Bug 1969285

Summary: Controlling access of podman for users
Product: Red Hat Enterprise Linux 8
Reporter: Ashish Reddy <asreddy>
Component: podman
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.2
CC: bbaude, dornelas, dwalsh, jligon, jnovy, lsm5, mheon, pthomas, tsweeney, umohnani
Target Milestone: beta
Flags: pm-rhel: mirror+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-07-20 17:45:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1186913
Attachments: Outputs of the tests performed. (Flags: none)

Description Ashish Reddy 2021-06-08 06:44:03 UTC
Created attachment 1789322: Outputs of the tests performed.

Description of problem:
Some user accounts should be able to run containers, but others should not. I tried commenting out the entries for those users in the /etc/subuid and /etc/subgid files. After doing this, podman is still able to pull hello-world and run it as a container, while other images cannot be pulled, whereas ideally it should not pull any image.

Version-Release number of selected component (if applicable):


How reproducible:
Easy

Steps to Reproduce:
1. Create a local user 
2. Comment entries for the user in /etc/subuid and /etc/subgid
3. Pull hello-world image and launch a container with it

Actual results:
podman is able to pull image and launch container

Expected results:
podman should not be able to pull image and launch container

Additional info:
Attached a file with the tests performed with different cases.

Comment 1 Daniel Walsh 2021-06-08 10:28:13 UTC
This is a false assumption. Container images are just tar balls sitting at a container registry. Any application that can talk to a web server can pull them down.

When they are pulled down, podman uses tar to export them within a user namespace. If the extra UIDs are not defined in /etc/subuid, then podman will set up a single User Namespace mapping the user's UID to 0 within the user namespace and then will attempt to "Untar" the image. If the image has files owned by users other than UID=0, then the tar will fail.

podman run fedora 

Should fail with an error about a missing UID.

Whereas 

podman run hello-world

Will succeed since the only content 

$ podman unshare
# mnt=$(podman image mount hello-world)
# ls -l $mnt
total 16
-rwxrwxr-x. 1 root root 13336 Mar  5 18:25 hello
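
The mapping behaviour Dan describes in the comment above, modelled as an added example (this is not podman's code, and nothing here is from the original report). The /etc/subuid content, the host UIDs and the two tar layers are all constructed for illustration; the point it shows is that a missing subuid entry does not block the pull at all, it only changes the uid_map podman can write, so a layer whose files are all root-owned (hello-world) still extracts under the single `0 <uid> 1` mapping, while a layer with files owned by other UIDs (a Fedora-like base image) fails at the untar step:

```python
"""Model of rootless podman's ID mapping when /etc/subuid has, or lacks,
an entry for the user, and of which image-layer files can then be
extracted. Added example; not podman's own code. All inputs below are
constructed for illustration."""
import io
import tarfile

# Constructed /etc/subuid: bob's entry is commented out, as in the
# reproduction steps of this bug. (Assumption: subgid is identical.)
SUBUID_SAMPLE = """\
alice:100000:65536
# bob:165536:65536
carol:231072:65536
"""

# Constructed host UIDs for the example accounts.
HOST_UIDS = {"alice": 1001, "bob": 1002, "carol": 1003}


def parse_subid(text):
    """Parse /etc/subuid-style text into {user: [(start, count), ...]}.
    Blank lines and '#' comments are skipped, so a commented-out entry
    is simply absent from the result."""
    ranges = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.setdefault(name, []).append((int(start), int(count)))
    return ranges


def build_id_map(user, host_uid, ranges):
    """Return (inside_start, outside_start, length) triples in the shape
    of /proc/<pid>/uid_map. The user's own UID always maps to 0 inside the
    namespace; each subuid range is appended starting at inside ID 1.
    With no ranges the whole map is the single line '0 <host_uid> 1'."""
    idmap = [(0, host_uid, 1)]
    next_inside = 1
    for start, count in ranges.get(user, []):
        idmap.append((next_inside, start, count))
        next_inside += count
    return idmap


def is_mapped(inside_id, idmap):
    """True if an ID as stored in the image layer has a host ID under idmap."""
    return any(lo <= inside_id < lo + n for lo, _, n in idmap)


def make_layer(files):
    """Construct an in-memory tar layer from (path, uid, gid) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, uid, gid in files:
            info = tarfile.TarInfo(path)
            info.size = 0
            info.uid, info.gid = uid, gid
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def unmappable_members(layer_bytes, uidmap, gidmap):
    """Paths whose owner or group has no entry in the maps: these are the
    files whose chown would fail and abort the untar of the layer."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if not (is_mapped(m.uid, uidmap) and is_mapped(m.gid, gidmap)):
                bad.append(m.name)
    return bad


# Constructed stand-ins for the two images in the comment: hello-world
# has one root-owned file; a Fedora-like layer also carries files owned
# by non-root accounts (UIDs/GIDs chosen for illustration only).
HELLO_LAYER = make_layer([("hello", 0, 0)])
FEDORA_LIKE_LAYER = make_layer([
    ("usr/bin/bash", 0, 0),
    ("var/spool/mail", 0, 12),
    ("var/lib/rpm", 0, 0),
    ("home/builder", 1000, 1000),
])


def can_extract(user, layer_bytes, subuid_text=SUBUID_SAMPLE):
    """Simulate podman's untar of one layer for `user`.
    Returns (ok, unmappable_paths); the same map is used for UIDs and
    GIDs under the subgid-equals-subuid assumption above."""
    idmap = build_id_map(user, HOST_UIDS[user], parse_subid(subuid_text))
    bad = unmappable_members(layer_bytes, idmap, idmap)
    return (not bad, bad)


if __name__ == "__main__":
    layers = (("hello-world", HELLO_LAYER), ("fedora-like", FEDORA_LIKE_LAYER))
    for user in ("alice", "bob"):
        for name, layer in layers:
            ok, bad = can_extract(user, layer)
            status = "ok" if ok else "FAIL, unmapped: " + ", ".join(bad)
            print(f"{user:6} {name:12} {status}")
```

Note what the model does not do: it never refuses the pull. The registry fetch is an HTTP download that any process on the box can perform, which is the reason the subuid edit in the report only changes which images extract rather than acting as an access control.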