Bug 1969285 - Controlling access of podman for users
Summary: Controlling access of podman for users
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
Assignee: Daniel Walsh
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1186913
Reported: 2021-06-08 06:44 UTC by Ashish Reddy
Modified: 2021-07-20 17:45 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-20 17:45:36 UTC
Type: Bug
Target Upstream Version:


Attachments
Outputs of the tests performed. (11.06 KB, text/plain)
2021-06-08 06:44 UTC, Ashish Reddy

Description Ashish Reddy 2021-06-08 06:44:03 UTC
Created attachment 1789322
Outputs of the tests performed.

Description of problem:
Some user accounts will be available to run containers, but some should not run containers. Tried commenting out the entries for those users in the /etc/subuid and /etc/subgid files. After doing this, podman is able to pull hello-world and run it as a container, while other images cannot be pulled, where ideally it should not pull any image.

Version-Release number of selected component (if applicable):


How reproducible:
Easy

Steps to Reproduce:
1. Create a local user 
2. Comment entries for the user in /etc/subuid and /etc/subgid
3. Pull hello-world image and launch a container with it

Actual results:
podman should not be able to pull image and launch container

Expected results:
podman is able to pull image and launch container

Additional info:
Attached a file with the tests performed with different cases.

Comment 1 Daniel Walsh 2021-06-08 10:28:13 UTC
This is a false assumption. Container images are just tarballs sitting at a container registry. Any application that can talk to a web server can pull them down.

When they are pulled down, podman uses tar to export them within a user namespace. If the extra UIDs are not defined in /etc/subuid, then podman will set up a single User Namespace mapping the user's UID to 0 within the user namespace and then will attempt to "untar" the image. If the image has files owned by users other than UID=0, then the tar will fail.

podman run fedora 

Should fail with an error about a missing UID.

Whereas 

podman run hello-world

Will succeed since the only content 

$ podman unshare
# mnt=$(podman image mount hello-world)
# ls -l $mnt
total 16
-rwxrwxr-x. 1 root root 13336 Mar  5 18:25 hello
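An added example, not from the bug report or from podman itself, that models the check described in the comment above: parse a user's /etc/subuid entries, build the set of container UIDs the rootless user namespace can map (the user's own UID as 0, with any subuid ranges appended from container UID 1), and report which entries of a constructed image layer are owned by UIDs outside that set, which are the files the untar step fails on. The usernames, ranges and layer contents are made up.

```python
import io
import tarfile

# Constructed sample /etc/subuid content; "alice" has a range, "bob" is
# commented out the way the bug report describes. Both names are made up.
SUBUID_SAMPLE = """\
alice:100000:65536
# bob:165536:65536
"""

def subid_ranges(content, user):
    """Return the (start, count) ranges granted to user in /etc/subuid text.
    Blank and commented-out lines grant nothing."""
    ranges = []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges

def mapped_container_uids(ranges):
    """Container UIDs that have a host UID behind them: the user's own UID is
    always mapped to 0; each subuid range is appended from container UID 1."""
    mapped = {0}
    next_uid = 1
    for _start, count in ranges:
        mapped.update(range(next_uid, next_uid + count))
        next_uid += count
    return mapped

def build_layer(entries):
    """Build an in-memory tar layer from (path, owner_uid) pairs (sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, uid in entries:
            info = tarfile.TarInfo(path)
            info.uid = info.gid = uid
            tar.addfile(info)  # zero-length entry; only the ownership matters here
    return buf.getvalue()

def unmapped_owners(layer_bytes, mapped):
    """Entries whose owner has no mapping in this user namespace, i.e. the
    files the untar step described in the comment above would fail on."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        return [(m.name, m.uid) for m in tar if m.uid not in mapped]
```

A layer whose only entry is root-owned (like the hello-world listing above) passes even with no subuid range, while a layer with a UID 1000 file passes only once a range is granted.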

