Created attachment 1789322: Outputs of the tests performed.

Description of problem:
Some user accounts will be available to run containers, but some should not run containers. Tried commenting out the entries for users in the /etc/subuid and /etc/subgid files. After doing this, podman is able to pull hello-world and run it as a container, while other images cannot be pulled, whereas ideally it should not pull any image.

Version-Release number of selected component (if applicable):

How reproducible:
Easy

Steps to Reproduce:
1. Create a local user
2. Comment out the entries for the user in /etc/subuid and /etc/subgid
3. Pull the hello-world image and launch a container with it

Actual results:
podman should not be able to pull the image and launch a container

Expected results:
podman is able to pull the image and launch a container

Additional info:
Attached a file with the tests performed with different cases.
This is a false assumption. Container images are just tar balls sitting at a container registry. Any application that can talk to a web server can pull them down. When they are pulled down, podman uses tar to export them within a user namespace. If the extra UIDs are not defined in /etc/subuid, then podman will set up a single user namespace mapping the user's UID to 0 within the user namespace and then will attempt to "untar" the image. If the image has files owned by users other than UID=0, then the tar will fail.

    podman run fedora

Should fail with an error about a missing UID. Whereas

    podman run hello-world

Will succeed, since the only content is:

    $ podman unshare
    # mnt=$(podman image mount hello-world)
    # ls -l $mnt
    total 16
    -rwxrwxr-x. 1 root root 13336 Mar  5 18:25 hello
https://www.redhat.com/sysadmin/controlling-access-rootless-podman-users
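As an added example (not from the bug report or from the podman project), the following POSIX shell script parses an /etc/subuid-style file and reports whether a user would get podman's full range mapping or the single UID-to-0 mapping described above; the file contents and user names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the bug report. /etc/subuid and /etc/subgid hold
# one range per line in the form NAME_OR_UID:START:COUNT. Lines beginning with
# '#' are ignored, which is what "commenting out" a user's entry relies on.

# subid_ranges FILE USER [UID]: print "start count" for each active range that
# names the user (by login name or numeric ID); exit 1 when there is none.
subid_ranges() {
  file=$1; user=$2; uid=${3:-}
  awk -F: -v u="$user" -v n="$uid" '
    /^[[:space:]]*#/ || NF < 3 { next }            # skip comments and junk
    $1 == u || (n != "" && $1 == n) { print $2, $3; found = 1 }
    END { exit found ? 0 : 1 }' "$file"
}

# podman_mapping_mode FILE USER [UID]: "full" when extra IDs exist, so tar can
# create files owned by UIDs other than 0 inside the namespace; "single" when
# only the user's own ID maps to 0, so any image with non-root-owned files
# fails to unpack while an all-root image such as hello-world still works.
podman_mapping_mode() {
  if subid_ranges "$1" "$2" "${3:-}" >/dev/null; then
    echo full
  else
    echo single
  fi
}

# Constructed sample file: alice has a range, bob's entry is commented out,
# and a third range is keyed by numeric UID 1002 rather than a login name.
SUBUID_SAMPLE=$(mktemp)
trap 'rm -f "$SUBUID_SAMPLE"' EXIT
cat >"$SUBUID_SAMPLE" <<'EOF'
alice:100000:65536
#bob:165536:65536
1002:231072:65536
EOF

for who in alice bob; do
  printf '%s: %s\n' "$who" "$(podman_mapping_mode "$SUBUID_SAMPLE" "$who")"
done
printf 'uid 1002: %s\n' "$(podman_mapping_mode "$SUBUID_SAMPLE" carol 1002)"
```

Run against the real files with `podman_mapping_mode /etc/subuid "$(id -un)" "$(id -u)"` (and the same for /etc/subgid) to see which case a given account falls into.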