core: Don't try to apply non-root uid/gid when run as non-root

In an unprivileged case, we can't do this on the real filesystem. For `ex container`, we want to completely ignore uid/gid. I added a test installing `httpd` which failed previously. TODO: For non-root `--ex-unified-core` we need to do it as a commit modifier.
cgwalters · Nov 16, 2017 · 6c9342a · 6c9342a
1 parent b6bd2ab
commit 6c9342a
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/src/libpriv/rpmostree-core.c b/src/libpriv/rpmostree-core.c
@@ -2700,6 +2700,14 @@ apply_rpmfi_overrides (RpmOstreeContext *self,
                        GCancellable  *cancellable,
                        GError       **error)
 {
+  /* In an unprivileged case, we can't do this on the real filesystem. For `ex
+   * container`, we want to completely ignore uid/gid.
+   *
+   * TODO: For non-root `--ex-unified-core` we need to do it as a commit modifier.
+   */
+  if (getuid () != 0)
+    return TRUE;  /* 🔚 Early return */
+
   int i;
   g_auto(rpmfi) fi = NULL;
   gboolean emitted_nonusr_warning = FALSE;

diff --git a/tests/ex-container-tests/test-httpd.sh b/tests/ex-container-tests/test-httpd.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/bash
+set -xeuo pipefail
+
+cd ${test_tmpdir}
+
+dn=$(cd $(dirname $0) && pwd)
+. ${dn}/../common/libtest-core.sh
+
+cat >httpd.conf <<EOF
+[tree]
+ref=httpd
+packages=httpd;
+repos=fedora;
+EOF
+
+# This one has non-root ownership in some of the dependencies, but we shouldn't
+# try to apply them; see apply_rpmfi_overrides().
+rpm-ostree ex container assemble httpd.conf
+ostree --repo=repo ls httpd /usr/sbin/httpd