rootless: exec join the user+mount namespace

it is not enough to join the user namespace where the container is running. We also need to join the mount namespace so that we can correctly look-up inside of the container rootfs. This is necessary to lookup the mounted /etc/passwd file when --user is specified. Closes: #2566 Signed-off-by: Giuseppe Scrivano <[email protected]>
containers · Mar 7, 2019 · 4a02713 · 4a02713
1 parent bf21ec8
commit 4a02713
Showing 1 changed file with 19 additions and 10 deletions.
diff --git a/cmd/podman/exec.go b/cmd/podman/exec.go
@@ -108,16 +108,25 @@ func execCmd(c *cliconfig.ExecValues) error {
 
 	}
 
-	pid, err := ctr.PID()
-	if err != nil {
-		return err
-	}
-	became, ret, err := rootless.JoinNS(uint(pid), c.PreserveFDs)
-	if err != nil {
-		return err
-	}
-	if became {
-		os.Exit(ret)
+	if os.Geteuid() != 0 {
+		var became bool
+		var ret int
+
+		data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile)
+		if err != nil {
+			return errors.Wrapf(err, "cannot read conmon PID file %q", ctr.Config().ConmonPidFile)
+		}
+		conmonPid, err := strconv.Atoi(string(data))
+		if err != nil {
+			return errors.Wrapf(err, "cannot parse PID %q", data)
+		}
+		became, ret, err = rootless.JoinDirectUserAndMountNS(uint(conmonPid))
+		if err != nil {
+			return err
+		}
+		if became {
+			os.Exit(ret)
+		}
 	}
 
 	// ENVIRONMENT VARIABLES