Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UIDs and GID are handled in base 8 (incorrectly) #19800

Closed
antifuchs opened this issue Aug 29, 2023 · 2 comments · Fixed by #19816
Closed

UIDs and GID are handled in base 8 (incorrectly) #19800

antifuchs opened this issue Aug 29, 2023 · 2 comments · Fixed by #19816
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@antifuchs
Copy link

Issue Description

When using --hostuser=testuser with a testuser account that has a UID above 7, podman either: a) translates the UID wrong or b) fails to parse the UID, because it attempts to parse the UID in octal.

That's incorrect on at least the linux systems that I'm using: There, /etc/passwd ID entries are all in decimal.

Steps to reproduce the issue

To reproduce the "does not start" aspect of the issue:

  1. Find or create a user that has a UID containing digits invalid in base 8 (I have created a testuser with UID 987).
  2. run podman run --rm -u testuser --passwd --hostuser=testuser ubuntu:latest grep testuser /etc/passwd
  3. Observe that podman complains Error: strconv.ParseUint: parsing "987": invalid syntax

To reproduce the "starts but is completely incorrect" aspect:

  1. Find or create a user that has a UID that's valid base-8 but is >7 (I have created my own user with UID 1000).
  2. run podman run --rm -u $(whoami) --passwd --hostuser=$(whoami) ubuntu:latest grep $(whoami) /etc/passwd - prints UIDs & GIDs 1000, which is correct (I guess that they are written in base-8 also?)
  3. run podman run --rm -u $(whoami) --passwd --hostuser=$(whoami) ubuntu:latest id
  4. Observe that this prints uid=512 gid=512 groups=512

Describe the results you received

(see the repro steps for an explanation of the results)

Describe the results you expected

I would expect all host UIDs and GIDs to work, regardless of whether they are valid in octal, and that the concrete UID and GID in the container is the same as on the host (so, a UID of 1000 in the host should be 1000 in the container).

podman info output

freeLocks: 2046
  hostname: gloria
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.1.45
  linkmode: dynamic
  logDriver: journald
  memFree: 157977083904
  memTotal: 404340367360
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
      path: /nix/store/jh447x1vs6wgmh9x2dy4fkbc55r13cm6-podman-4.6.0-patched-for-19169/libexec/podman/aardvark-dns
      version: aardvark-dns 1.6.0
    package: Unknown
    path: /nix/store/jh447x1vs6wgmh9x2dy4fkbc55r13cm6-podman-4.6.0-patched-for-19169/libexec/podman/netavark
    version: netavark 1.6.0
  ociRuntime:
    name: crun
    package: Unknown
    path: /nix/store/xal8jc595rdckj94s5v3rn5i93dggh66-crun-1.8.4/bin/crun
    version: |-
      crun version 1.8.4
      commit: 1.8.4
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock

plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /home/asf/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 0
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/asf/.local/share/containers/storage
  graphRootAllocated: 214669852672
  graphRootUsed: 10315104256
  graphStatus:
    Backing Filesystem: zfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 51
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/asf/.local/share/containers/storage/volumes
version:
  APIVersion: 4.6.0
  Built: 315532800
  BuiltTime: Mon Dec 31 19:00:00 1979
  GitCommit: ""
  GoVersion: go1.20.7
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

I'm running in nixos, but believe this applies to all systems.

Additional information

This issue only happens with --hostuser for me so far, but it's consistent there. I do have to use --hostuser because the user I need to translate over comes with dynamic-enough UID/GIDs that it must be referred to by name /:
@antifuchs antifuchs added the kind/bug Categorizes issue or PR as related to a bug. label Aug 29, 2023
@antifuchs antifuchs mentioned this issue Aug 29, 2023
Merged
@giuseppe
Copy link
Member

giuseppe commented Aug 31, 2023
edited
Loading

I think the following patch solves the issue:

diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index f7a51f5a3..a8747f849 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -821,12 +821,12 @@ func lookupHostUser(name string) (*runcuser.ExecUser, error) {
        if err != nil {
                return &execUser, err
        }
-       uid, err := strconv.ParseUint(u.Uid, 8, 32)
+       uid, err := strconv.ParseUint(u.Uid, 10, 32)
        if err != nil {
                return &execUser, err
        }
 
-       gid, err := strconv.ParseUint(u.Gid, 8, 32)
+       gid, err := strconv.ParseUint(u.Gid, 10, 32)
        if err != nil {
                return &execUser, err
        }

I'll play with it and open a PR

@giuseppe giuseppe mentioned this issue Aug 31, 2023
Merged
@giuseppe
Copy link
Member

PR here: #19816

giuseppe added a commit to giuseppe/libpod that referenced this issue Aug 31, 2023
@giuseppe
libpod: do not parse --hostuser in base 8
702709a 
fix the parsing of --hostuser to treat the input in base 10.

Closes: containers#19800

Signed-off-by: Giuseppe Scrivano <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Dec 1, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 1, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

libpod: do not parse --hostuser in base 8 giuseppe/libpod
2 participants
@antifuchs @giuseppe