containers / podman.io_old

Repository for podman.io website using GitHub Pages.
https://podman.io

running 'podman unshare' as an unprivileged user returns a shell as 'root' #514

Closed sondermc closed 2 years ago

sondermc commented 2 years ago

Hello community,

I've been using this great tool for years now, but I just bumped into a horrible situation which I hadn't noticed before. I run Fedora 35 and installed podman from the Fedora repositories. I was playing around with mounting volumes as an unprivileged user. Here is a snippet of my experience.

```
[foo@bar ~]$ id
uid=1000(foo) gid=1000(foo) groups=1000(foo),10(wheel),107(qemu),977(wireshark),985(libvirt) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[foo@bar ~]$ cd workspace/fedora/podman/
[foo@bar podman]$ podman unshare
[root@bar podman]# id
uid=0(root) gid=0(root) groups=0(root),65534(nobody) context=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
[root@bar podman]# exit
exit
[foo@bar podman]$ podman --version
podman version 3.4.4
[foo@bar podman]$ uname -a
Linux bar 5.16.16-200.fc35.x86_64 #1 SMP PREEMPT Sat Mar 19 13:52:41 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
```

So I gained root (uid=0) privileges by running 'podman unshare'. I really don't know if there are other distros out there reacting the same way. I thought this one was too important, so I created a ticket right away. If you need more info, I'm more than willing to help.

Kind Regards, Chris

rhatdan commented 2 years ago

This is working as expected. You are not root, you are just root within the user namespace. If you look at the content of your homedir, while in unshare, you should notice all the files in your homedir are owned by root, if you exit the unshare then they will be owned by you again. This is just user namespace faking that you are root.

https://opensource.com/article/18/12/podman-and-user-namespaces
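The "fake root" rhatdan describes is visible in the kernel's id-map files: inside the user namespace, `/proc/self/uid_map` lists which host ids each namespace id is backed by, one `inside outside count` range per line. The following added example (not code from podman or from anyone in this thread) parses that format and translates ids in both directions. The sample map is constructed to match a typical rootless setup, and the specific numbers (uid 1000 owning the namespace, a subordinate range starting at 100000 with 65536 ids) are assumptions, not values taken from the issue. It shows why `id` reports `uid=0(root)` while the host still sees uid 1000, and why unmapped host groups such as `wheel` appear inside the namespace as `65534(nobody)`.

```python
"""Translate ids across a user namespace boundary by parsing the
/proc/<pid>/uid_map and gid_map format ("inside outside count" per line).

Added example; the sample map below is constructed and assumes the usual
rootless podman layout, not values from the issue being discussed.
"""
import sys

# Constructed uid_map as seen from inside a rootless podman namespace:
# namespace uid 0 is the user's own host uid, namespace uids 1..65536 are
# drawn from the user's /etc/subuid range (assumed: 100000, 65536 ids).
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""

# A map as seen by a process that is NOT in a child user namespace:
# every id maps to itself, so uid 0 really is host root.
INITIAL_NS_MAP = "         0          0 4294967295\n"

# Kernel "overflow" id: a host id with no mapping shows up as this inside
# the namespace (the 65534(nobody) group in the issue's `id` output).
OVERFLOW_ID = 65534


def parse_id_map(text):
    """Parse id_map text into a list of (inside, outside, count) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        if count <= 0:
            raise ValueError(f"non-positive count in id_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def ns_to_host(ns_id, entries):
    """Host id backing a namespace id, or None if the id is unmapped."""
    for inside, outside, count in entries:
        if inside <= ns_id < inside + count:
            return outside + (ns_id - inside)
    return None


def host_to_ns(host_id, entries):
    """Namespace id a host id appears as; unmapped ids become OVERFLOW_ID."""
    for inside, outside, count in entries:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID


def is_real_root(entries):
    """True only if namespace uid 0 is backed by host uid 0."""
    return ns_to_host(0, entries) == 0


def describe(entries):
    """Human-readable summary of what 'root' in this namespace really is."""
    host_root = ns_to_host(0, entries)
    if host_root is None:
        return "uid 0 is not mapped at all in this namespace"
    if host_root == 0:
        return "uid 0 is backed by host uid 0: this is real root"
    return f"uid 0 is backed by host uid {host_root}: root in name only"


if __name__ == "__main__":
    # Read the live map of the current process; run this inside
    # `podman unshare` and outside it to compare the two answers.
    try:
        with open("/proc/self/uid_map") as fh:
            live = parse_id_map(fh.read())
        print("live map:", live)
        print(describe(live))
    except OSError as err:
        print("could not read /proc/self/uid_map:", err, file=sys.stderr)
    print("sample rootless map:", describe(parse_id_map(SAMPLE_UID_MAP)))
```

Run outside any namespace, `/proc/self/uid_map` is the single identity line and `describe` reports real root; run under `podman unshare`, the first range maps namespace uid 0 to the invoking user's uid and `describe` reports root in name only, which is the situation the reporter saw. A quick manual cross-check is `cat /proc/self/uid_map` in both shells.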

sondermc commented 2 years ago

Aha, confirmed. I cannot do real 'root' tasks. That scared the s*$t out of me. Thanks!

TomSweeneyRedHat commented 2 years ago

@sondermc for future reference, we do appreciate the issue report, but if you have one in the future for Podman, please report the issue against the Podman GitHub repo instead. This repo is used for the podman.io blog site and has a lot fewer Podman maintainers monitoring this repo.