search

containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0
22.37k stars 2.31k forks source link

podman tries to make user-executable directory world-executable (rootless) #23028

Closed myllynen closed 1 week ago

myllynen commented 2 weeks ago

Issue Description

When a directory in the path configured in containers.conf is not world-executable podman fails to run containers:

admin@bastion:~> cat ~/.config/containers/storage.conf                                                                                                
[storage]
driver = "overlay"
runroot = "/app/admin/ee/runroot"
graphroot = "/app/admin/ee/graphroot"
rootless_storage_path = "/app/admin/ee/storage"
[storage.options]
pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
[storage.options.overlay]
mountopt = "nodev,metacopy=on"
admin@bastion:~> id
uid=4444(admin) gid=4444(admin) groups=4444(admin),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
admin@bastion:~> ls -alZ /app
total 0
drwxr-x---.  3 root  admin unconfined_u:object_r:default_t:s0            19 2024-06-07 12:53 .
dr-xr-xr-x. 19 root  root  system_u:object_r:root_t:s0                  246 2024-06-06 12:46 ..
drwxr-x--x.  3 admin admin unconfined_u:object_r:container_var_lib_t:s0  16 2024-06-07 13:28 admin
admin@bastion:~> strace -ff podman run -ti test-container uname 2>&1 | grep chmod | grep -i perm
[pid  3400] fchmodat(AT_FDCWD, "/app", 0751) = -1 EPERM (Operation not permitted)
[pid  3400] rt_sigreturn({mask=[]}Error: chmod /app: operation not permitted
admin@bastion:~> podman version
Client:       Podman Engine
Version:      4.9.4-rhel
API Version:  4.9.4-rhel
Go Version:   go1.21.7 (Red Hat 1.21.7-2.module+el8.10.0+21638+b01be198)
Built:        Mon Jun 10 14:56:14 2024
OS/Arch:      linux/amd64
admin@bastion:~>

The top-level directory is already user-readable/executable but podman still tries to make it world-executable.

If doing "chmod o+x /app" as root then the test would work as expected.

If this is indeed required then at least the error message should be clearer.

Steps to reproduce the issue

See above - any directory in the path, even if user-readable/executable, not world-executable will cause podman to fail.

Describe the results you received

Directories must be world-executable or podman fails.

Describe the results you expected

It is enough for directories to be owned and accessible by the user.

podman info output

If you are unable to run podman info for any reason, please provide the podman version, operating system and its version and the architecture you are running.

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

giuseppe commented 2 weeks ago

The top-level directory is already user-readable/executable but podman still tries to make it world-executable.

If doing "chmod o+x /app" as root then the test would work as expected.

that won't be enough when you run inside a user namespace (for rootless a nested namespace), since your UID:GID could not be mapped in the inner namespace.

giuseppe commented 2 weeks ago

and we probably don't need this code anymore, the OCI runtime takes advantage of the new Linux mount API to achieve it without requiring the chmod hack we needed before

giuseppe commented 2 weeks ago

opened a PR, let's see how far it goes in the CI: https://github.com/containers/podman/pull/23032