draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/

track user names from inside container, not host #954

Open mstemm opened 6 years ago

mstemm commented 6 years ago

If you create a user inside a container, sysdig still uses the uids from the host in order to populate %user.name. A way to reproduce is:

$ sudo docker run -it ubuntu:latest bash
root@e0ae2d1b19c2:/# useradd testme
root@e0ae2d1b19c2:/# su - testme
No directory, logging in with HOME=/
$ cat /etc/passwd | grep testme
testme:x:1000:1000::/home/testme:
$ cat

While doing this and running sysdig with sudo sysdig container.id!=host and evt.type=execve -p "*%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info user=%user.name uid=%user.uid", you end up with this output:

5760 08:42:01.554078825 0 bash (12218) > execve filename=/bin/cat  user=deploy uid=1000
5797 08:42:01.554326172 0 cat (12218) < execve res=0 exe=cat args= tid=12218(cat) pid=12218(cat) ptid=12160(bash) cwd= fdlimit=1024 pgft_maj=0 pgft_min=33 vm_size=372 vm_rss=4 vm_swap=0 comm=cat cgroups=cpuset=/docker/e0ae2d1b19c25120fca711f6f8399728ccca234d1897d6474ad4bf3b543378... env=SHELL=/bin/bash.TERM=xterm.USER=testme.MAIL=/var/mail/testme.PATH=/usr/local/... tty=34816  user=deploy uid=1000

Note that although the user inside the container is "testme", sysdig reports the user as deploy, because uid 1000 within the container is being interpreted from the view of the host.

To fix this, we should keep track of uids from the container using something like user.vuid/user.vname.
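The lookup the issue asks for, as an added example that is not sysdig code: resolve a uid against the passwd file the process itself sees (reached through its root in /proc) and report it beside the host's view. The function names, the helper `passwd_for_pid`, and the two passwd contents are constructed for this illustration and mirror the report above (uid 1000 is `deploy` on the host and `testme` in the container).

```python
"""Resolve a uid from the container's own /etc/passwd rather than the host's.
Added example for the sysdig user.vuid/user.vname discussion; not sysdig code."""
from pathlib import Path

# Constructed sample passwd files mirroring the issue: host uid 1000 is
# "deploy", while inside the container uid 1000 was created as "testme".
HOST_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "deploy:x:1000:1000::/home/deploy:/bin/bash\n"
)
CONTAINER_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "testme:x:1000:1000::/home/testme:\n"
)


def parse_passwd(text: str) -> dict[int, str]:
    """Map uid -> user name from passwd(5) content; malformed lines are skipped."""
    users: dict[int, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        # First entry for a uid wins, matching getpwuid() behaviour.
        users.setdefault(int(fields[2]), fields[0])
    return users


def resolve_vname(uid: int, container_passwd: str, host_passwd: str) -> tuple[str, str]:
    """Return (host view, container view) of a uid; '<unknown>' when absent."""
    host_name = parse_passwd(host_passwd).get(uid, "<unknown>")
    vname = parse_passwd(container_passwd).get(uid, "<unknown>")
    return host_name, vname


def passwd_for_pid(pid: int) -> str:
    """Read /etc/passwd as the process sees it, via its root directory in /proc.
    Assumes /proc is mounted and the caller is allowed to read the target's root
    (in practice: root on the host, the same privilege sysdig already runs with)."""
    return Path(f"/proc/{pid}/root/etc/passwd").read_text()


if __name__ == "__main__":
    user, vuser = resolve_vname(1000, CONTAINER_PASSWD, HOST_PASSWD)
    print(f"uid=1000 user={user} vuser={vuser}")  # uid=1000 user=deploy vuser=testme
```

For a live process, `resolve_vname(uid, passwd_for_pid(pid), Path("/etc/passwd").read_text())` gives the two views; a process that was created before a later `useradd` in the container still resolves correctly because the file is read at lookup time.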

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.