With crun as a runtime, it's possible to let the user retain their group
permissions while inside of the toolbox. This is possible if we use
the run.oci.keep_original_groups=1 extension.
However, not all runtimes implement such an extension. E.g., crun does,
while runc does not.
Therefore, let's also add a command line switch for choosing the
runtime, in case one wants to take advantage of the extension (for
a particular toolbox), but the default runtime does not support it.
As a result, if this is the situation on the host:
$ id
uid=1000(dario) gid=100(users)
groups=100(users),483(video),487(kvm),490(dialout),492(audio),496(wheel),1000(dario)
$ ls -lrt
...
d---rwx--- 1 root users 10 mag 23 15:27 pippo
d---rwx--- 1 root video 22 mag 24 18:20 minnie
$ ls minnie/
daisy mickey
$ ls pippo/
pluto
And if we create a "runc toolbox":
$ toolbox enter --runtime /usr/bin/runc -c test-runc
Then, inside of it...
dario@test-runc:$ ls -l
...
d---rwx--- 1 65534 users 10 May 23 15:27 pippo
d---rwx--- 1 65534 65534 22 May 24 18:20 minnie
dario@test-runc:$ ls pippo/
pluto
dario@test-runc:$ ls minnie/
ls: cannot open directory 'minnie/': Permission denied
...the content of 'minnie' can't be listed, even though the user has
the proper group permissions on the host.
On the other hand, if we create a "crun toolbox" (provided
crun is installed, of course):
$ toolbox enter --runtime /usr/bin/crun -c test-crun
Then, inside of it...
dario@test-crun:$ ls -l
...
d---rwx--- 1 65534 users 10 May 23 15:27 pippo
d---rwx--- 1 65534 65534 22 May 24 18:20 minnie
dario@test-crun:$ ls pippo/
pluto
dario@test-crun:$ ls minnie/
daisy mickey
Signed-off-by: Dario Faggioli dfaggioli@suse.com
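As an added example (not part of this commit and not toolbox's own code), the following POSIX shell functions show the decision the commit describes: pass the annotation only when the chosen runtime is crun, and check from the outside whether supplementary groups survived into the container. It assumes podman's `--runtime` and `--annotation` options and crun's `run.oci.keep_original_groups=1` annotation; the container name, image and the `id -G` comparison in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not code from the toolbox project.
# Assumptions: podman accepts --runtime and --annotation; crun honours the
# run.oci.keep_original_groups=1 annotation, runc ignores it.

# Return 0 when the runtime binary is crun, the only runtime known here
# to honour run.oci.keep_original_groups. Compare on the basename so
# both "crun" and "/usr/bin/crun" work.
runtime_keeps_groups() {
    case "$(basename "$1")" in
        crun) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the podman options for a toolbox created with runtime $1.
# The annotation is only added where the runtime honours it, so a
# runc toolbox still starts (just without the supplementary groups).
podman_runtime_opts() {
    rt="$1"
    opts="--runtime $rt"
    if runtime_keeps_groups "$rt"; then
        opts="$opts --annotation run.oci.keep_original_groups=1"
    fi
    printf '%s\n' "$opts"
}

# Compare the host's group ids ($1, output of `id -G`) with the ones
# seen inside the container ($2). Return 0 only if every host group is
# still present inside, i.e. the "minnie" case from the commit message
# would work.
groups_retained() {
    host_groups="$1"
    ctr_groups="$2"
    for g in $host_groups; do
        case " $ctr_groups " in
            *" $g "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage sketch (names are made up, not run here):
#   podman create $(podman_runtime_opts /usr/bin/crun) \
#       --name test-crun --user "$(id -u)" IMAGE sleep infinity
#   podman start test-crun
#   groups_retained "$(id -G)" "$(podman exec test-crun id -G)" \
#       && echo "supplementary groups retained"
```

With runc the function emits only `--runtime /usr/bin/runc`, which matches the commit's observation that a runc toolbox loses the `video` group and therefore cannot list `minnie`.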