Supplemental groups not added for 'podman exec -u <user>' #9986

Closed

@owtaylor

/kind bug

Description

When a container is created with one user and you run `podman exec -u <otheruser> groups`, you don't see supplemental groups from /etc/group.

Looking at the code with @mheon, it appears that the intention is that these supplemental groups are supposed to be added - see https://github.com/containers/podman/blob/master/libpod/oci_conmon_exec_linux.go#L719

I initially encountered this in the context of rootless with --userns=keep-id, but it seems to be the same running rootful and without --userns.

Steps to reproduce the issue:

Run the following script:

```bash
#!/bin/bash

# Create the container as root so useradd/usermod work inside it.
container=$(podman create -u root fedora:33 sleep 1000)

cleanup() {
    podman stop --time=1 "$container" > /dev/null
    podman rm -f "$container" > /dev/null
}
trap cleanup EXIT

podman start "$container" > /dev/null
# Add a user whose only supplemental group (from /etc/group) is wheel.
podman exec "$container" useradd testuser
podman exec "$container" usermod -G wheel testuser
# Groups as seen when podman exec itself switches to the user ...
echo -n "Running 'groups': "
podman exec -u testuser "$container" groups
# ... versus when su inside the container does the switch.
echo -n "Running 'su -u testuser sh -c groups': "
podman exec -u root "$container" su - testuser sh -c groups
```

Describe the results you received:

```
Running 'groups': testuser
Running 'su -u testuser sh -c groups': testuser wheel
```

Describe the results you expected:

The bare groups command should have shown the right supplemental groups.

Output of podman version:

```
Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.15.8
Built:        Fri Feb 19 11:56:17 2021
OS/Arch:      linux/amd64
```

Output of podman info --debug:

```yaml
host:
  arch: amd64
  buildahVersion: 1.19.4
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.26-1.fc33.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.26, commit: 777074ecdb5e883b9bec233f3630c5e7fa37d521'
  cpus: 8
  distribution:
    distribution: fedora
    version: "33"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
  kernel: 5.10.19-200.fc33.x86_64
  linkmode: dynamic
  memFree: 1262637056
  memTotal: 33436405760
  ociRuntime:
    name: crun
    package: crun-0.18-1.fc33.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.18
      commit: 808420efe3dc2b44d6db9f1a3fac8361dde42a95
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.8-1.fc33.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 21010198528
  swapTotal: 21082660864
  uptime: 156h 32m 55.35s (Approximately 6.50 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /var/home/otaylor/.config/containers/storage.conf
  containerStore:
    number: 10
    paused: 0
    running: 2
    stopped: 8
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.4.0-1.fc33.x86_64
      Version: |-
        fusermount3 version: 3.9.3
        fuse-overlayfs: version 1.4
        FUSE library version 3.9.3
        using FUSE kernel interface version 7.31
  graphRoot: /var/home/otaylor/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 393
  runRoot: /run/user/1000/containers
  volumePath: /var/home/otaylor/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1613753777
  BuiltTime: Fri Feb 19 11:56:17 2021
  GitCommit: ""
  GoVersion: go1.15.8
  OsArch: linux/amd64
  Version: 3.0.1
```

Package info (e.g. output of rpm -q podman or apt list podman):

```
podman-3.0.1-1.fc33.x86_64
```

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

No
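A way to verify the behaviour described above from the outside, as an added example that is not part of the issue or of podman's own code: it derives the supplemental groups a user should receive from an /etc/group file (the lookup the exec path is expected to perform) and checks them against what a process actually reports. The group file is constructed, and "testuser" and "alice" are placeholder names.

```shell
#!/bin/bash
# Added example (not code from the podman issue or the podman project):
# derive the supplemental groups a user should get from an /etc/group file,
# then compare them with the groups a process actually reports, e.g. the
# output of `groups` under `podman exec -u USER`. Group file is constructed.

SAMPLE_GROUP_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:testuser,alice
audio:x:63:alice
testuser:x:1000:
EOF

# Print the names of every group in file $2 whose member list (4th field)
# contains user $1, sorted and space-separated. This is the /etc/group
# lookup that the exec path is expected to perform for the -u user.
expected_supplemental_groups() {
    local user="$1" file="$2"
    awk -F: -v u="$user" '{
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) if (members[i] == u) { print $1; break }
    }' "$file" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Check that the group list a process reports ($3, as printed by `groups`)
# contains every supplemental group /etc/group ($2) grants user $1.
# Returns 0 when nothing is missing, 1 (and names the gaps) otherwise.
check_groups() {
    local user="$1" file="$2" actual="$3" missing=""
    for g in $(expected_supplemental_groups "$user" "$file"); do
        case " $actual " in
            *" $g "*) ;;
            *) missing="$missing $g" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "user $user is missing supplemental groups:$missing" >&2
        return 1
    fi
    return 0
}

# Replay the two results the issue reports: the bare `groups` from
# `podman exec -u testuser` versus `groups` after `su - testuser`.
check_groups testuser "$SAMPLE_GROUP_FILE" "testuser" || echo "exec -u path: bug reproduced"
check_groups testuser "$SAMPLE_GROUP_FILE" "testuser wheel" && echo "su path: OK"
```

Replace the third argument of `check_groups` with the real output of `podman exec -u <user> <container> groups`, and the second with a copy of the container's /etc/group, to test a given podman build.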
