Blame SOURCES/0001-Only-drop-all-caps-in-exec-when-non-root.patch
|
 |
9fe42f |
From fbc96cdd1741021f3d18e49eac3757297aaba851 Mon Sep 17 00:00:00 2001
|
|
|
9fe42f |
From: Matthew Heon <mheon@redhat.com>
|
|
|
9fe42f |
Date: Fri, 19 Feb 2021 11:34:39 -0500
|
|
|
9fe42f |
Subject: [PATCH] Only drop all caps in exec when non-root
|
|
|
9fe42f |
|
|
|
9fe42f |
We were dropping too many capabilities otherwise, which broke
|
|
|
9fe42f |
some critical system tools (e.g. useradd) in exec sessions.
|
|
|
9fe42f |
|
|
|
9fe42f |
Fix RHBZ#1930552
|
|
|
9fe42f |
|
|
|
9fe42f |
Signed-off-by: Matthew Heon <mheon@redhat.com>
|
|
|
9fe42f |
---
|
|
|
9fe42f |
libpod/oci_conmon_linux.go | 2 +-
|
|
|
9fe42f |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
9fe42f |
|
|
|
9fe42f |
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
|
|
|
9fe42f |
index d5973a1a6..18ede031e 100644
|
|
|
9fe42f |
--- a/libpod/oci_conmon_linux.go
|
|
|
9fe42f |
+++ b/libpod/oci_conmon_linux.go
|
|
|
9fe42f |
@@ -1107,7 +1107,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
|
|
|
9fe42f |
pspec.Capabilities.Effective = []string{}
|
|
|
9fe42f |
if privileged {
|
|
|
9fe42f |
pspec.Capabilities.Bounding = allCaps
|
|
|
9fe42f |
- } else {
|
|
|
9fe42f |
+ } else if execUser.Uid != 0 {
|
|
|
9fe42f |
pspec.Capabilities.Bounding = []string{}
|
|
|
9fe42f |
}
|
|
|
9fe42f |
pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
|
|
|
9fe42f |
--
|
|
|
9fe42f |
2.29.2
|
|
|
9fe42f |
|