We need to read /etc/passwd and /etc/group in the container to
get an idea of how many UIDs and GIDs we need to allocate for a
user namespace when `--userns=auto` is specified. We were forming
paths for these using filepath.Join, which is not safe for paths
within a container, resulting in this CVE allowing crafted
symlinks in the container to access paths on the host instead.
Addresses CVE-2024-9676
Signed-off-by: Matt Heon <mheon@redhat.com>
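An illustration of the path-joining bug described above, added here and not taken from containers/storage: a throwaway rootfs whose `etc` entry is a symlink to a directory standing in for the host. `filepath.Join` only normalizes the string and never consults the filesystem, so opening the joined path follows the link out of the rootfs. `safeJoin` is an added reject-on-escape check (resolve symlinks, then require the result to stay under the rootfs); it shows the class of fix, not the upstream patch. All names, the directory layout and the sample passwd contents are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a container path resolves outside the rootfs.
var ErrEscapesRoot = errors.New("path escapes container root")

// unsafeJoin is the pattern the commit message describes: a pure string join.
// Any symlink under rootfs is followed on the host when the result is opened.
func unsafeJoin(rootfs, rel string) string {
	return filepath.Join(rootfs, rel)
}

// safeJoin resolves symlinks and refuses a path that leaves rootfs. This is an
// added check for illustration, not the fix used upstream.
func safeJoin(rootfs, rel string) (string, error) {
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, rel))
	if err != nil {
		return "", err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return resolved, nil
}

// buildRootfs constructs the scenario: rootfs/etc is a symlink to a "host"
// directory, while rootfs/real-etc is an ordinary directory inside the rootfs.
func buildRootfs() (rootfs string, cleanup func(), err error) {
	base, err := os.MkdirTemp("", "userns-demo-")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(base) }
	rootfs = filepath.Join(base, "rootfs")
	hostDir := filepath.Join(base, "host-etc")
	for _, step := range []func() error{
		func() error { return os.MkdirAll(filepath.Join(rootfs, "real-etc"), 0o755) },
		func() error { return os.MkdirAll(hostDir, 0o755) },
		// Constructed stand-in for the host's /etc/passwd.
		func() error { return os.WriteFile(filepath.Join(hostDir, "passwd"), []byte("root:x:0:0:root:/root:/bin/sh\n"), 0o644) },
		// Constructed in-container passwd file.
		func() error { return os.WriteFile(filepath.Join(rootfs, "real-etc", "passwd"), []byte("nobody:x:65534:65534::/:/sbin/nologin\n"), 0o644) },
		// The crafted symlink a malicious image would ship.
		func() error { return os.Symlink(hostDir, filepath.Join(rootfs, "etc")) },
	} {
		if err := step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return rootfs, cleanup, nil
}

// Demo returns what the unsafe join reads through the symlink, the error the
// safe join gives for that same path, and what the safe join reads for a path
// that genuinely stays inside the rootfs.
func Demo() (leaked string, safeErr error, kept string, err error) {
	rootfs, cleanup, err := buildRootfs()
	if err != nil {
		return "", nil, "", err
	}
	defer cleanup()
	data, err := os.ReadFile(unsafeJoin(rootfs, "etc/passwd"))
	if err != nil {
		return "", nil, "", err
	}
	_, safeErr = safeJoin(rootfs, "etc/passwd")
	inside, err := safeJoin(rootfs, "real-etc/passwd")
	if err != nil {
		return "", nil, "", err
	}
	in, err := os.ReadFile(inside)
	return string(data), safeErr, string(in), err
}

func main() {
	leaked, safeErr, kept, err := Demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Printf("unsafe join read from host: %q\n", leaked)
	fmt.Printf("safe join on the same path: %v\n", safeErr)
	fmt.Printf("safe join on an in-rootfs path read: %q\n", kept)
}
```

Resolve-then-open still leaves a window in which the link can be swapped after the check; code that must read files from an untrusted rootfs should resolve every component relative to the root (as filepath-securejoin does) or, on Linux 5.6+, open with openat2 and RESOLVE_IN_ROOT or RESOLVE_BENEATH.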
the alpine image defines a "nogroup":
$ podman run --rm alpine grep nogroup /etc/group
nogroup:x:65533:
ignore it as we are already doing for the "nobody" user.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
fix the detection for the maximum userns size from an image.
If the maximum ID used in an image is X, we need to use a user
namespace with size X+1 to include UID=X.
Closes: https://github.com/containers/storage/issues/2104
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This implements the algorithm proposed in
https://github.com/containers/storage/issues/852#issuecomment-798954173,
which is:
1. find available IDs from subuid/subgid file; by subtracting the used
IDs (from other containers) as well as additional IDs, we get the IDs
available to allocate;
2. target ID range is [0, requestedSize), subtract the additional IDs;
3. allocate IDs from range in step 1; the number to allocate is the
number of IDs in step 2;
4. generate a mapping from IDs in step 3 to the ones in step 2.
Closes: https://github.com/containers/storage/issues/852
Signed-off-by: Kan Li <likan@google.com>
The logic of range subtraction [a,b)-[c,d) can be viewed as intersection
of [a,b) with (-inf, c) and [d, +inf), respectively. This makes the
logic simpler, that we no longer need to check 5 different cases.
It also fixes bugs that return an incorrect range.
Closes #763
Signed-off-by: Kan Li <likan@google.com>
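The four allocation steps and the intersection-based range subtraction from the two commit messages above, worked through as an added Go example. This is not the containers/storage implementation: the type and function names are assumptions, and the subuid grant, the range already used by another container and the explicit extra mapping in main are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"sort"
)

// idRange is a half-open interval [Start, End) of UIDs or GIDs.
type idRange struct{ Start, End uint64 }

func (r idRange) size() uint64 { return r.End - r.Start }

func minU(a, b uint64) uint64 { if a < b { return a }; return b }
func maxU(a, b uint64) uint64 { if a > b { return a }; return b }

// intersect returns r ∩ [lo, hi) and whether the result is non-empty.
func intersect(r idRange, lo, hi uint64) (idRange, bool) {
	s := idRange{Start: maxU(r.Start, lo), End: minU(r.End, hi)}
	return s, s.Start < s.End
}

// subtract computes r - s as r ∩ [0, s.Start) and r ∩ [s.End, +inf):
// two intersections instead of a five-way case split.
func subtract(r, s idRange) []idRange {
	var out []idRange
	if left, ok := intersect(r, 0, s.Start); ok {
		out = append(out, left)
	}
	if right, ok := intersect(r, s.End, math.MaxUint64); ok {
		out = append(out, right)
	}
	return out
}

// subtractAll removes every range in taken from every range in ranges and
// returns the remainder sorted by start.
func subtractAll(ranges, taken []idRange) []idRange {
	for _, t := range taken {
		var next []idRange
		for _, r := range ranges {
			next = append(next, subtract(r, t)...)
		}
		ranges = next
	}
	sort.Slice(ranges, func(i, j int) bool { return ranges[i].Start < ranges[j].Start })
	return ranges
}

// Mapping is one idmap entry: Size IDs starting at ContainerID map to HostID.
type Mapping struct{ ContainerID, HostID, Size uint64 }

var ErrNotEnoughIDs = errors.New("not enough free IDs in subuid/subgid ranges")

// allocateMapping follows the four steps. subIDs are the ranges granted in
// /etc/subuid (or subgid), used the host IDs taken by other containers,
// additional the explicit extra mappings, requestedSize the container's ID space.
func allocateMapping(subIDs, used []idRange, additional []Mapping, requestedSize uint64) ([]Mapping, error) {
	var addHost, addContainer []idRange
	for _, a := range additional {
		addHost = append(addHost, idRange{a.HostID, a.HostID + a.Size})
		addContainer = append(addContainer, idRange{a.ContainerID, a.ContainerID + a.Size})
	}
	// Step 1: host IDs free to hand out.
	free := subtractAll(subtractAll(subIDs, used), addHost)
	// Step 2: container IDs to cover, minus those the explicit mappings cover.
	target := subtractAll([]idRange{{0, requestedSize}}, addContainer)
	var need uint64
	for _, t := range target {
		need += t.size()
	}
	// Step 3: carve exactly `need` IDs out of the free ranges, lowest first.
	var picked []idRange
	for _, f := range free {
		if need == 0 {
			break
		}
		take := minU(f.size(), need)
		picked = append(picked, idRange{f.Start, f.Start + take})
		need -= take
	}
	if need > 0 {
		return nil, ErrNotEnoughIDs
	}
	// Step 4: pair container ranges with host ranges, splitting the longer one.
	var out []Mapping
	for i, j := 0, 0; i < len(target) && j < len(picked); {
		n := minU(target[i].size(), picked[j].size())
		out = append(out, Mapping{target[i].Start, picked[j].Start, n})
		target[i].Start += n
		picked[j].Start += n
		if target[i].size() == 0 { i++ }
		if picked[j].size() == 0 { j++ }
	}
	return append(out, additional...), nil
}

func main() {
	// Constructed inputs: a 65536-ID subuid grant, 1024 IDs already used by
	// another container, and host UID 1000 mapped explicitly to container UID 1000.
	maps, err := allocateMapping([]idRange{{100000, 165536}}, []idRange{{100000, 101024}},
		[]Mapping{{ContainerID: 1000, HostID: 1000, Size: 1}}, 2048)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, m := range maps {
		fmt.Printf("%d %d %d\n", m.ContainerID, m.HostID, m.Size) // container host size
	}
}
```

With these inputs the explicit mapping punches a hole at container ID 1000, so the target splits into [0,1000) and [1001,2048), 2047 host IDs are taken from the first free range starting at 101024, and the result is the two derived entries plus the explicit one.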
when an explicit idmapping is specified, the host id must be taken
from the available range of IDs.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
automatically pick an empty range and create a user namespace for the
container.
For root containers, it is necessary to specify an entry in
the /etc/subuid and /etc/subgid files to use for picking the range of
available IDs. This is necessary to avoid collisions with IDs used
for rootless containers. This setting is ignored for rootless
containers, since it is not possible to use arbitrary IDs, and the
initial set is always picked by the IDs assigned to the rootless
user.
When using auto userns, a container will use a range of IDs that is
not used by any other container user namespace, including those that are
not using auto userns; this is checked at creation time.
A successive container that doesn't use auto userns feature can still
collide with IDs used by an auto userns container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>