reduce the chance of parsing /etc/passwd & /etc/group

lifubang · lifubang · commit 42d0004820f4 · 2023-09-29T00:42:21.000+08:00
Signed-off-by: lifubang &lt;lifubang@acmcoder.com&gt;
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
@@ -440,35 +440,61 @@ func syncParentSeccomp(pipe *os.File, seccompFd *os.File) error {
 	return readSync(pipe, procSeccompDone)
 }
 
-// setupUser changes the groups, gid, and uid for the user inside the container
-func setupUser(config *initConfig) error {
+func getExecUser(userAndGroup string) (*user.ExecUser, error) {
 	// Set up defaults.
 	defaultExecUser := user.ExecUser{
 		Uid:  0,
 		Gid:  0,
 		Home: "/",
 	}
 
-	passwdPath, err := user.GetPasswdPath()
-	if err != nil {
-		return err
-	}
+	u := strings.SplitN(userAndGroup, ":", 2)
 
-	groupPath, err := user.GetGroupPath()
-	if err != nil {
-		return err
+	// len(u) == 1 means there is no group id, we should try to get the supplementary group IDs.
+	if len(u) == 1 || u[0] == "" || os.Getenv("HOME") == "" {
+		passwdPath, err := user.GetPasswdPath()
+		if err != nil {
+			return nil, err
+		}
+
+		groupPath, err := user.GetGroupPath()
+		if err != nil {
+			return nil, err
+		}
+
+		return user.GetExecUserPath(userAndGroup, &defaultExecUser, passwdPath, groupPath)
+	} else {
+		uid, err := strconv.Atoi(u[0])
+		if err != nil {
+			return nil, err
+		}
+		gid, err := strconv.Atoi(u[1])
+		if err != nil {
+			return nil, err
+		}
+		return &user.ExecUser{
+			Uid:  uid,
+			Gid:  gid,
+			Home: os.Getenv("HOME"),
+		}, nil
 	}
+}
 
-	execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
+// setupUser changes the groups, gid, and uid for the user inside the container
+func setupUser(config *initConfig) error {
+	execUser, err := getExecUser(config.User)
 	if err != nil {
 		return err
 	}
 
 	var addGroups []int
 	if len(config.AdditionalGroups) > 0 {
-		addGroups, err = user.GetAdditionalGroupsPath(config.AdditionalGroups, groupPath)
-		if err != nil {
-			return err
+		for _, group := range config.AdditionalGroups {
+			gid, err := strconv.Atoi(group)
+			if err != nil {
+				return err
+			}
+			addGroups = append(addGroups, gid)
 		}
 	}
 
diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
@@ -395,7 +395,7 @@ func TestAdditionalGroups(t *testing.T) {
 		Env:              standardEnvironment,
 		Stdin:            nil,
 		Stdout:           &stdout,
-		AdditionalGroups: []string{"plugdev", "audio"},
+		AdditionalGroups: []string{"1", "2"},
 		Init:             true,
 	}
 	err = container.Run(&pconfig)
@@ -407,12 +407,12 @@ func TestAdditionalGroups(t *testing.T) {
 	outputGroups := stdout.String()
 
 	// Check that the groups output has the groups that we specified
-	if !strings.Contains(outputGroups, "audio") {
-		t.Fatalf("Listed groups do not contain the audio group as expected: %v", outputGroups)
+	if !strings.Contains(outputGroups, "1") {
+		t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
 	}
 
-	if !strings.Contains(outputGroups, "plugdev") {
-		t.Fatalf("Listed groups do not contain the plugdev group as expected: %v", outputGroups)
+	if !strings.Contains(outputGroups, "2") {
+		t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
 	}
 }
 
diff --git a/libcontainer/integration/execin_test.go b/libcontainer/integration/execin_test.go
@@ -162,7 +162,7 @@ func TestExecInAdditionalGroups(t *testing.T) {
 		Env:              standardEnvironment,
 		Stdin:            nil,
 		Stdout:           &stdout,
-		AdditionalGroups: []string{"plugdev", "audio"},
+		AdditionalGroups: []string{"1", "2"},
 	}
 	err = container.Run(&pconfig)
 	ok(t, err)
@@ -176,12 +176,12 @@ func TestExecInAdditionalGroups(t *testing.T) {
 	outputGroups := stdout.String()
 
 	// Check that the groups output has the groups that we specified
-	if !strings.Contains(outputGroups, "audio") {
-		t.Fatalf("Listed groups do not contain the audio group as expected: %v", outputGroups)
+	if !strings.Contains(outputGroups, "1") {
+		t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
 	}
 
-	if !strings.Contains(outputGroups, "plugdev") {
-		t.Fatalf("Listed groups do not contain the plugdev group as expected: %v", outputGroups)
+	if !strings.Contains(outputGroups, "2") {
+		t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -395,7 +395,7 @@ func TestAdditionalGroups(t *testing.T) {`
`395`	`395`	`Env: standardEnvironment,`
`396`	`396`	`Stdin: nil,`
`397`	`397`	`Stdout: &stdout,`
`398`		`- AdditionalGroups: []string{"plugdev", "audio"},`
	`398`	`+ AdditionalGroups: []string{"1", "2"},`
`399`	`399`	`Init: true,`
`400`	`400`	`}`
`401`	`401`	`err = container.Run(&pconfig)`
`@@ -407,12 +407,12 @@ func TestAdditionalGroups(t *testing.T) {`
`407`	`407`	`outputGroups := stdout.String()`
`408`	`408`
`409`	`409`	`// Check that the groups output has the groups that we specified`
`410`		`- if !strings.Contains(outputGroups, "audio") {`
`411`		`- t.Fatalf("Listed groups do not contain the audio group as expected: %v", outputGroups)`
	`410`	`+ if !strings.Contains(outputGroups, "1") {`
	`411`	`+ t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)`
`412`	`412`	`}`
`413`	`413`
`414`		`- if !strings.Contains(outputGroups, "plugdev") {`
`415`		`- t.Fatalf("Listed groups do not contain the plugdev group as expected: %v", outputGroups)`
	`414`	`+ if !strings.Contains(outputGroups, "2") {`
	`415`	`+ t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)`
`416`	`416`	`}`
`417`	`417`	`}`
`418`	`418`
Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ func TestExecInAdditionalGroups(t *testing.T) {`
`162`	`162`	`Env: standardEnvironment,`
`163`	`163`	`Stdin: nil,`
`164`	`164`	`Stdout: &stdout,`
`165`		`- AdditionalGroups: []string{"plugdev", "audio"},`
	`165`	`+ AdditionalGroups: []string{"1", "2"},`
`166`	`166`	`}`
`167`	`167`	`err = container.Run(&pconfig)`
`168`	`168`	`ok(t, err)`
`@@ -176,12 +176,12 @@ func TestExecInAdditionalGroups(t *testing.T) {`
`176`	`176`	`outputGroups := stdout.String()`
`177`	`177`
`178`	`178`	`// Check that the groups output has the groups that we specified`
`179`		`- if !strings.Contains(outputGroups, "audio") {`
`180`		`- t.Fatalf("Listed groups do not contain the audio group as expected: %v", outputGroups)`
	`179`	`+ if !strings.Contains(outputGroups, "1") {`
	`180`	`+ t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)`
`181`	`181`	`}`
`182`	`182`
`183`		`- if !strings.Contains(outputGroups, "plugdev") {`
`184`		`- t.Fatalf("Listed groups do not contain the plugdev group as expected: %v", outputGroups)`
	`183`	`+ if !strings.Contains(outputGroups, "2") {`
	`184`	`+ t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)`
`185`	`185`	`}`
`186`	`186`	`}`
`187`	`187`