reduce the chance of parsing /etc/passwd & /etc/group

Signed-off-by: lifubang <[email protected]>

Author: lifubang

libcontainer/init_linux.go

@@ -440,35 +440,59 @@ func syncParentSeccomp(pipe *os.File, seccompFd *os.File) error {
 	return readSync(pipe, procSeccompDone)
 }
 
-// setupUser changes the groups, gid, and uid for the user inside the container
-func setupUser(config *initConfig) error {
+func getExecUser(userAndGroup string) (*user.ExecUser, error) {
 	// Set up defaults.
 	defaultExecUser := user.ExecUser{
 		Uid:  0,
 		Gid:  0,
 		Home: "/",
 	}
 
-	passwdPath, err := user.GetPasswdPath()
+	u, g, ok := strings.Cut(userAndGroup, ":")
+
+	if !ok || os.Getenv("HOME") == "" {
+		passwdPath, err := user.GetPasswdPath()
+		if err != nil {
+			return nil, err
+		}
+
+		groupPath, err := user.GetGroupPath()
+		if err != nil {
+			return nil, err
+		}
+
+		return user.GetExecUserPath(userAndGroup, &defaultExecUser, passwdPath, groupPath)
+	}
+	uid, err := strconv.Atoi(u)
 	if err != nil {
-		return err
+		return nil, err
 	}
-
-	groupPath, err := user.GetGroupPath()
+	gid, err := strconv.Atoi(g)
 	if err != nil {
-		return err
+		return nil, err
 	}
+	return &user.ExecUser{
+		Uid:  uid,
+		Gid:  gid,
+		Home: os.Getenv("HOME"),
+	}, nil
+}
 
-	execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
+// setupUser changes the groups, gid, and uid for the user inside the container.
+func setupUser(config *initConfig) error {
+	execUser, err := getExecUser(config.User)
 	if err != nil {
 		return err
 	}
 
 	var addGroups []int
 	if len(config.AdditionalGroups) > 0 {
-		addGroups, err = user.GetAdditionalGroupsPath(config.AdditionalGroups, groupPath)
-		if err != nil {
-			return err
+		for _, group := range config.AdditionalGroups {
+			gid, err := strconv.Atoi(group)
+			if err != nil {
+				return err
+			}
+			addGroups = append(addGroups, gid)
 		}
 	}
 

libcontainer/integration/exec_test.go

@@ -395,7 +395,7 @@ func TestAdditionalGroups(t *testing.T) {
 		Env:              standardEnvironment,
 		Stdin:            nil,
 		Stdout:           &stdout,
-		AdditionalGroups: []string{"plugdev", "audio"},
+		AdditionalGroups: []string{"1", "2"},
 		Init:             true,
 	}
 	err = container.Run(&pconfig)
@@ -407,12 +407,12 @@ func TestAdditionalGroups(t *testing.T) {
 	outputGroups := stdout.String()
 
 	// Check that the groups output has the groups that we specified
-	if !strings.Contains(outputGroups, "audio") {
-		t.Fatalf("Listed groups do not contain the audio group as expected: %v", outputGroups)
+	if !strings.Contains(outputGroups, "1") {
+		t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
 	}
 
-	if !strings.Contains(outputGroups, "plugdev") {
-		t.Fatalf("Listed groups do not contain the plugdev group as expected: %v", outputGroups)
+	if !strings.Contains(outputGroups, "2") {
+		t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
 	}
 }
 

libcontainer/integration/execin_test.go

@@ -162,7 +162,7 @@ func TestExecInAdditionalGroups(t *testing.T) {
 		Env:              standardEnvironment,
 		Stdin:            nil,
 		Stdout:           &stdout,
-		AdditionalGroups: []string{"plugdev", "audio"},
+		AdditionalGroups: []string{"1", "2"},
 	}
 	err = container.Run(&pconfig)
 	ok(t, err)
@@ -176,12 +176,12 @@ func TestExecInAdditionalGroups(t *testing.T) {
 	outputGroups := stdout.String()
 
 	// Check that the groups output has the groups that we specified
-	if !strings.Contains(outputGroups, "audio") {
-		t.Fatalf("Listed groups do not contain the audio group as expected: %v", outputGroups)
+	if !strings.Contains(outputGroups, "1") {
+		t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
 	}
 
-	if !strings.Contains(outputGroups, "plugdev") {
-		t.Fatalf("Listed groups do not contain the plugdev group as expected: %v", outputGroups)
+	if !strings.Contains(outputGroups, "2") {
+		t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
 	}
 }