integrate github.com/opencontainers/runc/libcontainer/user (alternative) #134

… implements proper parsing of /etc/passwd and /etc/group, and use that to add support for "docker run -u user:group" and for getting supplementary groups (if ":group" is not specified) Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)

Fixes #5647 Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)

…plementary to return "Home" too Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)

This patch refactors most of GetUserGroupSupplementaryHome and its signature, to make using it much simpler. The private parsing ftunctions have also been exposed (parsePasswdFile, parseGroupFile) to allow custom data source to be used (increasing the versatility of the user/ tools). In addition, file path wrappers around the formerly private API functions have been added to make usage of the API for callers easier if the files that are being parsed are on the filesystem (while the io.Reader APIs are exposed for non-traditional usecases). Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)

This patch adds an os/user-like user lookup API, implemented in pure Go. It also has some features not present in the standard library implementation (such as group lookups). Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)

Signed-off-by: Andrey Vagin <avagin@openvz.org>

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

This parses group file only once to process a list of groups instead of parsing once for each group. Also added an unit test for GetAdditionalGroupsPath Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>

The old GetAdditionalGroups* API didn't match the rest of libcontainer/user, we make functions that take io.Readers and then make wrappers around them. Otherwise we have to do dodgy stuff when testing our code. Fixes: b6df94ee65436 ("refactor GetAdditionalGroupsPath") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

Update the tests to use the test-friendly GetAdditionalGroups API, rather than making random files for no good reason. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

/etc/groups is not needed when specifying numeric group ids. This change allows containers without /etc/groups to specify numeric supplemental groups. Signed-off-by: Sami Wagiaalla <swagiaal@redhat.com>

Export errors as variables when no matching entries are found in passwd or group file. Signed-off-by: Thomas LE ROUX <thomas@november-eleven.fr>

Most shadow-related tools don't treat numeric ids as potential usernames, so change our behaviour to match that. Previously, using an explicit specification like 111:222 could result in the UID and GID not being 111 and 222 respectively (which is confusing). Signed-off-by: Aleksa Sarai <asarai@suse.de>

Signed-off-by: Aleksa Sarai <asarai@suse.de>

Some of the code was quite confusing inside libcontainer/user, so refactor and comment it so future maintainers can understand what's going and what edge cases we have to deal with. Signed-off-by: Aleksa Sarai <asarai@suse.de>

Fixes: #941 Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>

Signed-off-by: Lei Jitang <leijitang@huawei.com>

The parameters passed to `GetExecUser` is not correct. Consider the following code: ``` package main import ( "fmt" "io" "os" ) func main() { passwd, err := os.Open("/etc/passwd1") if err != nil { passwd = nil } else { defer passwd.Close() } err = GetUserPasswd(passwd) if err != nil { fmt.Printf("%#v\n", err) } } func GetUserPasswd(r io.Reader) error { if r == nil { return fmt.Errorf("nil source for passwd-formatted data") } else { fmt.Printf("r = %#v\n", r) } return nil } ``` If the file `/etc/passwd1` is not exist, we expect to return `nil source for passwd-formatted data` error, and in fact, the func `GetUserPasswd` return nil. The same logic exists in runc code. this patch fix it. Signed-off-by: Wang Long <long.wanglong@huawei.com>

Since syscall is outdated and broken for some architectures, use x/sys/unix instead. There are still some dependencies on the syscall package that will remain in syscall for the forseeable future: Errno Signal SysProcAttr Additionally: - os still uses syscall, so it needs to be kept for anything returning *os.ProcessState, such as process.Wait. Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>

Signed-off-by: Valentin Rothberg <vrothberg@suse.com>

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>

This reverts commit be16efd31c1748d9203905dffe449c655791c6a9, reversing changes made to 51b501dab1889ca609db9c536ac976f0f53e7021. Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>

runc currently only support Linux platform, and since we dont intend to expose the support to other platform, removing all other platforms placeholder code. `libcontainer/configs` still being used in https://github.com/moby/moby/blob/master/daemon/daemon_windows.go so keeping it for now. After this, we probably should also rename files to drop linux suffices if possible. Signed-off-by: Daniel Dao <dqminh89@gmail.com>

This rearranges a bit of the user and group lookup, such that only a basic subset is exposed. Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>

This fixes the following compilation error on 32bit ARM: ``` $ GOARCH=arm GOARCH=6 go build ./libcontainer/system/ libcontainer/system/linux.go:119:89: constant 4294967295 overflows int ``` Signed-off-by: Tibor Vass <tibor@docker.com>

subgid is defined per user, not group (see subgid(5)) This commit also adds support for specifying subuid owner with a numeric UID. Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>

The Err() method should be called after the Scan() loop, not inside it. Found by git grep -A3 -F '.Scan()' | grep Err Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: tjucoder <chinesecoder@foxmail.com>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Amim Knabben <amim.knabben@gmail.com>

Signed-off-by: Shengjing Zhu <zhsj@debian.org>

Signed-off-by: AdamKorcz <adam@adalogics.com>

Commit f1e605bf added these two functions, but they are only used from Windows code. The v1 of this patch moved these functions to _windows.go file, but after some discussion we decided to drop windows code altogether, so this is what this patch now does. This fixes > libcontainer/user/user.go:64:6: func `groupFromOS` is unused (unused) > libcontainer/user/user.go:35:6: func `userFromOS` is unused (unused) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Move the unix-specific code to a file that's not compiled on Windows. Some of the errors (ErrUnsupported, ErrNoPasswdEntries, ErrNoGroupEntries) are used in other parts of the code, so are moved to a non-platform specific file. Most of "user" is probably not useful on Windows, although it's possible that Windows code may have to parse a passwd file, so leaving that code for now. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

gofumpt (mvdan.cc/gofumpt) is a fork of gofmt with stricter rules. Brought to you by git ls-files \*.go | grep -v ^vendor/ | xargs gofumpt -s -w Looking at the diff, all these changes make sense. Also, replace gofmt with gofumpt in golangci.yml. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Using fmt.Errorf for errors that do not have %-style formatting directives is an overkill. Switch to errors.New. Found by git grep fmt.Errorf | grep -v ^vendor | grep -v '%' Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

This should result in no change when the error is printed, but make the errors returned unwrappable, meaning errors.As and errors.Is will work. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Every []byte to string conversion results in a new allocation. Avoid some by using []byte more. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Same as in other places (other parsers here, as well as golang os/user parser and glibc parser all tolerate extra space at BOL and EOL). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Lines in /etc/group longer than 64 characters breaks the current implementation of group parser. This is caused by bufio.Scanner buffer limit. Fix by re-using the fix for a similar problem in golang os/user, namely https://go-review.googlesource.com/c/go/+/283601. Add some tests. Co-authored-by: Andrey Bokhanko <andreybokhanko@gmail.com> Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Go 1.17 introduce this new (and better) way to specify build tags. For more info, see https://golang.org/design/draft-gobuild. As a way to seamlessly switch from old to new build tags, gofmt (and gopls) from go 1.17 adds the new tags along with the old ones. Later, when go < 1.17 is no longer supported, the old build tags can be removed. Now, as I started to use latest gopls (v0.7.1), it adds these tags while I edit. Rather than to randomly add new build tags, I guess it is better to do it once for all files. Mind that previous commits removed some tags that were useless, so this one only touches packages that can at least be built on non-linux. Brought to you by go1.17 fmt ./... Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Since Go 1.19, godoc recognizes lists, code blocks, headings etc. It also reformats the sources making it more apparent that these features are used. Fix a few places where it misinterpreted the formatting (such as indented vs unindented), and format the result using the gofumpt from HEAD, which already incorporates gofmt 1.19 changes. Some more fixes (and enhancements) might be required. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

The exception was fixed by polyfloyd/go-errorlint#12 which eventually made its way into golangci-lint. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

This integrate the github.com/opencontainers/runc/libcontainer/user package at commit [opencontainers/runc@a3a0ec4]. This package was originally authored in a "utils" package in the Docker repository, after which moved to "libcontainer", which became part of runc. Some commits were not included in history, due to them being applied in the Docker repository before moving into "libcontainer". Leaving links to those for future reference: - [moby/moby@eb38750] - [moby/moby@e41507b] - [moby/moby@b07314e] [opencontainers/runc@a3a0ec4]: opencontainers/runc@a3a0ec4 [moby/moby@eb38750]: moby/moby@eb38750 [moby/moby@e41507b]: moby/moby@e41507b [moby/moby@b07314e]: moby/moby@b07314e Co-authored-by: Tianon Gravi <admwiggin@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

integrate github.com/opencontainers/runc/libcontainer/user (alternative) #134

integrate github.com/opencontainers/runc/libcontainer/user (alternative) #134

Commits on Feb 1, 2014

Commits on May 18, 2014

Commits on Sep 16, 2023

Commits on Sep 17, 2023