[pkg-go] Bug#977717: podman: Images can't be run with non-root USER after upgrade to 2.1.1 due to wrong permissions of / inside the container

Andreas Maus 023a305472eca90cd389e9dd4a9f30f71a6cf4e6 at ypbind.de
Sat Dec 19 14:05:39 GMT 2020


Package: podman
Version: 2.1.1+dfsg1-2
Severity: important
X-Debbugs-Cc: 023a305472eca90cd389e9dd4a9f30f71a6cf4e6 at ypbind.de

Hello ^.*$

After the upgrade of podman to 2.1.1 container images
can't be run if the Dockerfile specifies a non-root USER.

For instance:

maus at build:~$ podman --version
podman version 2.1.1

maus at build:~$ cat Dockerfile
FROM debian10:latest
USER maus
RUN id

maus at build:~$ podman pull docker://cthulhu.badphish.ypbind.de:5000/debian10:latest
Trying to pull docker://cthulhu.badphish.ypbind.de:5000/debian10:latest...
Getting image source signatures
Copying blob 3fa1b7b37d85 skipped: already exists
Copying blob c4d430d70570 skipped: already exists
Copying blob dd25a18fa133 skipped: already exists
Copying blob 8411b8221e04 skipped: already exists
Copying config 33eef1a794 done
Writing manifest to image destination
Storing signatures
33eef1a79457312c91e450012b1d24b775452ad43128a529ebf3930e30f71271

maus at build:~$ podman build -f Dockerfile
STEP 1: FROM debian10:latest
STEP 2: USER maus
--> Using cache cae2cdba5e97dbbc666e7f65b77e9f322a4a534d0b15faf60a2360b022afebc2
--> cae2cdba5e9
STEP 3: RUN id
ERRO[0000] container_linux.go:370: starting container process caused: exec: "/bin/sh": stat /bin/sh: permission denied
error running container: error creating container for [/bin/sh -c id]: : exit status 1
Error: error building at STEP "RUN id": error while running runtime: exit status 1

This is caused by the permissions of / after the image start:

maus at build:~$ podman run -t -i debian10:latest ls -ld /
drwx------ 22 root root 4096 Dec 19 14:30 /

This prevents access to every file or directory below / for non-root
users.

The previous version of podman - 2.0.6 - didn't show this behavior:

maus at debian11:~$ podman --version
podman version 2.0.6

maus at debian11:~$ podman pull docker://cthulhu.badphish.ypbind.de:5000/debian10:latest
Trying to pull docker://cthulhu.badphish.ypbind.de:5000/debian10:latest...
Getting image source signatures
Copying blob 8411b8221e04 skipped: already exists
Copying blob 3c5de6b97e3d skipped: already exists
Copying blob 3fa1b7b37d85 skipped: already exists
Copying blob c4d430d70570 skipped: already exists
Copying config 33eef1a794 done
Writing manifest to image destination
Storing signatures
33eef1a79457312c91e450012b1d24b775452ad43128a529ebf3930e30f71271

maus at debian11:~$ podman build -f Dockerfile
STEP 1: FROM debian10:latest
STEP 2: USER maus
--> Using cache 84e95d910544795f623c5ddc697244283945c271c14c352117dfff5d0cc4dc70
STEP 3: RUN id
uid=1000(maus) gid=1000(maus) groups=1000(maus),5(tty),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(nagios)
STEP 4: COMMIT

Because the container starts with the correct permissions for /:

maus at debian11:~$ podman run -t -i debian10:latest ls -ld /
drwxr-xr-x 22 root root 4096 Dec 19 14:38 /

The content of /etc/containers/containers.conf was not changed and it contains:

maus at build:~$ cat /etc/containers/containers.conf 
[containers]

[network]

[engine]
runtime = "crun"
runtime_supports_json = ["crun", "runc", "kata"]

[engine.runtimes]

There is no user specific configuration in $HOME/.config/containers/

I've looked at the changelog for 2.1 but didn't find any clue.

Sincerely yours,

Andreas Maus.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-4-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages podman depends on:
ii  conmon                           2.0.20-1
ii  containernetworking-plugins      0.8.7-1
ii  crun                             0.15.1+dfsg-1
ii  golang-github-containers-common  0.26.3+ds1-2
ii  init-system-helpers              1.59
ii  libc6                            2.31-5
ii  libdevmapper1.02.1               2:1.02.173-1
ii  libgpgme11                       1.14.0-1+b2
ii  libseccomp2                      2.5.0-3+b1
ii  runc                             1.0.0~rc92+dfsg1-5

Versions of packages podman recommends:
ii  buildah         1.16.6+dfsg1-1
ii  fuse-overlayfs  1.2.0-1
ii  slirp4netns     1.0.1-1
ii  tini            0.19.0-1
ii  uidmap          1:4.8.1-1

Versions of packages podman suggests:
pn  containers-storage  <none>

-- no debconf information
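The report pins the failure to the mode of / inside the started container (0700 in the broken case, 0755 in the working one). The following POSIX sh script is an added example, not part of the bug report or of the podman project: it parses `ls -ld /` output the way the report shows it and flags images whose root directory lacks the "other" search bit, so a non-root USER would hit the "permission denied" seen at STEP 3. The sample mode lines are constructed from the report; the wrapper assumes `podman` is in PATH and is only used when image names are passed as arguments.

```shell
#!/bin/sh
# Preflight check: does / inside an image allow non-root users to traverse it?
# Added example, not part of the bug report. Assumes `podman` is in PATH when
# image names are passed as arguments; the parser itself needs only POSIX sh.

# mode_allows_other_traverse LINE
#   LINE is one line of `ls -ld /` output, e.g. (constructed from the report)
#   "drwx------ 22 root root 4096 Dec 19 14:30 /"  (the broken 2.1.1 case)
#   "drwxr-xr-x 22 root root 4096 Dec 19 14:38 /"  (the working 2.0.6 case)
#   Returns 0 if "other" has the search (x or t) bit on the directory,
#   1 if it does not (a non-root USER will get "permission denied"),
#   2 if the line does not describe a directory at all.
mode_allows_other_traverse() {
    perms=${1%% *}          # first field: the symbolic mode string
    case "$perms" in
        d????????[xt]*) return 0 ;;   # 10th char is the "other" search bit; a trailing "+"/"." (ACL/SELinux) is ignored
        d*)             return 1 ;;
        *)              return 2 ;;
    esac
}

# check_image_root_dir IMAGE
#   Starts IMAGE as root (so the command itself runs even on a broken image)
#   and inspects / from inside it. Prints OK/FAIL; returns 1 on FAIL, 2 if the
#   container could not be started at all.
check_image_root_dir() {
    line=$(podman run --rm --user 0 "$1" ls -ld /) || return 2
    if mode_allows_other_traverse "$line"; then
        printf 'OK   %s: / is %s\n' "$1" "${line%% *}"
        return 0
    fi
    printf 'FAIL %s: / is %s, a non-root USER cannot reach /bin/sh\n' "$1" "${line%% *}"
    return 1
}

# Usage: sh check-root-perms.sh IMAGE [IMAGE...]
# Each image is checked in turn; "failed" counts how many would break a non-root USER.
failed=0
for image in "$@"; do
    check_image_root_dir "$image" || failed=$((failed + 1))
done
```

Running it against an image built on the affected podman version prints a FAIL line with the `drwx------` mode from the report, while the same image under 2.0.6 prints OK with `drwxr-xr-x`; the check is deliberately done as root so that it still works when the image would fail for its own USER.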
