Merge pull request #5880 from LK4D4/fix_uid_overflow_#5647
Check uid ranges
This commit is contained in:
commit
66e7cf24b7
3 changed files with 62 additions and 0 deletions
|
@ -439,6 +439,8 @@ but the operator can override it:
|
|||
|
||||
-u="": Username or UID
|
||||
|
||||
> **Note:** if you pass numeric uid, it must be in range 0-2147483647.
|
||||
|
||||
## WORKDIR
|
||||
|
||||
The default working directory for running binaries within a container is the
|
||||
|
|
|
@ -544,6 +544,51 @@ func TestUserByID(t *testing.T) {
|
|||
logDone("run - user by id")
|
||||
}
|
||||
|
||||
func TestUserByIDBig(t *testing.T) {
|
||||
cmd := exec.Command(dockerBinary, "run", "-u", "2147483648", "busybox", "id")
|
||||
|
||||
out, _, err := runCommandWithOutput(cmd)
|
||||
if err == nil {
|
||||
t.Fatal("No error, but must be.", out)
|
||||
}
|
||||
if !strings.Contains(out, "Uids and gids must be in range") {
|
||||
t.Fatalf("expected error about uids range, got %s", out)
|
||||
}
|
||||
deleteAllContainers()
|
||||
|
||||
logDone("run - user by id, id too big")
|
||||
}
|
||||
|
||||
func TestUserByIDNegative(t *testing.T) {
|
||||
cmd := exec.Command(dockerBinary, "run", "-u", "-1", "busybox", "id")
|
||||
|
||||
out, _, err := runCommandWithOutput(cmd)
|
||||
if err == nil {
|
||||
t.Fatal("No error, but must be.", out)
|
||||
}
|
||||
if !strings.Contains(out, "Uids and gids must be in range") {
|
||||
t.Fatalf("expected error about uids range, got %s", out)
|
||||
}
|
||||
deleteAllContainers()
|
||||
|
||||
logDone("run - user by id, id negative")
|
||||
}
|
||||
|
||||
func TestUserByIDZero(t *testing.T) {
|
||||
cmd := exec.Command(dockerBinary, "run", "-u", "0", "busybox", "id")
|
||||
|
||||
out, _, err := runCommandWithOutput(cmd)
|
||||
if err != nil {
|
||||
t.Fatal(err, out)
|
||||
}
|
||||
if !strings.Contains(out, "uid=0(root) gid=0(root) groups=10(wheel)") {
|
||||
t.Fatalf("expected daemon user got %s", out)
|
||||
}
|
||||
deleteAllContainers()
|
||||
|
||||
logDone("run - user by id, zero uid")
|
||||
}
|
||||
|
||||
func TestUserNotFound(t *testing.T) {
|
||||
cmd := exec.Command(dockerBinary, "run", "-u", "notme", "busybox", "id")
|
||||
|
||||
|
|
|
@ -9,6 +9,15 @@ import (
|
|||
"strings"
|
||||
)
|
||||
|
||||
const (
|
||||
minId = 0
|
||||
maxId = 1<<31 - 1 //for 32-bit systems compatibility
|
||||
)
|
||||
|
||||
var (
|
||||
ErrRange = fmt.Errorf("Uids and gids must be in range %d-%d", minId, maxId)
|
||||
)
|
||||
|
||||
type User struct {
|
||||
Name string
|
||||
Pass string
|
||||
|
@ -194,6 +203,9 @@ func GetUserGroupSupplementary(userSpec string, defaultUid int, defaultGid int)
|
|||
// not numeric - we have to bail
|
||||
return 0, 0, nil, fmt.Errorf("Unable to find user %v", userArg)
|
||||
}
|
||||
if uid < minId || uid > maxId {
|
||||
return 0, 0, nil, ErrRange
|
||||
}
|
||||
|
||||
// if userArg couldn't be found in /etc/passwd but is numeric, just roll with it - this is legit
|
||||
}
|
||||
|
@ -226,6 +238,9 @@ func GetUserGroupSupplementary(userSpec string, defaultUid int, defaultGid int)
|
|||
// not numeric - we have to bail
|
||||
return 0, 0, nil, fmt.Errorf("Unable to find group %v", groupArg)
|
||||
}
|
||||
if gid < minId || gid > maxId {
|
||||
return 0, 0, nil, ErrRange
|
||||
}
|
||||
|
||||
// if groupArg couldn't be found in /etc/group but is numeric, just roll with it - this is legit
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue