Workaround failing sudo
'sudo' calls 'unix_chkpwd' and this fails with
```
openat(AT_FDCWD</>, "/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES
```
for an unclear reason (CAP_DAC_* are granted).

Let root read /etc/shadow without capabilities as a workaround.
alexey-tikhonov authored and justin-stephenson committed Dec 17, 2024
1 parent 572bbf9 commit 316e357
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions actions/setup/action.yml
Expand Up @@ -102,6 +102,18 @@ runs:
REGISTRY="${{ inputs.registry }}" \
TAG="${{ inputs.tag }}"
- name: Workaround failing sudo
shell: bash
run: |
# 'sudo' calls 'unix_chkpwd' and this fails with
# openat(AT_FDCWD</>, "/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES
# for unclear reason (CAP_DAC_* are granted)
for svc in `sudo podman container ls --format "{{ .Names }}"`; do
if [ $svc != "dns" ]; then
sudo podman exec "$svc" chmod u+x /etc/shadow &
fi
done
- name: Change regular user uid to 1001
shell: bash
run: |
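Review bot: the command in the new step, `sudo podman exec "$svc" chmod u+x /etc/shadow &`, sets the owner execute bit, while the commit message gives the intent as letting root read /etc/shadow. If read access is what `unix_chkpwd` needs, the mode should be `u+r`; if `u+x` is deliberate, the in-file comment should say why it helps, since it currently describes only the failure and not what the workaround does. Each exec is also backgrounded with `&` and the loop is not followed by `wait`, so the step may return before the chmod has run in every container and a failed exec goes unnoticed; add `wait` after `done` or drop the `&`. Smaller points: quote the variable in `[ $svc != "dns" ]`, and prefer `$(...)` over backticks for the container listing.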

0 comments on commit 316e357
