enhanced container user and group handling

slimtoolkit · Feb 29, 2020 · 68b8939 · 68b8939
1 parent aa291a7
commit 68b8939
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 21 deletions.
diff --git a/internal/app/sensor/target/target_app.go b/internal/app/sensor/target/target_app.go
@@ -6,11 +6,12 @@ import (
 	"golang.org/x/sys/unix"
 	"os"
 	"os/exec"
-	"os/user"
-	"strconv"
+	"strings"
 	"syscall"
 
 	log "github.com/sirupsen/logrus"
+
+	"github.com/docker-slim/docker-slim/pkg/system"
 )
 
 //copied from libcontainer
@@ -93,33 +94,34 @@ func Start(appName string, appArgs []string, appDir, appUser string, runTargetAs
 			app.SysProcAttr = &syscall.SysProcAttr{}
 		}
 
-		userInfo, err := user.Lookup(appUser)
-		if err == nil {
-			var gid int64
-			uid, err := strconv.ParseInt(userInfo.Uid, 0, 32)
+		appUserParts := strings.Split(appUser, ":")
+		if len(appUserParts) > 0 {
+			uid, gid, err := system.ResolveUser(appUserParts[0])
 			if err == nil {
-				gid, err = strconv.ParseInt(userInfo.Gid, 0, 32)
-				if err == nil {
-					app.SysProcAttr.Credential = &syscall.Credential{
-						Uid: uint32(uid),
-						Gid: uint32(gid),
+				if len(appUserParts) > 1 {
+					xgid, err := system.ResolveGroup(appUserParts[1])
+					if err == nil {
+						gid = xgid
+					} else {
+						log.Errorf("sensor.startTargetApp: error resolving group identity (%v/%v) - %v", appUser, appUserParts[1], err)
 					}
+				}
 
-					log.Debugf("sensor.startTargetApp: start target as user (%s) - (uid=%d,gid=%d)", appUser, uid, gid)
+				app.SysProcAttr.Credential = &syscall.Credential{
+					Uid: uid,
+					Gid: gid,
+				}
 
-					if err = fixStdioPermissions(int(uid)); err != nil {
-						log.Errorf("sensor.startTargetApp: error fixing i/o perms for user (%v/%v) - %v", appUser, uid, err)
-					}
-				} else {
-					log.Errorf("sensor.startTargetApp: error converting user gid (%v) - %v", appUser, err)
+				log.Debugf("sensor.startTargetApp: start target as user (%s) - (uid=%d,gid=%d)", appUser, uid, gid)
+
+				if err = fixStdioPermissions(int(uid)); err != nil {
+					log.Errorf("sensor.startTargetApp: error fixing i/o perms for user (%v/%v) - %v", appUser, uid, err)
 				}
+
 			} else {
-				log.Errorf("sensor.startTargetApp: error converting user uid (%v) - %v", appUser, err)
+				log.Errorf("sensor.startTargetApp: error resolving user identity (%v/%v) - %v", appUser, appUserParts[0], err)
 			}
-		} else {
-			log.Errorf("sensor.startTargetApp: error getting user info (%v) - %v", appUser, err)
 		}
-
 	}
 
 	app.Dir = appDir

diff --git a/pkg/system/system.go b/pkg/system/system.go
@@ -1,5 +1,10 @@
 package system
 
+import (
+	"os/user"
+	"strconv"
+)
+
 type SystemInfo struct {
 	Sysname    string
 	Nodename   string
@@ -10,3 +15,52 @@ type SystemInfo struct {
 	OsName     string
 	OsBuild    string
 }
+
+func ResolveUser(identity string) (uint32, uint32, error) {
+	var userInfo *user.User
+	if _, err := strconv.ParseUint(identity, 10, 32); err == nil {
+		userInfo, err = user.LookupId(identity)
+		if err != nil {
+			return 0, 0, err
+		}
+	} else {
+		userInfo, err = user.Lookup(identity)
+		if err != nil {
+			return 0, 0, err
+		}
+	}
+
+	uid, err := strconv.ParseUint(userInfo.Uid, 10, 32)
+	if err != nil {
+		return 0, 0, err
+	}
+
+	gid, err := strconv.ParseUint(userInfo.Gid, 10, 32)
+	if err != nil {
+		return 0, 0, err
+	}
+
+	return uint32(uid), uint32(gid), nil
+}
+
+func ResolveGroup(identity string) (uint32, error) {
+	var groupInfo *user.Group
+	if _, err := strconv.ParseUint(identity, 10, 32); err == nil {
+		groupInfo, err = user.LookupGroupId(identity)
+		if err != nil {
+			return 0, err
+		}
+	} else {
+		groupInfo, err = user.LookupGroup(identity)
+		if err != nil {
+			return 0, err
+		}
+	}
+
+	gid, err := strconv.ParseUint(groupInfo.Gid, 10, 32)
+	if err != nil {
+		return 0, err
+	}
+
+	return uint32(gid), nil
+}