github.com/containers/podman/v5@v5.1.0-rc1/test/e2e/run_passwd_test.go (about)

     1  package integration
     2  
     3  import (
     4  	"fmt"
     5  
     6  	. "github.com/containers/podman/v5/test/utils"
     7  	. "github.com/onsi/ginkgo/v2"
     8  	. "github.com/onsi/gomega"
     9  )
    10  
// This suite exercises how "podman run" handles the container's /etc/passwd
// and /etc/group for different --user values, and the flags that control that
// handling (--passwd=false, --passwd-entry, --group-entry).
//
// The --read-only specs run "mount" inside the container and look for a
// passwd/group path in the mount table.
// NOTE(review): presumably a generated file is bind-mounted over the read-only
// rootfs whenever podman has to add an entry; confirm against the
// implementation, since only the mount output is visible from here.
var _ = Describe("Podman run passwd", func() {

	// No --user at all: no passwd path is expected in the mount table.
	It("podman run no user specified ", func() {
		cmd := []string{"run", "--read-only", BB, "mount"}
		result := podmanTest.Podman(cmd)
		result.WaitWithDefaultTimeout()
		Expect(result).Should(ExitCleanly())

		mounts := result.OutputToString()
		Expect(mounts).To(Not(ContainSubstring("passwd")))
	})

	// A user name ("bin") that, per the spec title, the image already defines:
	// again no passwd path in the mount table.
	It("podman run user specified in container", func() {
		cmd := []string{"run", "--read-only", "-u", "bin", BB, "mount"}
		result := podmanTest.Podman(cmd)
		result.WaitWithDefaultTimeout()
		Expect(result).Should(ExitCleanly())

		mounts := result.OutputToString()
		Expect(mounts).To(Not(ContainSubstring("passwd")))
	})

	// Numeric UID:GID (2:1) that the spec title treats as present in the image.
	It("podman run UID specified in container", func() {
		cmd := []string{"run", "--read-only", "-u", "2:1", BB, "mount"}
		result := podmanTest.Podman(cmd)
		result.WaitWithDefaultTimeout()
		Expect(result).Should(ExitCleanly())

		mounts := result.OutputToString()
		Expect(mounts).To(Not(ContainSubstring("passwd")))
	})

	// UID 20001 is not expected to exist in the image, so this is the one
	// passwd case where a passwd path must show up in the mount table.
	It("podman run UID not specified in container", func() {
		cmd := []string{"run", "--read-only", "-u", "20001:1", BB, "mount"}
		result := podmanTest.Podman(cmd)
		result.WaitWithDefaultTimeout()
		Expect(result).Should(ExitCleanly())

		mounts := result.OutputToString()
		Expect(mounts).To(ContainSubstring("passwd"))
	})

	// Builds an image whose /etc/passwd, /etc/shadow and /etc/group were
	// removed and whose default user is 1000, then checks both directions:
	// with --passwd=false nothing named passwd appears in /etc, and without
	// the flag /etc/passwd exists.
	It("podman can run container without /etc/passwd", func() {
		containerfile := fmt.Sprintf("FROM %s\nRUN rm -f /etc/passwd /etc/shadow /etc/group\nUSER 1000", ALPINE)
		image := "testimg"
		podmanTest.BuildImage(containerfile, image, "false")

		unmanaged := podmanTest.Podman([]string{"run", "--passwd=false", "--rm", image, "ls", "/etc/"})
		unmanaged.WaitWithDefaultTimeout()
		Expect(unmanaged).Should(ExitCleanly())
		Expect(unmanaged.OutputToString()).To(Not(ContainSubstring("passwd")))

		// Without --passwd=false the file must be there: "ls /etc/passwd"
		// only exits cleanly if /etc/passwd exists.
		managed := podmanTest.Podman([]string{"run", "--rm", "--user", "0:0", image, "ls", "/etc/passwd"})
		managed.WaitWithDefaultTimeout()
		Expect(managed).Should(ExitCleanly())
	})

	// Group counterpart of the first spec: no --user, no /etc/group mount.
	It("podman run with no user specified does not change --group specified", func() {
		cmd := []string{"run", "--read-only", BB, "mount"}
		result := podmanTest.Podman(cmd)
		result.WaitWithDefaultTimeout()
		Expect(result).Should(ExitCleanly())

		mounts := result.OutputToString()
		Expect(mounts).To(Not(ContainSubstring("/etc/group")))
	})

	// Group given by a name ("bin") the spec title treats as present.
	It("podman run group specified in container", func() {
		cmd := []string{"run", "--read-only", "-u", "root:bin", BB, "mount"}
		result := podmanTest.Podman(cmd)
		result.WaitWithDefaultTimeout()
		Expect(result).Should(ExitCleanly())

		mounts := result.OutputToString()
		Expect(mounts).To(Not(ContainSubstring("/etc/group")))
	})

	// An unknown group *name* cannot be resolved to a GID, so the run must
	// fail with exit code 126 and the lookup error rather than start.
	It("podman run non-numeric group not specified in container", func() {
		cmd := []string{"run", "--read-only", "-u", "root:doesnotexist", BB, "mount"}
		result := podmanTest.Podman(cmd)
		result.WaitWithDefaultTimeout()
		Expect(result).To(ExitWithError(126, "unable to find group doesnotexist: no matching entries in group file"))
	})

	// Numeric GID 11, which the spec title treats as present in the image.
	It("podman run numeric group specified in container", func() {
		cmd := []string{"run", "--read-only", "-u", "root:11", BB, "mount"}
		result := podmanTest.Podman(cmd)
		result.WaitWithDefaultTimeout()
		Expect(result).Should(ExitCleanly())

		mounts := result.OutputToString()
		Expect(mounts).To(Not(ContainSubstring("/etc/group")))
	})

	// Numeric GID 20001 is not expected in the image: /etc/group must appear
	// in the mount table.
	It("podman run numeric group not specified in container", func() {
		cmd := []string{"run", "--read-only", "-u", "20001:20001", BB, "mount"}
		result := podmanTest.Podman(cmd)
		result.WaitWithDefaultTimeout()
		Expect(result).Should(ExitCleanly())

		mounts := result.OutputToString()
		Expect(mounts).To(ContainSubstring("/etc/group"))
	})

	// A bare unknown UID with no group part still results in an /etc/group
	// mount.
	It("podman run numeric user not specified in container modifies group", func() {
		cmd := []string{"run", "--read-only", "-u", "20001", BB, "mount"}
		result := podmanTest.Podman(cmd)
		result.WaitWithDefaultTimeout()
		Expect(result).Should(ExitCleanly())

		mounts := result.OutputToString()
		Expect(mounts).To(ContainSubstring("/etc/group"))
	})

	// Same stripped image as above (no passwd/shadow/group, USER 1000), run
	// with default passwd handling.
	It("podman run numeric group from image and no group file", func() {
		containerfile := fmt.Sprintf("FROM %s\nRUN rm -f /etc/passwd /etc/shadow /etc/group\nUSER 1000", ALPINE)
		image := "testimg"
		podmanTest.BuildImage(containerfile, image, "false")

		listing := podmanTest.Podman([]string{"run", "--rm", image, "ls", "/etc/"})
		listing.WaitWithDefaultTimeout()
		Expect(listing).Should(ExitCleanly())
		// NOTE(review): "ls /etc/" prints bare entry names, so its output
		// should never contain the full path "/etc/group" and this
		// expectation cannot fail. The effective check here is the clean
		// exit above; confirm what the group assertion was meant to pin.
		Expect(listing.OutputToString()).To(Not(ContainSubstring("/etc/group")))
	})

	// The spec title says --no-manage-passwd; the command actually uses
	// --passwd=false. By default an entry containing "1234:1234" is present
	// in /etc/passwd for the requested user; with --passwd=false it is not.
	It("podman run --no-manage-passwd flag", func() {
		managed := podmanTest.Podman([]string{"run", "--user", "1234:1234", ALPINE, "cat", "/etc/passwd"})
		managed.WaitWithDefaultTimeout()
		Expect(managed).Should(ExitCleanly())
		Expect(managed.OutputToString()).To(ContainSubstring("1234:1234"))

		unmanaged := podmanTest.Podman([]string{"run", "--passwd=false", "--user", "1234:1234", ALPINE, "cat", "/etc/passwd"})
		unmanaged.WaitWithDefaultTimeout()
		Expect(unmanaged).Should(ExitCleanly())
		Expect(unmanaged.OutputToString()).NotTo(ContainSubstring("1234:1234"))
	})

	It("podman run --passwd-entry flag", func() {
		// The caller-supplied entry must land in /etc/passwd verbatim: the
		// anchored grep only succeeds if a line is exactly "FOO", with
		// nothing prepended or appended to it.
		literal := podmanTest.Podman([]string{"run", "--user", "1234:1234", "--passwd-entry=FOO", ALPINE, "grep", "^FOO$", "/etc/passwd"})
		literal.WaitWithDefaultTimeout()
		Expect(literal).Should(ExitCleanly())

		// Placeholder expansion: the expected string shows $UID and $GID
		// taken from --user, $NAME as "container user", $HOME as the -w
		// working directory and $USERNAME as the numeric UID.
		templated := podmanTest.Podman([]string{"run", "--user", "12345:12346", "-w", "/etc", "--passwd-entry=$UID-$GID-$NAME-$HOME-$USERNAME", ALPINE, "cat", "/etc/passwd"})
		templated.WaitWithDefaultTimeout()
		Expect(templated).Should(ExitCleanly())
		Expect(templated.OutputToString()).To(ContainSubstring("12345-12346-container user-/etc-12345"))
	})

	It("podman run --group-entry flag", func() {
		// As for --passwd-entry: the supplied line must appear in
		// /etc/group exactly as given, with nothing else on it.
		literal := podmanTest.Podman([]string{"run", "--user", "1234:1234", "--group-entry=FOO", ALPINE, "grep", "^FOO$", "/etc/group"})
		literal.WaitWithDefaultTimeout()
		Expect(literal).Should(ExitCleanly())

		// NOTE(review): the substring "12346" would presumably also be
		// present in an automatically generated group entry for GID 12346,
		// so this does not by itself prove that --group-entry=$GID was
		// honoured. An anchored match like the FOO case above would be
		// stricter; verify before tightening.
		templated := podmanTest.Podman([]string{"run", "--user", "12345:12346", "--group-entry=$GID", ALPINE, "tail", "/etc/group"})
		templated.WaitWithDefaultTimeout()
		Expect(templated).Should(ExitCleanly())
		Expect(templated.OutputToString()).To(ContainSubstring("12346"))
	})
})