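package integration

import (
	"fmt"
	"os"

	. "github.com/hanks177/podman/v4/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	. "github.com/onsi/gomega/gexec"
)

// These specs cover how `podman run` handles /etc/passwd and /etc/group inside
// the container for different `-u/--user` values.
//
// Most specs run `mount` in a `--read-only` container and look for "passwd" or
// "/etc/group" in the output. The expectations below imply that such a mount
// shows up only when the requested UID/GID has no entry in the image.
// NOTE(review): that the mount is a podman-generated file is inferred from the
// assertions, not shown in this file; confirm against libpod.
var _ = Describe("Podman run passwd", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			// Without a scratch directory no spec can run; abort the process.
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// --- /etc/passwd handling -------------------------------------------

	It("podman run no user specified ", func() {
		session := podmanTest.Podman([]string{"run", "--read-only", BB, "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(Not(ContainSubstring("passwd")))
	})

	It("podman run user specified in container", func() {
		session := podmanTest.Podman([]string{"run", "--read-only", "-u", "bin", BB, "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(Not(ContainSubstring("passwd")))
	})

	It("podman run UID specified in container", func() {
		session := podmanTest.Podman([]string{"run", "--read-only", "-u", "2:1", BB, "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(Not(ContainSubstring("passwd")))
	})

	It("podman run UID not specified in container", func() {
		// UID 20001 is expected to be absent from the image, so a passwd mount
		// must appear in the `mount` output.
		session := podmanTest.Podman([]string{"run", "--read-only", "-u", "20001:1", BB, "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(ContainSubstring("passwd"))
	})

	It("podman can run container without /etc/passwd", func() {
		// The image deletes its account databases; the run must still succeed
		// and must not leave a passwd file behind in /etc.
		dockerfile := fmt.Sprintf(`FROM %s
RUN rm -f /etc/passwd /etc/shadow /etc/group
USER 1000`, ALPINE)
		imgName := "testimg"
		podmanTest.BuildImage(dockerfile, imgName, "false")
		session := podmanTest.Podman([]string{"run", "--rm", imgName, "ls", "/etc/"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(Not(ContainSubstring("passwd")))
	})

	// --- /etc/group handling --------------------------------------------

	It("podman run with no user specified does not change --group specified", func() {
		session := podmanTest.Podman([]string{"run", "--read-only", BB, "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(Not(ContainSubstring("/etc/group")))
	})

	It("podman run group specified in container", func() {
		session := podmanTest.Podman([]string{"run", "--read-only", "-u", "root:bin", BB, "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(Not(ContainSubstring("/etc/group")))
	})

	It("podman run non-numeric group not specified in container", func() {
		// A group name that cannot be resolved must be rejected, not mapped
		// to some default GID.
		session := podmanTest.Podman([]string{"run", "--read-only", "-u", "root:doesnotexist", BB, "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session).To(ExitWithError())
	})

	It("podman run numeric group specified in container", func() {
		session := podmanTest.Podman([]string{"run", "--read-only", "-u", "root:11", BB, "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(Not(ContainSubstring("/etc/group")))
	})

	It("podman run numeric group not specified in container", func() {
		session := podmanTest.Podman([]string{"run", "--read-only", "-u", "20001:20001", BB, "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(ContainSubstring("/etc/group"))
	})

	It("podman run numeric user not specified in container modifies group", func() {
		session := podmanTest.Podman([]string{"run", "--read-only", "-u", "20001", BB, "mount"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		Expect(session.OutputToString()).To(ContainSubstring("/etc/group"))
	})

	It("podman run numeric group from image and no group file", func() {
		dockerfile := fmt.Sprintf(`FROM %s
RUN rm -f /etc/passwd /etc/shadow /etc/group
USER 1000`, ALPINE)
		imgName := "testimg"
		podmanTest.BuildImage(dockerfile, imgName, "false")
		session := podmanTest.Podman([]string{"run", "--rm", imgName, "ls", "/etc/"})
		session.WaitWithDefaultTimeout()
		Expect(session).Should(Exit(0))
		// `ls /etc/` prints bare file names, so matching on "/etc/group" could
		// never fail. Compare against the individual directory entries instead
		// so the spec really detects a group file appearing in the container.
		Expect(session.OutputToStringArray()).To(Not(ContainElement("group")))
	})

	// --- explicit control over the generated passwd entry ------------------

	// NOTE(review): the spec name says --no-manage-passwd, but the flag that is
	// exercised is --passwd=false.
	It("podman run --no-manage-passwd flag", func() {
		// Default behaviour: an entry for the requested UID:GID is visible.
		run := podmanTest.Podman([]string{"run", "--user", "1234:1234", ALPINE, "cat", "/etc/passwd"})
		run.WaitWithDefaultTimeout()
		Expect(run).Should(Exit(0))
		Expect(run.OutputToString()).To(ContainSubstring("1234:1234"))

		// With --passwd=false the image's passwd file must be left untouched.
		run = podmanTest.Podman([]string{"run", "--passwd=false", "--user", "1234:1234", ALPINE, "cat", "/etc/passwd"})
		run.WaitWithDefaultTimeout()
		Expect(run).Should(Exit(0))
		Expect(run.OutputToString()).NotTo(ContainSubstring("1234:1234"))
	})

	It("podman run --passwd-entry flag", func() {
		// Test that the line we add doesn't contain anything else than what is specified
		run := podmanTest.Podman([]string{"run", "--user", "1234:1234", "--passwd-entry=FOO", ALPINE, "grep", "^FOO$", "/etc/passwd"})
		run.WaitWithDefaultTimeout()
		Expect(run).Should(Exit(0))

		// The $UID/$GID/$NAME/$HOME/$USERNAME placeholders must be substituted
		// with the container's values; $HOME follows the -w working directory.
		// NOTE(review): the template is handed over as one argv element, so
		// presumably no host shell expands it first; confirm in the helper.
		run = podmanTest.Podman([]string{"run", "--user", "12345:12346", "-w", "/etc", "--passwd-entry=$UID-$GID-$NAME-$HOME-$USERNAME", ALPINE, "cat", "/etc/passwd"})
		run.WaitWithDefaultTimeout()
		Expect(run).Should(Exit(0))
		Expect(run.OutputToString()).To(ContainSubstring("12345-12346-container user-/etc-12345"))
	})
})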