From 9c5e687b6ffed514b0b2c7504d90507be4037e98 Mon Sep 17 00:00:00 2001 From: Rodrigo Campos Date: Thu, 6 Mar 2025 15:02:50 +0100 Subject: [PATCH] libct: Use chown(uid, -1) to not change the gid There is no behavior change, it is just more readable to use -1 to mean don't touch this. Please note that if the GID is not mapped in the userns, by using -1 for that no error is returned. We just avoid dealing with it completely, as we want here. Signed-off-by: Rodrigo Campos --- libcontainer/init_linux.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go index 8c30aae95..ef7b0cf13 100644 --- a/libcontainer/init_linux.go +++ b/libcontainer/init_linux.go @@ -524,16 +524,17 @@ func fixStdioPermissions(uid int) error { // that users expect to be able to actually use their console. Without // this code, you couldn't effectively run as a non-root user inside a // container and also have a console set up. - if err := file.Chown(uid, int(s.Gid)); err != nil { - // If we've hit an EINVAL then s.Gid isn't mapped in the user - // namespace. If we've hit an EPERM then the inode's current owner + if err := file.Chown(uid, -1); err != nil { + // If we've hit an EPERM then the inode's current owner // is not mapped in our user namespace (in particular, // privileged_wrt_inode_uidgid() has failed). Read-only // /dev can result in EROFS error. In any case, it's // better for us to just not touch the stdio rather // than bail at this point. - - if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) || errors.Is(err, unix.EROFS) { + // EINVAL should never happen, as it would mean the uid + // is not mapped, we expect this function to be called + // with a mapped uid. + if errors.Is(err, unix.EPERM) || errors.Is(err, unix.EROFS) { continue } return err