
Re: Proposal for new restriction: "nosession"



Hi!

On 2023-04-14 19:25, Antonio Terceiro wrote:
> Can you elaborate on how did you hit this issue while using
> autopkgtest?

Testing packages that require access to a device, passed into the
container with --device. I just used --volume in my STR for brevity.

> What exactly is broken?

When starting a rootless container, it's possible to let the container
process retain the host groups of the invoking user and thus to keep
access to the device on the host, provided the user is in the right
group(s).

The 'su' by the test driver undoes this. In this particular case, the 'su'
is root->root, and only there for PAM/logind session according to code
comments. We don't need that, and skipping it would solve the problem.

> In any case, this sounds to me like a technical limitation of podman
> and/or the autopkgtest podman backend, and not like something we want to
> include in the specification.

It's a limitation by design, as an additional security measure. It does
not occur with rootful Podman (or docker, or lxc).

The initially proposed "nosession" is probably too broad anyway, as this
issue is specific to root in rootless containers.

It would be a nice feature for us, or anyone else interacting with host
devices in rootless containers, but I would have to agree that this
would be a very specific use case and I certainly wouldn't press for a
spec change if the use case is considered too niche.

Best,
Christian

