-
Bug
-
Resolution: Can't Do
-
Normal
-
None
-
4.12.z
-
Quality / Stability / Reliability
-
False
-
-
None
-
Moderate
-
No
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
When using an SCC like: runAsUser: type: MustRunAsRange RHOCP leverages on Project's annotations for having containers running with random UID: openshift.io/sa.scc.uid-range=1000970000/10000 When any container is run this way within that project, RHOCP will inject UID information in /etc/passwd file: sh-4.4$ tail -1 /etc/passwd 1001130000:x:1001130000:0:1001130000 user:/:/sbin/nologin This doesn't happen for its /etc/shadow counterpart though.
Version-Release number of selected component (if applicable):
Tested on 4.12.17
How reproducible:
$ oc new-app --image=registry.access.redhat.com/ubi8/ubi:8.6 --name=user-test < Edit command and args to> command: sleep args: "3600" Access Pod: $ oc rsh user-test-<POD-UID> cat /etc/passwd See random UID data at last row of /etc/passwd file Normally, /etc/shadow has 000 permission. There are a number of ways for checking this though: since /etc/shadow is actually 000 you can create PVCs and copy the content from the original image, alter read/write bits, and check it later on, so that the container can still alter it. You won't find any modification though.
Steps to Reproduce:
1. Create pod 2. Enter pod with standard user 3. Check /etc/shadow is not aligned with /etc/passwd
Actual results:
/etc/passwd contains info of container's running user, but /etc/shadow does not
Expected results:
Both /etc/passwd and /etc/shadow should contain lines for the container's running user
Additional info:
I suspect this has something to do with [0], but really can't tell if it's expected or a bug. Can someone please clarify? [0] https://access.redhat.com/articles/4859371