eae(a)us.ibm.com writes:
> Scenario: rootless user with primary and secondary group membership
> starts a container with mounted filesystem.
> Expected behavior: the group credentials of the podman container would respect the results of
> newgrp before starting the container.
> Actual behavior: the group credentials for access are always the primary group.
With rootless we cannot set arbitrary additional groups, as we do with
root containers. What we could do is to skip the setgroups(2) in the
OCI runtime so that the original additional groups can be maintained.
I've opened a PR for crun to enable that:
https://github.com/containers/crun/pull/148
Giuseppe