moby: api.go doesn't respect nsswitch.conf
Due to the implementation of `api.go` which reads only `/etc/group`, it is impossible to rely on other auth mechanisms (e.g. LDAP, NIS).
```go
groups, err := ioutil.ReadFile("/etc/group")
if err != nil {
	return err
}
re := regexp.MustCompile("(^|\n)docker:.*?:([0-9]+)")
if gidMatch := re.FindStringSubmatch(string(groups)); gidMatch != nil {
	gid, err := strconv.Atoi(gidMatch[2])
	if err != nil {
		return err
	}
	utils.Debugf("docker group found. gid: %d", gid)
	if err := os.Chown(addr, 0, gid); err != nil {
		return err
	}
}
```
Instead, the `getgrnam` syscall should be used to determine whether a `docker` group exists or not.
The implementation of `lookup_unix.go` in the `user` Go package might serve as inspiration on how to do this.
About this issue
- State: closed
- Created 11 years ago
- Reactions: 2
- Comments: 29 (23 by maintainers)
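An added example, not code from the Docker project: it resolves the `docker` group through Go's `os/user` package and reports when the file-only match quoted in the issue would have missed a group that exists only in a directory service. The names `socketGID`, `nssLookup` and `errNoSuchGroup` and the sample group file are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/user"
	"regexp"
	"strconv"
)

// Added example; helper names are hypothetical, not from the Docker code base.
// dockerRe is the file-only match quoted in the issue.
var dockerRe = regexp.MustCompile("(^|\n)docker:.*?:([0-9]+)")

var errNoSuchGroup = errors.New("no such group")

// nssLookup resolves a group through os/user. Only cgo builds call libc and
// therefore follow nsswitch.conf; CGO_ENABLED=0 or the osusergo build tag
// make os/user parse /etc/group itself.
func nssLookup(name string) (string, error) {
	g, err := user.LookupGroup(name)
	if errors.As(err, new(user.UnknownGroupError)) {
		return "", errNoSuchGroup
	}
	if err != nil {
		return "", err
	}
	return g.Gid, nil
}

// socketGID returns the gid that should own the daemon socket and whether the
// file-only match would have missed it. On errNoSuchGroup, skip the chown.
func socketGID(groupFile string, lookup func(string) (string, error)) (gid int, fileMiss bool, err error) {
	s, err := lookup("docker")
	if err != nil {
		return 0, false, err
	}
	if gid, err = strconv.Atoi(s); err != nil {
		return 0, false, err
	}
	return gid, !dockerRe.MatchString(groupFile), nil
}

func main() {
	// Constructed /etc/group contents with no local "docker" entry.
	const sample = "root:x:0:\nadm:x:4:syslog\ndocker-users:x:1001:\n"
	gid, miss, err := socketGID(sample, nssLookup)
	fmt.Println(gid, miss, errors.Is(err, errNoSuchGroup), err)
}
```

Passing the lookup as a function keeps the check testable without a directory service; a daemon would pass `nssLookup` and chown the socket only when no error is returned.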
Any news on this? Group lookup is still done in the statically defined /etc/group file without any support for NSS lookups. Any chance to have Docker support basic Linux features?
Thanks.
Given the activity level on this issue, I’m going to close it as it’s either fixed, a duplicate or not a request anymore. If you think I’m mistaken, feel free to discuss it there 😉
Not sure why this would be closed, this bug is still there. See docker/for-linux#186 and analysis by @mjameswh.