moby: api.go doesn't respect nsswitch.conf

Due to the implementation of api.go which reads only /etc/group, it is impossible to rely on other auth mechanisms (e.g. LDAP, NIS).

groups, err := ioutil.ReadFile("/etc/group")
if err != nil {
        return err
}
re := regexp.MustCompile("(^|\n)docker:.*?:([0-9]+)")
if gidMatch := re.FindStringSubmatch(string(groups)); gidMatch != nil {
        gid, err := strconv.Atoi(gidMatch[2])
        if err != nil {
                return err
        }
        utils.Debugf("docker group found. gid: %d", gid)
        if err := os.Chown(addr, 0, gid); err != nil {
                return err
        }
}

Instead, the getgrnam syscall should be used to determine whether a docker group exists or not.

The implementation of lookup_unix.go in the user Go package might serve as inspiration on how to do this.
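A sketch of the difference the issue describes, added here as an example and not taken from moby: `staticGID` sees only group-file text, as the quoted code does, while `nssGID` uses Go's `os/user.LookupGroup`. The `diagnose` helper, the function names and the sample file contents are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"os/user"
	"strconv"
	"strings"
)

// staticGID sees only entries in group-file text, so LDAP/NIS groups are invisible to it.
func staticGID(groupFile, name string) (int, bool) {
	for _, line := range strings.Split(groupFile, "\n") {
		f := strings.Split(line, ":") // name:passwd:gid:members
		if len(f) < 3 || f[0] != name {
			continue
		}
		gid, err := strconv.Atoi(f[2])
		return gid, err == nil
	}
	return 0, false
}

// nssGID resolves through os/user: a cgo build on Unix asks libc (and so the
// sources in nsswitch.conf); a CGO_ENABLED=0 build parses /etc/group instead.
func nssGID(name string) (int, error) {
	g, err := user.LookupGroup(name)
	if err != nil {
		return 0, err
	}
	return strconv.Atoi(g.Gid)
}

// diagnose reports where a group is visible; resolve is injectable for testing.
func diagnose(groupFile, name string, resolve func(string) (int, error)) string {
	_, inFile := staticGID(groupFile, name)
	_, err := resolve(name)
	switch {
	case err == nil && !inFile:
		return "nss-only" // the quoted code would skip the Chown here
	case err == nil:
		return "both"
	case inFile:
		return "static-only"
	}
	return "neither"
}

func main() { // constructed sample file without a local docker entry
	fmt.Println("docker:", diagnose("root:x:0:\nwheel:x:10:alice\n", "docker", nssGID))
}
```

A result of `nss-only` on a host is the situation reported here: the group exists for every NSS-aware tool, but a lookup limited to /etc/group never finds it.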

About this issue

  • State: closed
  • Created 11 years ago
  • Reactions: 2
  • Comments: 29 (23 by maintainers)

Most upvoted comments

Any news on this? Group lookup is still done in the statically defined /etc/group file without any support for NSS lookups. Any chance to have Docker support basic Linux features?

Thanks.

Given the activity level on this issue, I’m going to close it as it’s either fixed, a duplicate or not a request anymore. If you think I’m mistaken, feel free to discuss it there 😉

Not sure why this would be closed, this bug is still there. See docker/for-linux#186 and analysis by @mjameswh.