mirror of https://github.com/opencontainers/runc.git synced 2025-08-01 05:06:52 +03:00
runc/script/setup_rootless.sh
Kir Kolyshkin 87ae2f8466 Unify and fix rootless key setup
For some reason, ssh-keygen is unable to write to /root even as root on
AlmaLinux 8:

	# id
	uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
	# id -Z
	ls -ld /root
	# ssh-keygen -t ecdsa -N "" -f /root/rootless.key || cat /var/log/audit/audit.log
	Saving key "/root/rootless.key" failed: Permission denied

The audit.log shows:

> type=AVC msg=audit(1744834995.352:546): avc:  denied  { dac_override } for  pid=13471 comm="ssh-keygen" capability=1  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0
> type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641c7587520 a2=241 a3=180 items=0 ppid=4978 pid=13471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)␝ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

A workaround is to use /root/.ssh directory instead of just /root.

While at it, let's unify rootless user and key setup into a single place.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-17 16:16:31 -07:00

16 lines
626 B
Bash
Executable File

#!/bin/bash
set -eux -o pipefail
# Add a user for rootless tests.
sudo useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
# Allow both the current user and rootless itself to use
# ssh rootless@localhost in tests/rootless.sh.
# shellcheck disable=SC2174 # Silence "-m only applies to the deepest directory".
mkdir -p -m 0700 "$HOME/.ssh"
ssh-keygen -t ecdsa -N "" -f "$HOME/.ssh/rootless.key"
sudo mkdir -p -m 0700 /home/rootless/.ssh
sudo cp "$HOME/.ssh/rootless.key" /home/rootless/.ssh/id_ecdsa
sudo cp "$HOME/.ssh/rootless.key.pub" /home/rootless/.ssh/authorized_keys
# Use the colon separator; the dot form is deprecated in GNU coreutils.
sudo chown -R rootless:rootless /home/rootless
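The denial quoted in the commit message is worth being able to read and reproduce. The kernel only consults CAP_DAC_OVERRIDE when the plain DAC mode bits refuse the access, so a root process confined to ssh_keygen_t fails when the target directory has no owner write bit (on RHEL-family systems /root is typically mode 0550; that is an assumption here, since the commit message does not show its `ls -ld /root` output), while a 0700 ~/.ssh needs no capability at all. The script below is an added example, not runc's code or the commit author's: it decodes AVC records from a constructed audit log excerpt (the AVC line is the one from the commit message, the SYSCALL line is shortened) and checks directories for the missing owner write bit. It assumes GNU coreutils `stat` and a bash or dash shell.

```shell
#!/bin/bash
# Added example, not part of runc: decode AVC denials and spot directories
# where even root needs CAP_DAC_OVERRIDE to create files.
set -eu

# Constructed sample audit.log content: the AVC record from the commit message
# plus a (shortened) SYSCALL record that avc_summary must ignore.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1744834995.352:546): arch=c000003e syscall=257 success=no exit=-13 comm="ssh-keygen"
type=AVC msg=audit(1744834995.352:546): avc:  denied  { dac_override } for  pid=13471 comm="ssh-keygen" capability=1  scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:system_r:ssh_keygen_t:s0 tclass=capability permissive=0'

# field LINE SED_PATTERN: print the first capture group of PATTERN, or nothing.
field() {
    printf '%s\n' "$1" | sed -n "s/$2/\\1/p"
}

# avc_summary: read audit records on stdin and print one line per AVC denial:
#   <comm> <first denied permission> <tclass> <scontext>
# Only the first permission inside "{ ... }" is reported; multi-permission
# denials such as "{ read write }" would need a loop over the brace contents.
avc_summary() {
    local line comm perm tclass scontext
    while IFS= read -r line; do
        case "$line" in
            *'type=AVC '*'avc:  denied '*) ;;
            *) continue ;;
        esac
        comm=$(field "$line" '.* comm="\([^"]*\)".*')
        perm=$(field "$line" '.*denied  *{ *\([^ }]*\).*')
        tclass=$(field "$line" '.* tclass=\([^ ]*\).*')
        scontext=$(field "$line" '.* scontext=\([^ ]*\).*')
        printf '%s %s %s %s\n' "$comm" "$perm" "$tclass" "$scontext"
    done
}

# owner_lacks_write DIR: succeed (exit 0) when the owner write bit is clear.
# In that case the kernel falls back to a CAP_DAC_OVERRIDE check for root,
# which SELinux denies for ssh_keygen_t; with the bit set no capability is used.
owner_lacks_write() {
    local perms
    perms=$(stat -c '%A' "$1")      # e.g. dr-xr-x--- (GNU coreutils stat)
    case "$perms" in
        ??w*) return 1 ;;           # owner may write: no CAP_DAC_OVERRIDE needed
        *)    return 0 ;;           # owner may not write: root needs CAP_DAC_OVERRIDE
    esac
}

# Demo: decode the sample log, then model the assumed /root (0550) and
# /root/.ssh (0700) layout in a scratch directory.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
scratch=$(mktemp -d)
mkdir "$scratch/root" "$scratch/root/.ssh"
chmod 0550 "$scratch/root"
chmod 0700 "$scratch/root/.ssh"
for d in "$scratch/root" "$scratch/root/.ssh"; do
    if owner_lacks_write "$d"; then
        echo "$d: owner write bit clear, root would need CAP_DAC_OVERRIDE"
    else
        echo "$d: owner write bit set, no capability check"
    fi
done
chmod 0700 "$scratch/root"
rm -rf "$scratch"
```

Run it against a real /var/log/audit/audit.log with `avc_summary < /var/log/audit/audit.log` to list every denial with its source domain; the `owner_lacks_write` check is the quick way to confirm, before touching SELinux policy, that writing under ~/.ssh instead of the home directory itself sidesteps the capability check the same way the commit does.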