Skip to content

user: prevent falling back to looking up numeric usernames#221

Merged
kolyshkin merged 2 commits into
moby:mainfrom
thaJeztah:limit_uidgid
Jun 23, 2026
Merged

user: prevent falling back to looking up numeric usernames#221
kolyshkin merged 2 commits into
moby:mainfrom
thaJeztah:limit_uidgid

Conversation

@thaJeztah

@thaJeztah thaJeztah commented May 26, 2026

Copy link
Copy Markdown
Member

@thaJeztah thaJeztah marked this pull request as ready for review May 26, 2026 10:46

@vvoland vvoland left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This only tests the case where gid/uid still falls within int .

If it's larger, it will still resolve to root because it will be treated as an username and still resolved.

So:

9223372036854775808:x:0:0:root:/root:/bin/sh
  • USER 9223372036854775808

Means that the runtime will actually resolve it to root.

This is "correct" behavior, but its confusing to treat a numeric value as an username.

@thaJeztah

Copy link
Copy Markdown
Member Author

@vvoland - trying to see where that codepath would be; testing GetExecUser with 2147483648 (math.MaxInt32 + 1) produces an error; or is it a different codepath you're looking at?

@vvoland

vvoland commented May 26, 2026

Copy link
Copy Markdown
Contributor

On 64 bit strconv.Atoi will handle MaxInt32 + 1 without an error

@thaJeztah thaJeztah changed the title user: add test-cases for maxID (math.MaxInt32) user: prevent falling back to looking up numeric usernames Jun 2, 2026
@thaJeztah thaJeztah requested a review from vvoland June 2, 2026 13:24
@vvoland

vvoland commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Do we need the same for GetAdditionalGroups?

@thaJeztah

Copy link
Copy Markdown
Member Author

Yeah, makes sense; also updated

As a follow-up, I'm considering cleaning up this code; the logic seems to be much too complicated.

Comment thread user/user.go Outdated
Comment thread user/user.go Outdated
@thaJeztah thaJeztah force-pushed the limit_uidgid branch 3 times, most recently from 2d39888 to a310bf9 Compare June 3, 2026 08:34
@thaJeztah thaJeztah requested review from kolyshkin and vvoland June 3, 2026 08:35
@thaJeztah thaJeztah marked this pull request as draft June 23, 2026 15:39
@thaJeztah thaJeztah mentioned this pull request Jun 23, 2026
Improve handling of numeric user/group to prevent looking up numeric
values as usernames.

This fixes a similar issue as CVE-2026-46680 in containerd.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah marked this pull request as ready for review June 23, 2026 15:50

@kolyshkin kolyshkin left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall; maybe just a slight improvement to the second commit?

Comment thread user/user.go Outdated
@thaJeztah thaJeztah force-pushed the limit_uidgid branch 2 times, most recently from 69522ff to 210a41e Compare June 23, 2026 17:00
Co-authored-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

@kolyshkin kolyshkin left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still lgtm

@kolyshkin kolyshkin merged commit ee79b0e into moby:main Jun 23, 2026
20 checks passed
@thaJeztah thaJeztah deleted the limit_uidgid branch June 23, 2026 19:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants