Operating System and Software
- Rocky Linux 8
- podman
Problem
- We would like to limit the users/groups who are able to use podman.
How to Fix
To limit which users can run podman commands, change the group ownership and permissions of the podman binary so that only members of a chosen group have execute access.
First, verify the permissions and ownership of the podman binary. By default it is executable by everyone:
[root@ate ~]# ls -l /usr/bin/podman
-rwxr-xr-x. 1 root root 47759952 Apr 7 04:38 /usr/bin/podman
Next, create the group you will use to manage your podman users:
[root@ate ~]# groupadd podmanadmin
[root@ate ~]# getent group podmanadmin
podmanadmin:x:1008:
Add your podman users to that group. Use -aG (append): plain -G replaces the user's entire list of supplementary groups, which would silently remove the user from groups such as wheel:
[root@ate ~]# usermod -aG podmanadmin testuser
[root@ate ~]# getent group podmanadmin
podmanadmin:x:1008:testuser
Now change the group ownership of the podman binary to the newly created group and remove execute (and read) permission for everyone else. Mode 0754 keeps root as the owner with full access, gives the group read and execute, and leaves others with read only:
[root@ate ~]# chown root:podmanadmin /usr/bin/podman
[root@ate ~]# chmod 0754 /usr/bin/podman
Test with a user that is not in the group against one that is. In the transcript below, podmanadmin is an ordinary user account that is not a member of the podmanadmin group, while testuser was added to the group above. Group membership only applies to new logins, so any session that was open before the usermod call must log in again:
[root@ate ~]# ssh podmanadmin@localhost
podmanadmin@localhost's password:
[podmanadmin@ate ~]$ podman ps
-bash: /usr/bin/podman: Permission denied
[podmanadmin@ate ~]$ exit
[root@ate ~]# ssh testuser@localhost
[testuser@ate ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Origin of the Problem
Removing a user's entries from `/etc/subuid` and `/etc/subgid` is not sufficient to keep that user from running podman: rootless podman can still run containers that map only the user's own UID, so the user keeps working access to the command. Restricting execute permission on the binary is the direct control. Two caveats apply: a package update reinstalls `/usr/bin/podman` with its shipped 0755 mode, so re-apply the chown/chmod after every podman update (`rpm -V podman` reports the drift as an `M` in the mode column until you do), and the permission change only covers this one binary, so it does not stop a user from running a copy of podman or another container runtime they bring themselves.