Site icon GetPageSpeed

How do I limit the usage of podman on Rocky Linux 8 to specific users / groups?

Rocky Linux

Rocky Linux

Operating System and Software

  • Rocky Linux 8
  • podman

Problem

  • We would like to limit the users/groups who are able to use podman.

How to Fix

To limit which users can use podman commands, change the ownership and permissions for the podman binary.
First, verify the permissions and ownership on the podman binary, by default it will be set like the following:
[root@ate ~]# ls -l /usr/bin/podman
-rwxr-xr-x. 1 root root 47759952 Apr 7 04:38 /usr/bin/podman

Next, create a group you wish to manage your podman users with:
[root@ate ~]# groupadd podmanadmin
[root@ate ~]# cat /etc/group|grep podmanadmin
podmanadmin:x:1008:

Add your podman users to that group:
[root@ate ~]# usermod -G 1008 testuser
[root@ate ~]# cat /etc/group|grep podmanadmin
podmanadmin:x:1008:testuser

Now change group ownership of the podman binary to your newly created group:
[root@ate ~]# chown root:podmanusers /usr/bin/podman
[root@ate ~]# chmod 0754 /usr/bin/podman

Test with a user that is not in that group vs a user that is a member of the group:
[root@ate ~]# ssh testuser@localhost
[testuser@ate ~]$ podman ps
-bash: /usr/bin/podman: Permission denied
[testuser@ate ~]$ exit
[root@ate ~]# ssh podmanadmin@localhost
podmanadmin@localhost's password:
[podmanadmin@ate ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

Origin of the Problem

To restrict podman commands to certain users, removing their entries in `/etc/subuid` and `/etc/subgid` will not be sufficient, instead, change the permissions on the podman binary.

Exit mobile version