devices/fs: fix set_creds not switching credentials when CAP_SET{U,G}ID is available #668
Draft
nikromen wants to merge 1 commit into containers:main from
…ID is available

When the VMM process runs as non-root but retains CAP_SETUID/CAP_SETGID (e.g. in a user namespace with --userns=keep-id), set_creds() skipped the credential switch for uid/gid 0 because the `uid == 0` check came before the capability check. This caused all guest root file operations to execute with the VMM's actual uid/gid, leading to EPERM on writes to root-owned directories.

Reorder the conditions so that when we have the capability to switch credentials, we always do so... including for uid/gid 0.
jakecorrenti (Member) reviewed on May 7, 2026 and left a comment:
Please make sure that you sign your commits. You can fix it by doing `git commit --amend -s`
When the VMM process runs as non-root but retains CAP_SETUID/CAP_SETGID (e.g. in a user namespace with --userns=keep-id), set_creds() skipped the credential switch for uid/gid 0 because the `uid == 0` check came before the capability check. This caused all guest root file operations to execute with the VMM's actual uid/gid, leading to EPERM on writes to root-owned directories.

Reorder the conditions so that when we have the capability to switch credentials, we always do so... including for uid/gid 0.
Reproducer (on fedora-43 x86):

```
podman run --rm --privileged --runtime krun --userns=keep-id fedora:latest dnf install -y htop
```

Fails with "Cannot open log file: (13) - Permission denied [/var/log/dnf5.log]". Any guest root file operation returns EPERM.
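
An added illustration, not part of the pull request and not libkrun's code: a simplified Rust model of the condition ordering described above, showing which uid a guest file operation ends up running as before and after the reorder. The function names, the constructed `/proc` status text and the VMM uid of 1000 are assumptions made for the example.

```rust
// Simplified model of the ordering bug; names and sample data are hypothetical.
const CAP_SETGID: u32 = 6; // bit numbers from linux/capability.h
const CAP_SETUID: u32 = 7;

/// Extract the effective capability mask from /proc/<pid>/status text.
fn parse_cap_eff(status: &str) -> Option<u64> {
    status
        .lines()
        .find_map(|l| l.strip_prefix("CapEff:"))
        .and_then(|hex| u64::from_str_radix(hex.trim(), 16).ok())
}

/// True only when both CAP_SETUID and CAP_SETGID are in the effective set.
fn can_switch(cap_eff: u64) -> bool {
    let need = (1u64 << CAP_SETUID) | (1u64 << CAP_SETGID);
    cap_eff & need == need
}

/// Ordering described as buggy: the `uid == 0` shortcut is evaluated before
/// the capability check, so a request for uid 0 never triggers a switch.
fn fs_uid_before(req_uid: u32, vmm_uid: u32, cap_eff: u64) -> u32 {
    if req_uid == 0 {
        vmm_uid
    } else if can_switch(cap_eff) {
        req_uid
    } else {
        vmm_uid
    }
}

/// Reordered: the capability check comes first, so uid 0 is switched to as well.
fn fs_uid_after(req_uid: u32, vmm_uid: u32, cap_eff: u64) -> u32 {
    if can_switch(cap_eff) { req_uid } else { vmm_uid }
}

fn main() {
    // Constructed sample: non-root VMM (uid 1000) retaining CAP_SETUID/CAP_SETGID.
    let status = "Name:\tvmm\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t00000000000000c0\n";
    let caps = parse_cap_eff(status).expect("CapEff line present");
    for req in [0u32, 1001] {
        println!(
            "guest uid {}: runs as {} before, {} after",
            req,
            fs_uid_before(req, 1000, caps),
            fs_uid_after(req, 1000, caps)
        );
    }
}
```

In the model, a guest-root request under the old ordering runs as uid 1000, which is the condition that produces the permission error on root-owned paths in the reproducer.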