
How do I limit the usage of podman on Rocky Linux 8 to specific users / groups?




Operating System and Software

  • Rocky Linux 8
  • podman

Problem

  • We would like to limit the users/groups who are able to use podman.

How to Fix

To limit which users can run podman, change the group ownership and the permissions of the podman binary.
First, check the current permissions and ownership of the binary; on a fresh install they look like this:
[root@ate ~]# ls -l /usr/bin/podman
-rwxr-xr-x. 1 root root 47759952 Apr 7 04:38 /usr/bin/podman

Next, create the group that will manage your podman users:
[root@ate ~]# groupadd podmanadmin
[root@ate ~]# getent group podmanadmin
podmanadmin:x:1008:

Add your podman users to that group. Use -aG (append) rather than -G alone, otherwise usermod replaces the user's existing supplementary groups. This example adds the account podmanadmin, which the test below logs in as:
[root@ate ~]# usermod -aG podmanadmin podmanadmin
[root@ate ~]# getent group podmanadmin
podmanadmin:x:1008:podmanadmin

Now change the group ownership of the podman binary to your newly created group and remove execute permission for everyone else (mode 0754: rwx for root, r-x for the group, nothing for others). Keep in mind that an upgrade of the podman package restores the packaged ownership and mode, so repeat this step after updates; `rpm -V podman` will report the file as modified while the restriction is in place.
[root@ate ~]# chown root:podmanadmin /usr/bin/podman
[root@ate ~]# chmod 0754 /usr/bin/podman

Test with a user that is not in the group (testuser) and with one that is a member (podmanadmin):
[root@ate ~]# ssh testuser@localhost
[testuser@ate ~]$ podman ps
-bash: /usr/bin/podman: Permission denied
[testuser@ate ~]$ exit
[root@ate ~]# ssh podmanadmin@localhost
podmanadmin@localhost's password:
[podmanadmin@ate ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
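The steps above as one script, added here as an example rather than taken from the original post. It assumes it runs as root on Rocky Linux 8 with GNU coreutils, that the group name and the user accounts are passed as arguments (any names are fine; none are taken from the page), and that the binary path can be overridden through the PODMAN_BIN environment variable. The verify function is the part worth keeping around: run it after each podman package update, since RPM resets the file's ownership and mode to the package defaults.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the
# "group-owned podman binary" restriction described above.
# Assumptions: run as root on Rocky Linux 8 with GNU coreutils; group
# name and user list are hypothetical arguments, not values from the page.
set -eu

PODMAN_BIN=${PODMAN_BIN:-/usr/bin/podman}

# ensure_group GROUP: create GROUP only if it does not exist yet
ensure_group() {
    getent group "$1" >/dev/null 2>&1 || groupadd "$1"
}

# add_members GROUP USER...: append each user to GROUP; -a keeps the
# user's other supplementary groups (plain -G would replace them)
add_members() {
    grp=$1; shift
    for u in "$@"; do
        usermod -aG "$grp" "$u"
    done
}

# restrict_binary BIN GROUP: root owns BIN, GROUP may execute it,
# everyone else gets no access (mode 0754)
restrict_binary() {
    chown "root:$2" "$1"
    chmod 0754 "$1"
}

# verify_restricted BIN GROUP [OWNER]: succeed only if BIN has mode
# 0754, is owned by OWNER (default root) and belongs to GROUP.
# stat prints the mode without the leading zero, hence "754".
verify_restricted() {
    bin=$1; grp=$2; want_owner=${3:-root}
    mode=$(stat -c '%a' "$bin")
    owner=$(stat -c '%U' "$bin")
    group=$(stat -c '%G' "$bin")
    [ "$mode" = "754" ] && [ "$owner" = "$want_owner" ] && [ "$group" = "$grp" ]
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 GROUP [USER...]" >&2; exit 2; }
    grp=$1; shift
    ensure_group "$grp"
    [ $# -eq 0 ] || add_members "$grp" "$@"
    restrict_binary "$PODMAN_BIN" "$grp"
    if verify_restricted "$PODMAN_BIN" "$grp"; then
        echo "$PODMAN_BIN is executable only by root and members of $grp"
    else
        echo "restriction is not in place on $PODMAN_BIN" >&2
        exit 1
    fi
}

# Run the procedure only when invoked as restrict-podman.sh (a hypothetical
# file name), so the functions can be sourced elsewhere without side effects
case "${0##*/}" in
    restrict-podman.sh) main "$@" ;;
esac
```

Invoke it as `restrict-podman.sh podmanadmin alice bob` to create the group, add the two accounts and lock down the binary in one go; `verify_restricted /usr/bin/podman podmanadmin` on its own is a cheap post-update check to put in a cron job or a configuration-management run.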

Origin of the Problem

Removing a user's entries from `/etc/subuid` and `/etc/subgid` is not enough to keep that user from running podman; the effective restriction is the permission change on the podman binary described above.
