User should can run su-exec as self #10

Open
hason opened this issue Nov 8, 2016 · 7 comments

hason commented Nov 8, 2016

Confused behaviour:

$ id -u -n
user
$ su-exec user ls
su-exec: setgroups: Operation not permitted

dbjpanda commented Nov 4, 2018

Can this behaviour be achieved by su-exec?

$ whoami
deploy
$ ls -al /sbin/su-exec 
-rwxr-xr-x    1 deploy   deploy        9936 May  1  2018 /sbin/su-exec
$ composer.phar -V
Composer version 1.7.3 2018-11-01 10:05:06
$ su-exec deploy composer.phar -V
su-exec: setgroups: Operation not permitted
 


dbjpanda commented Nov 4, 2018

@hason Did you find any workaround for this type of case?

Contributor

tianon commented Nov 4, 2018 via email


bchallenor commented Nov 4, 2018

Not the OP but my use case is this: I would like to use a docker image (provided by a third party) that uses su-exec to switch to a user dynamically specified in an environment variable. This works nicely - unless you happen to want to not change user at all.

It seems to me that by detecting this case and permitting it (by doing nothing), su-exec would be eliminating an edge case and allowing itself to be used in more situations.


dbjpanda commented Nov 5, 2018

> What is it you're hoping "su-exec" will do in this condition? You seem to want to switch from the user you are to ... the user you are (which is kind of a strange ask).

@tianon Exactly this is the case. I am trying to su-exec from the user deploy to user deploy.

Here is my case.
I run su-exec deploy composer.phar install. composer.phar calls a shell script, i.e. post-install.sh, after it completes installing all the PHP dependencies. Within the post_install.sh there is one line: composer.phar install something_else. So here I get the error, that is: su-exec: setgroups: Operation not permitted

Owner

ncopa commented Nov 5, 2018

so basically, check if you are trying to switch to current user, and do nothing in that case?

Something like:

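#!/bin/sh

# su-exec-wrapper.sh
# Usage: su-exec-wrapper.sh USER COMMAND [ARGS...]

user=$1
shift

if [ "$user" != "$(whoami)" ]; then
    # Different user: let su-exec switch to it (this requires root)
    su-exec "$user" "$@"
else
    # Already running as the requested user: run the command directly
    "$@"
fi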

Contributor

tianon commented Nov 5, 2018

Indeed, a pattern similar to that is very common in the official images, although we typically check for id -u being 0 (since being root is the only case where we can step-down) -- to use a different user from the one the image was designed for, we usually recommend Docker's built-in --user functionality (which is more secure anyhow).

See also docker-library/rabbitmq#60, docker-library/cassandra#48, docker-library/mongo#81, redis/docker-library-redis#48, docker-library/mysql#161, MariaDB/mariadb-docker#59, docker-library/percona#21, docker-library/ghost#54, docker-library/postgres#253, docker-library/redmine#136.
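
The pattern discussed in this thread (step down with su-exec only when running as root, run the command directly when already the requested user), written out as an added example that is not part of the issue or of su-exec itself. `RUN_AS_USER` and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: entrypoint helper. RUN_AS_USER is a hypothetical variable
# name, holding a su-exec style spec: "name", "uid" or "user:group".

# Print the numeric uid for a spec; prints nothing if the name is unknown.
target_uid() {
    user=${1%%:*}                                   # drop an optional :group part
    case "$user" in
        ''|*[!0-9]*) id -u "$user" 2>/dev/null ;;   # name: look it up
        *)           printf '%s\n' "$user" ;;       # already numeric
    esac
}

# Decide what to do. $1 = current uid, $2 = target spec.
# Prints "stepdown", "direct" or "refuse".
decide_action() {
    if [ "$1" -eq 0 ]; then
        echo stepdown     # root: setgroups/setgid/setuid are permitted
    elif [ "$(target_uid "$2")" = "$1" ]; then
        echo direct       # already that uid: nothing to switch
    else
        echo refuse       # non-root cannot become another user
    fi
}

run_as() {
    spec=$1; shift
    case "$(decide_action "$(id -u)" "$spec")" in
        stepdown) exec su-exec "$spec" "$@" ;;
        # Only the uid was compared: any :group in the spec and the
        # supplementary groups stay as the process already has them.
        direct)   exec "$@" ;;
        *)        echo "cannot switch to '$spec' from uid $(id -u)" >&2
                  exit 1 ;;
    esac
}

# Act only when the variable is set, so the file can also be sourced.
if [ -n "${RUN_AS_USER:-}" ]; then
    run_as "$RUN_AS_USER" "$@"
fi
```

Refusing instead of silently running as the wrong user keeps a misconfigured `RUN_AS_USER` from going unnoticed.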
