Easy Containers run as user zeus
October 09, 2018 —
BarryK
In Easy, containers are run as "crippled root", which does seem pretty secure. However, for the paranoid, there is now a checkbox to run as user 'zeus' in a container.
Yesterday I speculated how to drop down to root in a container:
http://bkhome.org/news/201810/kernel-41474-enabled-user-namespaces.html
However, I ended up doing it like this:
# pflask --mount=bind:/mnt/sdc2/home/shared:/shared-folder --keepenv --mount=bind:/tmp/.X11-unix/X0:/tmp/.X11-unix/X0 \
  --no-ipcns --netif --mount=bind:/dev/snd:/dev/snd --caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,\
  -sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,-net_admin,-mknod,-sys_module,\
  -sys_nice,-sys_resource --no-userns --chroot=/mnt/sdc2/containers/sh0/container -- su zeus /ec-run sh0 sakura

This is an example invocation. The "su zeus" is executed after the chroot.
There are some issues to sort out. The above example, running the 'sakura' terminal emulator, works; however, some other apps don't. For example, I can launch 'audacious' (music player) from the sakura terminal in the container, but trying to run it directly, I get an error message "Required key not available". Even running audacious from sakura, there are warning messages, as it is trying to write to /root/.config -- so, things to sort out.
EDIT 2018-10-09
Ah, the "Required key not available" error was because I tried to run as user zeus in an already-existing audacious container. The 'user zeus' checkbox has to be ticked when first creating the container.
Now, audacious runs, but no sound -- so there are still issues! -- my guess would be /dev/snd permissions -- it is a slippery slope when we get into running non-root.
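The "no sound" guess above can be checked rather than guessed. The script below is an added example, not code from the original post or from EasyOS: it looks at the owner, group and mode bits of every device node under a bind-mounted directory (such as /dev/snd) and reports which nodes a given uid, with a given list of gids, cannot open for read and write. It assumes GNU or busybox stat (-c) is available, and it deliberately ignores capabilities: the pflask line above drops dac_override, so even before the "su zeus" the container's root cannot bypass these bits, and after it the zeus user certainly cannot.

```shell
#!/bin/sh
# Added example (not from the original post): which nodes under a bind-mounted
# device directory can a non-root container user actually read and write?
# Assumes: stat -c (GNU/busybox coreutils); no capability bypass (CAP_DAC_OVERRIDE
# is dropped in the pflask line, so only the classic owner/group/other bits count).

# node_rw_ok UID "GID GID ..." PATH
# Returns 0 if UID (member of the listed gids) may read and write PATH,
# using the same precedence the kernel uses: owner bits if uid == owner,
# else group bits if any gid == group, else "other" bits.
node_rw_ok() {
    u=$1; glist=$2; p=$3
    info=$(stat -c '%u %g %a' "$p" 2>/dev/null) || return 2
    set -- $info
    owner=$1; group=$2; mode=$((0$3))      # leading 0: octal, as stat prints it
    if [ "$u" = "$owner" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        bits=$(( mode & 7 ))               # default: "other" bits
        for g in $glist; do
            if [ "$g" = "$group" ]; then
                bits=$(( (mode >> 3) & 7 ))
                break
            fi
        done
    fi
    [ $(( bits & 6 )) -eq 6 ]              # need both r (4) and w (2)
}

# blocked_nodes UID "GID GID ..." DIR
# Prints every non-directory node directly under DIR that UID cannot open
# read+write. Subdirectories (e.g. /dev/snd/by-id) are skipped.
blocked_nodes() {
    bu=$1; bg=$2; bdir=$3
    for node in "$bdir"/*; do
        [ -e "$node" ] || continue         # unmatched glob
        [ -d "$node" ] && continue
        node_rw_ok "$bu" "$bg" "$node" || echo "$node"
    done
}

# When run as a script with three arguments, act as a diagnostic, e.g. inside
# the container:  sh devcheck.sh "$(id -u zeus)" "$(id -G zeus)" /dev/snd
if [ $# -eq 3 ]; then
    blocked_nodes "$@"
fi
```

On a typical udev-managed host the ALSA nodes are root:audio with mode 660, so the usual fix this script will point at is adding zeus to the group that owns the nodes inside the container (or bind-mounting /dev/snd with matching ownership), not loosening the mode bits to 666.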
Tags: easy