
How to give a user full root privileges

October 22, 2022 — BarryK

In EasyOS, you run as the administrator, also known as "root", with the ability to run network-facing apps as non-root, or in containers as "crippled root" or user "spot".

Some apps will object to being run as root, putting up a warning message, or requiring a special commandline parameter, or even refusing to run. They will even do this in a container, as they just check that UID == 0 and are not aware that it is a "crippled root" environment.

VLC media player is the only app I know of that tries to detect if it is running in a container and, if so, will allow running as root. I say "tries" because it only detects two or three mainstream containers; I recall Docker was one of them. Unfortunately, it does not know about EasyContainers, so aborts -- we have to patch VLC to not abort when run as root.

For some time I have had in the back of my mind to run non-root in EasyOS, non-root with full root privileges. This can be done with Linux Capabilities; though this only became feasible with the 4.3 kernel, which introduced "ambient capabilities".

I had in mind to use user "zeus" for this. User zeus is already in EasyOS, and has the same password as root -- which is the same password you enter at bootup to unencrypt the encrypted folders. Zeus is a god from Greek mythology, the sender of thunder, lightning, rain and winds. An apt name for a user with super-user capabilities!

My thinking on exactly how to elevate user zeus to administrator privileges was a little murky, and I would like to thank JP Sugarbread who clarified it for me:

https://unix.stackexchange.com/questions/196483/how-do-i-use-capsh-i-am-trying-to-run-an-unprivileged-ping-with-minimal-capabi

This is also a useful reference:

https://man7.org/linux/man-pages/man3/cap_from_text.3.html

I have a file 'testfile'; its owner:group is "root:root" and permissions are "600" -- meaning that only the root user can read it. User zeus cannot:

# su zeus -c "cat testfile"
cat: testfile: Permission denied

However, we can use the 'capsh' utility to change to user zeus, yet keep root privileges, as confirmed by this, which prints capabilities after changing to user zeus:

# capsh --keep=1 --user=zeus --inh=all --addamb=all == --print
...lots of stuff printed

To confirm that it has really changed to user zeus:

# capsh --keep=1 --user=zeus --inh=all --addamb=all -- -c whoami
zeus

And has a new UID:

# capsh --keep=1 --user=zeus --inh=all --addamb=all -- -c id
uid=100(zeus) gid=109(zeus) groups=109(zeus),109(zeus),121(rtkit)

Now for the big test:

# capsh --keep=1 --user=zeus --inh=all --addamb=all -- -c "cat testfile"
this is a root:root file with 600 perms.

...yay!

My intention is that capsh will be run in the initrd, when performing the 'switch_root' onto the layered filesystem. There may be some side-effects; to use a military term, there may be "collateral damage". Some scripts test if running as root, and make a decision based on that, so may need to be fixed.
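A script that tests for UID 0 can instead test whether the capability it needs is in the process's effective set, read from the CapEff line of /proc/<pid>/status. The following is an added example, not EasyOS code; the status excerpts are constructed, and the function names are hypothetical:

```shell
#!/bin/sh
# Added example: test for a capability in the effective set instead of UID 0.

# Constructed /proc/<pid>/status excerpts (real files use tabs; awk splits on
# either). First: user zeus started through capsh with all ambient caps.
SAMPLE_ZEUS='Uid: 100 100 100 100
CapInh: 000001ffffffffff
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 000001ffffffffff'
# Second: user zeus started through plain "su zeus", no capabilities held.
SAMPLE_PLAIN='Uid: 100 100 100 100
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# Bit number from <linux/capability.h>.
CAP_DAC_OVERRIDE=1   # bypass file read/write/execute permission checks

# status_field TEXT FIELD: print the first value on the "FIELD:" line.
status_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# mask_has HEXMASK BIT: succeed if that bit is set; fail on an empty mask.
mask_has() {
    [ -n "$1" ] && [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# has_eff_cap TEXT BIT: succeed if the capability is in the effective set.
has_eff_cap() {
    mask_has "$(status_field "$1" CapEff)" "$2"
}

# describe TEXT: report the real UID and whether DAC checks are bypassed.
describe() {
    if has_eff_cap "$1" "$CAP_DAC_OVERRIDE"; then dac=yes; else dac=no; fi
    echo "uid=$(status_field "$1" Uid) dac_override=$dac"
}

describe "$SAMPLE_ZEUS"    # the capsh case from this page
describe "$SAMPLE_PLAIN"   # the "Permission denied" case
# On a live system: describe "$(cat /proc/self/status)"
```

Both samples report uid=100, so a UID test cannot tell them apart; only the CapEff mask shows which process can read the root:root 600 file.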

Thinking what other problems might arise... encrypted folders are accessed on a per-user basis, setup for root in the initrd. zeus will likely need to have home folder set to /root. Probably more problems will be found.

Due to some weirdness that might occur, I intended to release the last EasyOS running as root, then no releases for a while as I (hopefully) get running as zeus fully functional. That was going to be version 4.4.1, but then 4.4.2 got released, then there were a couple of fixes, so will have to bring out 4.4.3.

So will probably release 4.4.3 tomorrow, then nothing for a while.
