How to give a user full root privileges
In EasyOS, you run as the administrator, also known as "root", with the ability to run network-facing apps as non-root, or in containers as "crippled root" or user "spot".
Some apps will object to being run as root, putting up a warning message, or requiring a special commandline parameter, or even refusing to run. They will even do this in a container, as they just check that UID == 0 and are not aware that it is a "crippled root" environment.
VLC media player is the only app I know of that tries to detect if running in a container and if so will allow running as root. I say "tries" because it only detects two or three mainstream containers; I recall Docker was one of them. Unfortunately, it does not know about EasyContainers, so it aborts -- we have to patch VLC to not abort when run as root.
For some time I have had in the back of my mind to run non-root in EasyOS, non-root with full root privileges. This can be done with Linux Capabilities; though this only became feasible with the 4.3 kernel, which introduced "ambient capabilities".
I had in mind to use user "zeus" for this. User zeus is already in EasyOS, and has the same password as root -- which is the same password you enter at bootup to unencrypt the encrypted folders. Zeus is a god from Greek mythology, the sender of thunder, lightning, rain and winds. An apt name for a user with super-user capabilities!
My thinking on exactly how to elevate user zeus to administrator privileges was a little murky, and I would like to thank JP Sugarbread who clarified it for me:
This is also a useful reference:
https://man7.org/linux/man-pages/man3/cap_from_text.3.html
I have a file 'testfile' owner:group is "root:root" and permissions are "600" -- meaning that only the root user can read it. User zeus cannot:
# su zeus -c "cat testfile"
cat: testfile: Permission denied
However, we can use the 'capsh' utility to change to user zeus, yet keep root privileges, as confirmed by this, which prints capabilities after changing to user zeus:
# capsh --keep=1 --user=zeus --inh=all --addamb=all == --print
...lots of stuff printed
To confirm that it has really changed to user zeus:
# capsh --keep=1 --user=zeus --inh=all --addamb=all -- -c whoami
zeus
And has a new UID:
# capsh --keep=1 --user=zeus --inh=all --addamb=all -- -c id
uid=100(zeus) gid=109(zeus) groups=109(zeus),109(zeus),121(rtkit)
Now for the big test:
# capsh --keep=1 --user=zeus --inh=all --addamb=all -- -c "cat testfile"
this is a root:root file with 600 perms.
...yay!
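An added example, not from the original post: a Python check that reads the capability masks the kernel exposes in /proc/<pid>/status and flags a process that, like zeus under capsh above, has a non-root UID yet holds capabilities. The sample status text is constructed (the mask width assumes a kernel with 41 capabilities), and the function names are this example's own.

```python
import re

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed samples in /proc/<pid>/status format (not captured from a real system).
# Mask 0x1ffffffffff assumes a kernel that defines 41 capabilities.
VIA_CAPSH = """Name:\tcat
Uid:\t100\t100\t100\t100
CapInh:\t000001ffffffffff
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t000001ffffffffff
"""
VIA_SU = """Name:\tcat
Uid:\t100\t100\t100\t100
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

def parse_status(text):
    """Extract the effective UID and the five capability masks."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", text, re.M))
    # Uid line order is: real, effective, saved, filesystem.
    proc = {"name": fields["Name"], "euid": int(fields["Uid"].split()[1])}
    proc.update({k: int(fields[k], 16) for k in CAP_FIELDS})
    return proc

def audit(text):
    """Return findings for a process whose UID understates its privileges."""
    p = parse_status(text)
    findings = []
    if p["euid"] != 0 and p["CapEff"]:
        findings.append("non-root UID with effective capabilities")
    if p["CapAmb"]:
        findings.append("ambient set non-empty: capabilities survive execve")
    if p["euid"] != 0 and p["CapEff"] and p["CapEff"] == p["CapBnd"]:
        findings.append("holds every capability the bounding set allows")
    # Kernel invariant: ambient is a subset of permitted AND inheritable.
    if p["CapAmb"] & ~(p["CapPrm"] & p["CapInh"]):
        findings.append("inconsistent masks: ambient outside permitted/inheritable")
    return findings

if __name__ == "__main__":
    for label, sample in (("capsh", VIA_CAPSH), ("su", VIA_SU)):
        print(label, audit(sample) or "no findings")
```

Any audit or script that decides privilege from UID == 0 alone treats both samples the same; the capability masks are what tell them apart.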
My intention is that capsh will be run in the initrd, when performing the 'switch_root' onto the layered filesystem. There may be some side-effects; to use a military term, there may be "collateral damage". Some scripts test if running as root, and make a decision based on that, so may need to be fixed.
Thinking what other problems might arise... encrypted folders are accessed on a per-user basis, set up for root in the initrd. zeus will likely need to have home folder set to /root. Probably more problems will be found.
Due to some weirdness that might occur, I intended to release the last EasyOS running as root, then no releases for a while as I (hopefully) get running as zeus fully functional. That was going to be version 4.4.1, but then 4.4.2 got released, then there were a couple of fixes, so will have to bring out 4.4.3.
So will probably release 4.4.3 tomorrow, then nothing for a while.