
Allow run app non-root in container

December 12, 2024 — BarryK

Applications in containers run as "crippled root". However, I would like to have the extra security of running some of them as their own user. Well, crippled-root is already pretty secure, but running an app non-root ups the ante a bit more.

I posted yesterday about a new menu entry to install Opera web browser:

On the main desktop, Opera will run as user "opera".

In the "scarthgap" or "daedalus" containers, there is also the menu entry "Download latest Opera"; however, opera will be run as crippled-root. I have now allowed it to run as user "opera" in the container, see github commit:

https://github.com/bkauler/woofq/commit/dfd89765822d6af3e2a08219bdefe64413eae892

It does require the "--no-sandbox" command-line option, as opera cannot create a sandbox. Ditto for other chrome-based apps. This is because it is running inside a secure environment, the container, which is itself a sandbox. There is no need to have a sandbox inside a sandbox.

Running apps as their own user is still useful in a container, as it isolates the apps from each other. For example, opera has a private folder, /files/apps/opera, that other apps running non-root cannot even see into.   
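One way to check that isolation from inside the container, as an added example that is not part of the original post or of woofq. It assumes each folder under /files/apps is named after the user that owns it and that "private" means no group or other permission bits; the function names `check_private` and `audit_apps` are hypothetical.

```shell
#!/bin/sh
# Added example: audit that per-app folders are private to their own user.
# Assumption: "private" = owned by the app's user, no group/other permission bits.

# check_private DIR OWNER -> 0 if private, 1 if exposed, 2 if DIR is missing
check_private() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "MISSING  $dir"; return 2; }
    # -prune makes find test only DIR itself, never its contents
    if [ -z "$(find "$dir" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "OWNER    $dir is not owned by $owner"; return 1
    fi
    # POSIX find has no "any of these bits" test, so each bit is listed
    open=$(find "$dir" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
               -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)
    if [ -n "$open" ]; then
        echo "EXPOSED  $dir grants access to group or other"; return 1
    fi
    echo "PRIVATE  $dir"
}

# audit_apps ROOT -> 0 only if every ROOT/<name> is private to user <name>
audit_apps() {
    root=$1; bad=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        check_private "$d" "${d##*/}" || bad=1
    done
    return "$bad"
}

# Stand-alone use: sh audit.sh /files/apps
if [ "$#" -eq 1 ]; then audit_apps "$1"; fi
```

A folder reported as EXPOSED or OWNER is one that another non-root app could read or that is not owned by the user it is named after.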

Tags: easy