s6 container - run as user #425

Draft
wants to merge 4 commits into
base: master
@paspo (Contributor) commented Jun 18, 2024

ref. #424

Running hbbs and hbbr as a simple user is indeed a good idea.

We can do this in 2 ways:
1. run s6 as root and run the services as a normal user
2. run the whole container as an unprivileged user

The advantage of the first solution is that we can define 2 ENV variables (PGID and PUID) and define user and group ID to use to run the binaries, the downside is that the s6 part of the container is still running as root.

```
/data # ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
   17 root      0:00 s6-supervise s6-linux-init-shutdownd
   18 root      0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -d3 -c /run/s6/basedir -g 3000 -C -B
   26 root      0:00 s6-supervise s6rc-oneshot-runner
   27 root      0:00 s6-supervise s6rc-fdholder
   28 root      0:00 s6-supervise hbbr
   29 root      0:00 s6-supervise hbbs
   35 root      0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /package/admin/s6/command/s6-sudod -t 30000 -- /package/admin/s6-rc/command/s6-rc-one
   67 rustdesk  0:00 /usr/bin/hbbr
   72 rustdesk  0:00 /usr/bin/hbbs -r relay.example.com
  118 root      0:00 sh
  124 root      0:00 ps aux
```

The advantage of the second solution is obvious: everything is run with user privileges.

```
~ $ ps aux
PID   USER     TIME  COMMAND
    1 rustdesk  0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
   21 rustdesk  0:00 s6-supervise s6-linux-init-shutdownd
   23 rustdesk  0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -d3 -c /run/s6/basedir -g 3000 -C -B
   30 rustdesk  0:00 s6-supervise s6rc-oneshot-runner
   31 rustdesk  0:00 s6-supervise s6rc-fdholder
   32 rustdesk  0:00 s6-supervise hbbr
   33 rustdesk  0:00 s6-supervise hbbs
   39 rustdesk  0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /package/admin/s6/command/s6-sudod -t 30000 -- /package/admin/s6-rc/command/s6-rc-one
   63 rustdesk  0:00 sh ./run hbbr
   69 rustdesk  0:00 sh ./run hbbs
   73 rustdesk  0:00 /usr/bin/hbbr
  105 rustdesk  0:00 /usr/bin/hbbs -r relay.example.com
  121 rustdesk  0:00 sh
 1163 rustdesk  0:00 ps aux
~ $ whoami
rustdesk
```

@rustdesk, your opinion?
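
Added example, not part of the pull request or of the comment above: a small check that tells the two layouts apart from a BusyBox `ps aux` listing, so a deployment can confirm which privilege model a running container actually has. The function name `classify_ps`, the sample helpers and the container placeholder are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify a BusyBox `ps aux` listing (PID USER TIME COMMAND)
# from the container. Live use (container name is a placeholder):
#   docker exec <container> ps aux | classify_ps
# Output is one of:
#   rootless        PID 1 and hbbs/hbbr all run as a non-root user
#   privilege-drop  PID 1 (s6-svscan) is root, hbbs/hbbr are not
#   root-services   hbbs or hbbr itself runs as root
#   unknown         neither hbbs nor hbbr appears in the listing
classify_ps() {
    awk '
        $1 == "PID" || NF < 4 { next }        # header or short line
        {
            n = split($4, path, "/")           # basename of the executable
            if ($1 == 1) init_user = $2
            if (path[n] == "hbbs" || path[n] == "hbbr") {
                svc++
                if ($2 == "root") svc_root++
            }
        }
        END {
            if (svc == 0)                 print "unknown"
            else if (svc_root > 0)        print "root-services"
            else if (init_user == "root") print "privilege-drop"
            else                          print "rootless"
        }'
}

# Constructed samples, abbreviated from the two listings in the comment above.
sample_root_supervisor() {
    cat <<'EOF'
PID   USER     TIME  COMMAND
    1 root      0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
   28 root      0:00 s6-supervise hbbr
   67 rustdesk  0:00 /usr/bin/hbbr
   72 rustdesk  0:00 /usr/bin/hbbs -r relay.example.com
EOF
}
sample_rootless() {
    cat <<'EOF'
PID   USER     TIME  COMMAND
    1 rustdesk  0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
   63 rustdesk  0:00 sh ./run hbbr
   73 rustdesk  0:00 /usr/bin/hbbr
  105 rustdesk  0:00 /usr/bin/hbbs -r relay.example.com
EOF
}

echo "root supervisor: $(sample_root_supervisor | classify_ps)"
echo "rootless:        $(sample_rootless | classify_ps)"
```

The check keys on the owner of PID 1 rather than on any root-owned process, so an interactive `sh` opened as root for debugging does not change the result.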
