live-bootstrap

Make it possible to run without sudo

Open siraben opened this issue 4 years ago • 7 comments

I'm testing on a Docker image running NixOS which does not have sudo installed, but even if I do have it, since /etc/sudoers doesn't exist, sudo fails:

Mounting tmpfs on ./temp
sudo: unable to stat /etc/sudoers: No such file or directory
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
Bootstrapping failed
Unmounting tmpfs from ./temp
sudo: unable to stat /etc/sudoers: No such file or directory
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
Bootstrapping failed
Exception ignored in: <function SysA.__del__ at 0x7fa8a057fca0>
Traceback (most recent call last):
  File "/root/live-bootstrap/sysa.py", line 39, in __del__
    umount(self.tmp_dir)
  File "/root/live-bootstrap/lib/utils.py", line 34, in umount
    run('sudo', 'umount', target, **kwargs)
  File "/root/live-bootstrap/lib/utils.py", line 26, in run
    sys.exit(1)
SystemExit: 1

To reproduce:

$ docker run --rm -it lnl7/nix
bash-4.4# nix-shell -p git sudo
[nix-shell:/]# cd ~ && git clone --recursive https://github.com/fosslinux/live-bootstrap && cd live-bootstrap
[nix-shell:~/live-bootstrap]# nix-shell -I nixpkgs=channel:nixpkgs-unstable -p python3 python38Packages.requests qemu linuxPackages_4_4.kernel --run 'python3 ./rootfs.py --chroot --force_timestamps --tmpdir ./temp'

siraben avatar Jun 01 '21 06:06 siraben

I guess you are root in that Docker image, so you don't need sudo to get root privileges. As far as I found, live-bootstrap doesn't use any options for sudo, so as a workaround for live-bootstrap calling some stuff with sudo, creating a small script named sudo somewhere in PATH (e.g. /bin) should work:

#!/bin/sh
exec "$@"

nimaje avatar Jun 02 '21 07:06 nimaje

@nimaje something that could be done on the live-bootstrap side is that commands are only prefixed with sudo if os.geteuid() != 0

nanonyme avatar Jan 02 '22 20:01 nanonyme

It's quite easy to chroot without sudo using user namespaces on Linux.

andrewchambers avatar May 03 '22 11:05 andrewchambers

That's not really the problem here. This issue is about the fact that root is not necessarily allowed to use sudo in all images, and simply omitting the sudo prefix fixes things.

nanonyme avatar May 03 '22 16:05 nanonyme

And yes, that sudo shim documented above also fixes things. It's not an out-of-the-box solution though.

nanonyme avatar May 03 '22 16:05 nanonyme

A rootless bootstrap mode that makes use of the bwrap utility was merged in https://github.com/fosslinux/live-bootstrap/pull/175.

If user namespaces are supported by your kernel (and bwrap is built with support for user namespaces), it shouldn't require sudo, SUID or any elevated permissions. The root user can use it as well without requiring sudo.

doraskayo avatar May 28 '22 16:05 doraskayo

This is partially fixed by bwrap but I still think this

something that could be done on the live-bootstrap side is that commands are only prefixed with sudo if os.geteuid() != 0

is a good idea

fosslinux avatar May 28 '22 23:05 fosslinux
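
The check proposed in this thread (prefix commands with sudo only if os.geteuid() != 0), written out as an added example; it is not code from the thread or from live-bootstrap. The names privileged_argv, run_privileged and PrivilegeError, and the injectable euid/which parameters, are hypothetical.

```python
import os
import shutil
import subprocess


class PrivilegeError(RuntimeError):
    """Root is required but there is no usable way to obtain it."""


def privileged_argv(argv, euid=None, which=shutil.which):
    """Return argv unchanged when already root, else prefixed with sudo.

    euid and which are injectable so the decision can be tested without
    being root (assumed parameters, not part of live-bootstrap).
    """
    argv = [str(a) for a in argv]
    if not argv:
        raise ValueError("empty command")
    if euid is None:
        euid = os.geteuid()
    if euid == 0:
        # Already root: sudo grants nothing extra, and it fails outright in
        # images that ship no /etc/sudoers (the error shown in this issue).
        return argv
    sudo = which("sudo")
    if sudo is None:
        # Fail with a clear message instead of a confusing exec error.
        raise PrivilegeError(f"{argv[0]!r} needs root and sudo is not in PATH")
    return [sudo, *argv]


def run_privileged(*argv, **kwargs):
    """Run a command with root privileges.

    argv is passed as a list, so no shell parses the target path.
    """
    return subprocess.run(privileged_argv(argv), check=True, **kwargs)


if __name__ == "__main__":
    # Show what would be executed for the current user; nothing is run.
    try:
        print(privileged_argv(["umount", "./temp"]))
    except PrivilegeError as err:
        print(f"cannot elevate: {err}")
```
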