
Should allow running as non-root

Open wernight opened this issue 9 years ago • 3 comments

The Dockerized image should work as non-root user. For example by adding the docker flag --user 1234.

The main issue in the way is that if non-root (or if no PASSWORD is provided) it shouldn't run chpasswd in https://github.com/sekka1/butterfly/blob/master/docker/run.sh#L12

wernight avatar Oct 25 '16 14:10 wernight

Yeah, maybe it should just create the user. However, if you run in non-root then that user can install anything via apt-get which requires root priv. Then you have to start installing stuff like sudo.

sekka1 avatar Oct 25 '16 15:10 sekka1

I agree. That's why I'm not suggesting to make it the default, but to support it.

For example my image is based on that Docker image and I install some apps in my Dockerfile. Then I don't want to run as root when running it.

On Tue, Oct 25, 2016 at 17:29, sekka1 [email protected] wrote:

Yeah, maybe it should just create the user. However, if you run in non-root then that user can install anything via apt-get which requires root priv. Then you have to start installing stuff like sudo.


wernight avatar Oct 25 '16 18:10 wernight

I tested a little more and found that currently it needs an existing user to work. This probably could be improved so it works even if the user doesn't exist (I think currently the user lookup in Python fails).

So the simplest right now to run as non-root is a Dockerfile like:

FROM garland/butterfly
# TODO: (optional) RUN apt-get update && apt-get install -y some-package
RUN useradd --create-home --uid 1234 --shell /bin/bash foo   # note: setting the shell is required
USER 1234

# Bypass the default entrypoint to avoid trying to call `chpasswd`.
ENTRYPOINT ["butterfly.server.py"]
CMD ["--unsecure", "--host=0.0.0.0"]

To make it work for any UID I think the steps are like:

  • Don't chpasswd if no PASSWORD is provided
  • Set HOME to something like /config
  • Make /config writable by everyone: mkdir /config && chmod go+rwx /config
  • Fix user lookup in Butterfly

wernight avatar Oct 26 '16 08:10 wernight
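
The first three steps listed in the last comment, sketched as an entrypoint script. This is an added example, not the project's docker/run.sh; the file name entrypoint.sh, the function names and the `root:` target passed to chpasswd are assumptions, and the user-lookup fix inside Butterfly is not covered.

```shell
#!/bin/sh
# Hypothetical entrypoint.sh (added example, not the project's run.sh).
# PASSWORD and /config come from the thread; everything else is assumed.

# Succeeds only when a password change is both requested and possible:
# chpasswd needs root, so skip it for any other UID or an empty PASSWORD.
should_set_password() {  # $1 = effective uid, $2 = PASSWORD value
    [ "$1" -eq 0 ] && [ -n "$2" ]
}

# Print the HOME to use: keep the current one if it is a writable
# directory, otherwise fall back to the shared directory. An arbitrary
# --user UID has no passwd entry and therefore no usable home.
pick_home() {  # $1 = current HOME, $2 = fallback directory
    if [ -n "$1" ] && [ -d "$1" ] && [ -w "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

main() {
    uid=$(id -u)
    if should_set_password "$uid" "${PASSWORD:-}"; then
        # Assumption: the password is set for root.
        printf 'root:%s\n' "$PASSWORD" | chpasswd
    fi
    HOME=$(pick_home "${HOME:-}" /config)
    export HOME
    # Same command and flags as the Dockerfile in the comment above.
    exec butterfly.server.py --unsecure --host=0.0.0.0 "$@"
}

# Start the server only when executed under the assumed file name, so the
# helper functions can be sourced and checked on their own.
case "${0##*/}" in
    entrypoint.sh) main "$@" ;;
esac
```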