dietpi-software: replace runuser with setpriv #8119

Merged: MichaIng merged 1 commit into dev from setpriv on Apr 29, 2026
@MichaIng MichaIng commented Apr 28, 2026

  • runuser preserves the environment, and has no option to reset it without initializing a login shell (which fails for nologin users).

    This solves e.g. the issue that runuser -u user -- uv python install prefers XDG_DATA_HOME over the user's home dir as Python install target. It makes sense from a security aspect, too, and setpriv performs faster than runuser, as it skips the PAM session. Call env explicitly to pass specific variables, and --clear-groups by default, or --init-groups if we know that we require a supplemental group, like redis for Nextcloud occ calls.

  • Additionally, this fixes obtaining Synapse dependencies, and updates lxml and pillow dependencies, now available for Python 3.13 on piwheels.

  • Disable mjpg-streamer for Forky, due to incompatibility with its cmake.

  • Replace /bin/touch to trigger x-systemd.automount for EnvironmentFile in systemd units with /bin/test -e. The service user does not always have write permissions, and we do not want to bump the mtime of the file anyway.

  • Add ProtectProc=, NoExecPaths=, and ExecPaths= to workaround for systemd sandboxing with QEMU on Forky.

  • Allow setuid/setgid bits to function inside the container, required for recent Koel to add its cron job.

  • /sbin and /bin are removed from PATH where we set it. All our images are usr-merged, enforced by Debian since Bookworm.

Test installs: https://github.com/MichaIng/DietPi/actions/runs/25060637144
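
The pattern described in the comment above, as an added example that is not code from this PR or from DietPi: a wrapper that drops to a service user with a reset environment, clears supplementary groups unless asked otherwise, and passes only explicitly named variables through `env`. The `run_as` name, its `-G` switch, `DRY_RUN`, the sample users and the assumption that the user's primary group shares the user's name are all hypothetical.

```shell
#!/bin/sh
# Added example, not DietPi code. run_as and its calling convention are hypothetical.
# Usage: run_as [-G] USER [NAME=VALUE ...] -- COMMAND [ARG ...]
#   -G  load USER's supplementary groups (--init-groups); default is --clear-groups
# Assumption: USER's primary group has the same name as USER.
# With DRY_RUN=1 the setpriv command line is printed instead of executed.
run_as() (
    groups=--clear-groups
    if [ "$1" = -G ]; then groups=--init-groups; shift; fi
    user=${1:?run_as: USER required}; shift
    state=vars first=1 nvars=0 ncmd=0
    for word in "$@"; do
        if [ "$first" = 1 ]; then
            # Start the new argv. --reset-env discards the caller's environment
            # (XDG_DATA_HOME etc.) and derives HOME, USER, PATH from passwd.
            set -- setpriv "--reuid=$user" "--regid=$user" "$groups" --reset-env --
            first=0
        fi
        case $state:$word in
            vars:--) state=cmd ;;
            vars:[A-Za-z_]*=*)
                # Only explicitly named variables are passed on, through env.
                [ "$nvars" -gt 0 ] || set -- "$@" env
                nvars=$((nvars + 1)); set -- "$@" "$word" ;;
            vars:*) echo "run_as: expected NAME=VALUE or --, got: $word" >&2; return 2 ;;
            cmd:*) ncmd=$((ncmd + 1)); set -- "$@" "$word" ;;
        esac
    done
    [ "$ncmd" -gt 0 ] || { echo 'run_as: missing -- COMMAND' >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else exec "$@"; fi
)

# Constructed demo: print the command line for a call that needs a supplementary group.
(DRY_RUN=1; run_as -G www-data -- php occ status)
```

Without `DRY_RUN=1` the function executes the command, which requires running as root because `setpriv` changes the UID and GID.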

Copilot AI left a comment

Pull request overview

This PR modernizes DietPi-Software’s privilege dropping to ensure a clean environment when executing commands as service users, addressing install/runtime issues caused by inherited environment variables (notably with uv). It also includes a few targeted fixes for dependency handling and CI/container behavior.

Changes:

  • Replace runuser usages with setpriv ... --reset-env (and --init-groups where supplemental groups are required).
  • Adjust Python dependency handling (Synapse deps fix; update lxml/pillow/piwheels-related logic) and a few install-time command tweaks.
  • Update CI container/emulation handling (binfmt changes for setuid/setgid behavior; additional systemd sandboxing overrides), plus related unit tweaks (touch → test -e).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| dietpi/dietpi-software | Switch command execution to setpriv --reset-env, fix some Python deps handling, and adjust several install/unit snippets accordingly. |
| CHANGELOG.txt | Document the runuser→setpriv change and a couple of related DietPi-Software fixes. |
| .github/workflows/dietpi-software.bash | Update CI emulation/container setup to support setuid/setgid under QEMU and relax/override additional systemd sandboxing knobs. |

Comment thread dietpi/dietpi-software Outdated
Comment thread .github/workflows/dietpi-software.bash
@MichaIng MichaIng merged commit e8c35e8 into dev Apr 29, 2026
2 checks passed
@MichaIng MichaIng deleted the setpriv branch April 29, 2026 23:24
Successfully merging this pull request may close these issues.

DietPi-Software | Failed to reinstall Home Assistant after DietPi update 10.3
