
Cross-user status/stop/ssh: re-exec limactl via sudo when Lima dir is owned by another uid #4

Description

@eejd

Tracking issue for the fork patch on branch `feat/multiuser-status-fallback` (merged into `eejd/v0.10.3-macports`).

Problem

`colima status` (and `stop`, `ssh`) falsely report "not running" when the VM was started by a different user than the caller. Root cause: Lima's process-liveness check can't signal a process owned by another uid (`kill(pid, 0)` -> EPERM across the uid boundary).

Fix

Single choke point: `environment/vm/lima/limautil/limautil.go` `Limactl()` — every `status`/`stop`/`ssh` invocation routes through it. When the Lima instance/state dir is owned by a uid other than the caller's effective uid, re-exec limactl as the owner via `sudo -n -u `, forwarding `LIMA_HOME` explicitly. Opt out via `COLIMA_NO_CROSS_USER`.

Design caveats (open, flagged for anyone picking this up):

  • Requires a NOPASSWD sudoers grant for caller -> owner `limactl`; without it the re-exec fails closed (`sudo -n` errors rather than prompting).
  • This is a colima-layer workaround. The more correct fix may belong in lima-vm/lima's process-liveness check itself (Phase 3, not yet investigated).
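As an added illustration of the choke-point logic described above (example code, not the fork's `limautil.go`): the decision is isolated in a pure function so the same-uid, opt-out and cross-uid branches can be checked without invoking `sudo`. Assumptions: the owner is addressed with sudo's `#uid` form, `LIMA_HOME` is forwarded as a `VAR=value` argument (accepted by sudo subject to sudoers policy), and `-n` keeps the fail-closed behaviour when no NOPASSWD grant exists.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"syscall"
)

// dirOwnerUID returns the uid owning path (Unix only; Stat_t is not available elsewhere).
func dirOwnerUID(path string) (int, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return -1, err
	}
	return int(fi.Sys().(*syscall.Stat_t).Uid), nil
}

// limactlArgv chooses the argv for a limactl invocation. When the Lima dir belongs to a
// different uid than the caller and the opt-out is unset, the call is wrapped in
// `sudo -n -u #<owner>` with LIMA_HOME passed explicitly (sudo's env_reset would drop it).
func limactlArgv(limaHome string, ownerUID, callerUID int, optOut bool, args ...string) []string {
	if optOut || ownerUID == callerUID {
		return append([]string{"limactl"}, args...)
	}
	argv := []string{"sudo", "-n", "-u", "#" + strconv.Itoa(ownerUID),
		"LIMA_HOME=" + limaHome, "limactl"}
	return append(argv, args...)
}

// Limactl builds the *exec.Cmd for the real caller: effective uid vs. Lima dir owner.
func Limactl(limaHome string, args ...string) (*exec.Cmd, error) {
	owner, err := dirOwnerUID(limaHome)
	if err != nil {
		return nil, err // missing dir: report it rather than guessing an owner
	}
	_, optOut := os.LookupEnv("COLIMA_NO_CROSS_USER")
	argv := limactlArgv(limaHome, owner, os.Geteuid(), optOut, args...)
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env = append(os.Environ(), "LIMA_HOME="+limaHome)
	return cmd, nil
}

func main() {
	// Constructed uids: owner 501 started the VM, caller 502 runs `limactl list`.
	fmt.Println(limactlArgv("/Users/alice/.lima", 501, 502, false, "list"))
}
```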

Status

  • Patch implemented + unit tested (`limautil_test.go` — same-uid, missing-dir, opt-out cases; a genuine cross-uid case needs root to simulate and is deferred to live validation)
  • `go vet`, `go build` clean
  • PR #2 "Re-exec limactl cross-user via sudo when the Lima dir is owned by another uid" opened against fork `main` — core Go build/lint checks green
  • Live two-user validation (mandatory before considered done): VM started as one user, `status`/`stop`/`ssh` run as another — pending hive-session handback
  • Investigate whether the robust fix belongs in lima-vm/lima instead
  • Upstream PR to abiosoft/colima (and/or lima-vm/lima)

Cross-refs

  • eejd/macports-ports-local#162
  • eejd/macports-ports-local#169 (port repoint)
  • hive ecosystem: eejd/hive#7
