Skip to content
master
Switch branches/tags
Code

Latest commit

See tianon/gosu@fd60171 and tianon/gosu@f87df69.

The basic problem is that an invalid name like `bogus` will quietly run as `root` instead of being denied entirely (which those test updates look for and this change is verified to fix).

I've run this updated implementation successfully against all of the test cases in https://github.com/tianon/gosu/blob/f87df69c868e19f7258b4facb7c2472d76d98dda/Dockerfile.test.
212b751

Git stats

Files

Permalink
Failed to load latest commit information.

su-exec

switch user and group id, setgroups and exec

Purpose

This is a simple tool that will simply execute a program with different privileges. The program will be exceuted directly and not run as a child, like su and sudo does, which avoids TTY and signal issues (see below).

Notice that su-exec depends on being run by the root user, non-root users do not have permission to change uid/gid.

Usage

su-exec user-spec command [ arguments... ]

user-spec is either a user name (e.g. nobody) or user name and group name separated with colon (e.g. nobody:ftp). Numeric uid/gid values can be used instead of names. Example:

$ su-exec apache:1000 /usr/sbin/httpd -f /opt/www/httpd.conf

TTY & parent/child handling

Notice how su will make ps be a child of a shell while su-exec just executes ps directly.

$ docker run -it --rm alpine:edge su postgres -c 'ps aux'
PID   USER     TIME   COMMAND
    1 postgres   0:00 ash -c ps aux
   12 postgres   0:00 ps aux
$ docker run -it --rm -v $PWD/su-exec:/sbin/su-exec:ro alpine:edge su-exec postgres ps aux
PID   USER     TIME   COMMAND
    1 postgres   0:00 ps aux

Why reinvent gosu?

This does more or less exactly the same thing as gosu but it is only 10kb instead of 1.8MB.