su -c doesn't make the shell stay around #25

Closed
jakub-bochenski opened this issue Jan 16, 2019 · 10 comments

@jakub-bochenski

On my machine when I run the README example I get:

$ docker run -it --rm alpine:edge su postgres -c 'ps aux'
Unable to find image 'alpine:edge' locally
edge: Pulling from library/alpine
ba7f5deea89d: Pull complete 
Digest: sha256:72fac243935dc4398718b67c2469eafa6ccdca0c6af3ae365d5bba92400c69cd
Status: Downloaded newer image for alpine:edge
PID   USER     TIME  COMMAND
    1 postgres  0:00 ps aux
@tianon
Contributor

tianon commented Jan 16, 2019

That's probably because su in Alpine is provided by Busybox, whereas in Debian it's part of https://packages.debian.org/stretch/login (and likely has slightly different behavior, as you've discovered).

If Busybox's su package provides what you need out of the box, then you're probably fine using it instead (although su-exec has a more narrow "feature" focus, FWIW).

@jakub-bochenski
Author

jakub-bochenski commented Jan 17, 2019

@tianon sure, but that's a bit confusing.
Maybe you would consider updating the docs to use debian:stretch there or whatever actually shows the desired result?

@jakub-bochenski
Author

Unfortunately there seems to be no other user available out of the box in debian:stretch

docker run -it --rm debian:stretch su postgres -c 'ps aux'
Unable to find image 'debian:stretch' locally
stretch: Pulling from library/debian
cd8eada9c7bb: Pull complete 
Digest: sha256:58a80e0b6aa4d960ee2a5452b0230c406c47ed30a66555ba753c8e1710a434f5
Status: Downloaded newer image for debian:stretch
No passwd entry for user 'postgres'

@jakub-bochenski
Author

It does work like this in the postgres image, but it has a custom entrypoint so I'm not sure if it shows anything:

$ docker run -it --rm postgres:11 su postgres -c 'ps aux'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  48536  3076 pts/0    Ss+  12:00   0:00 su postgres -c 
postgres     8  0.0  0.0  38312  3292 ?        Rs   12:00   0:00 ps aux

@tianon
Contributor

tianon commented Jan 17, 2019

This one isn't my repo (just trying to help out) 😅

The debian image has a few users by default (see /etc/passwd for a full list); I typically use nobody for tests.

@jakub-bochenski
Author

> This one isn't my repo (just trying to help out) 😅

I know. Thanks for doing gosu BTW!

> The debian image has a few users by default (see /etc/passwd for a full list); I typically use nobody for tests.

It seems nobody has a different shell configured than /bin/sh -- wouldn't that be a factor?

@tianon
Contributor

tianon commented Jan 18, 2019

Dunno, possibly? I'm not sure exactly how su is expected to work, but I know su-exec and gosu ignore a user's configured shell as a core design feature (it's out of scope for simply running X thing as Y user).

@jakub-bochenski
Author

Well apparently Debian su doesn't ignore the shell, which is /usr/sbin/nologin in this case

$ docker run -it --rm debian:stretch  su nobody -c 'ps aux'
This account is currently not available.

@ncopa
Owner

ncopa commented Jan 18, 2019

This is a problem in busybox su, not su-exec. Ironically, this also means that busybox su does exactly what su-exec does so there is no need for su-exec in Alpine (unless they fix busybox su).

This should be followed up in busybox bug tracker: https://bugs.busybox.net/show_bug.cgi?id=9401

Meanwhile, you can work around it in alpine by using su from the shadow package:

$ docker run -it --rm alpine:edge sh -c "apk add --no-cache shadow && su postgres -c 'ps aux'"
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
(1/2) Installing linux-pam (1.3.0-r0)
(2/2) Installing shadow (4.5-r0)
Executing busybox-1.28.4-r2.trigger
OK: 7 MiB in 15 packages
PID   USER     TIME  COMMAND
    1 root      0:00 su postgres -c ps aux
    9 postgres  0:00 ps aux

@ncopa ncopa closed this as completed Jan 18, 2019
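
The difference shown in the comments above (BusyBox su leaves the command as PID 1, while the Debian and shadow su stay around as its parent) can be checked mechanically. This is an added example, not code from the issue or from su-exec: the helper name classify_su is hypothetical, and the sample inputs are the ps output quoted in this thread.

```shell
#!/bin/sh
# Added example; classify_su is a hypothetical helper name.
# Reads `ps aux` output captured from `su USER -c 'ps aux'` run as a
# container's main process and prints:
#   exec    - the command itself is PID 1 (su replaced itself)
#   fork    - su is still PID 1 and the command runs as its child
#   unknown - no header row or no PID 1 row was found
classify_su() {
    awk '
        !cmdcol {
            # Skip preamble (e.g. image pull messages) until the header
            # row, then record where the PID and COMMAND columns are.
            # BusyBox ps and procps ps order their columns differently.
            p = 0; c = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "PID") p = i
                if ($i == "COMMAND") c = i
            }
            if (p && c) { pidcol = p; cmdcol = c }
            next
        }
        $pidcol == 1 {
            # First word of the PID 1 command line, directory stripped.
            cmd = $cmdcol
            sub(/.*\//, "", cmd)
            result = (cmd == "su") ? "fork" : "exec"
        }
        END {
            if (result == "") result = "unknown"
            print result
        }
    '
}

# Sample inputs: the ps output quoted in this thread.
busybox_su='PID   USER     TIME  COMMAND
    1 postgres  0:00 ps aux'
shadow_su='PID   USER     TIME  COMMAND
    1 root      0:00 su postgres -c ps aux
    9 postgres  0:00 ps aux'
procps_su='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  48536  3076 pts/0    Ss+  12:00   0:00 su postgres -c
postgres     8  0.0  0.0  38312  3292 ?        Rs   12:00   0:00 ps aux'

for sample in "$busybox_su" "$shadow_su" "$procps_su"; do
    printf '%s\n' "$sample" | classify_su
done
```
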
@jakub-bochenski
Author

jakub-bochenski commented Jan 18, 2019

@ncopa This issue is about su-exec README. If you run the example from https://github.com/ncopa/su-exec#tty--parentchild-handling it will give you different results than what is shown there.

I would just send you a PR updating the docs, but I can't find a suitable image for this.
