Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

run root-less? #30

Closed
miekg opened this issue Dec 23, 2020 · 8 comments
Closed

run root-less? #30

miekg opened this issue Dec 23, 2020 · 8 comments

Comments

@miekg
Copy link
Collaborator

miekg commented Dec 23, 2020

Can we run as non-root? Potentially letting systemd doing all the heavy lifting?

Of course being able to send arbitrary unit to systemd is indistinguishable from actually being root... But it might benefit some use cases.

It could very much turn out this is not possbile.
@miekg miekg mentioned this issue Jan 12, 2021
Closed
miekg added a commit that referenced this issue Jan 12, 2021
@miekg
Skip debian package pre-install if not root
0210334 
The if the euid is 0, otherwise skip the installation step (will fail
anyway, but that's a fatal error)

See: #30

Signed-off-by: Miek Gieben <miek@miek.nl>
@miekg miekg mentioned this issue Jan 12, 2021
Merged
miekg added a commit that referenced this issue Jan 13, 2021
@miekg
Skip debian package pre-install if not root (#50)
37ff836 
The if the euid is 0, otherwise skip the installation step (will fail
anyway, but that's a fatal error)

See: #30

Signed-off-by: Miek Gieben <miek@miek.nl>
@miekg
Copy link
Collaborator Author

miekg commented Jan 18, 2021
edited

Chowning a file/directory in Linux needs the CAP_CHOWN capability, so not full root.

I still believe creating system units requires root, but what about user units? If that can be done then we would need a few code changes and only the CAP_CHOWN capability (provided we can create the directories)

Oh user services, require a user to login into the system, https://superuser.com/questions/853717/what-is-the-difference-between-systemds-user-and-system-services
(trying to dig up some more official docs)

@miekg
Copy link
Collaborator Author

miekg commented Jan 18, 2021

Potentially we can run a user systemd regardless - would slightly be more involved, but not rocket science. This would imply we would run all pods using the same user - the user for which we started the systemd user process (i.e. systemk user). Then we're left with only the CAP_CHOWN capability.

Note this also means you can't bind to a low port, etc. etc. So you may not want to this a default, but it would be good to understand that this is very much a possibly in more constrained environments.

@miekg
Copy link
Collaborator Author

miekg commented Jan 18, 2021

hmm, it looks like its just: su $USER systemd --user and changing systemk's init (or whatever) to use the user version (this is a boolean on the API, right now it just defaults to 'use the system one').
This can be a PreExecStart in the service.file that starts systemk, like here: https://github.com/miekg/debian/blob/master/systemk/debian/systemk.service
Together with the CAP_CHOWN and systemk's -d flag... that should be it

@miekg
Copy link
Collaborator Author

miekg commented Jan 18, 2021

See #64 for how this would look, still requires capabilities, but those are dealt with outside of this code base (although we can provide an example unit file)

@miekg
Copy link
Collaborator Author

miekg commented Feb 2, 2021

see #86 it cannot be done.

@miekg miekg closed this as completed Feb 2, 2021
@erwbgy
Copy link

erwbgy commented Feb 11, 2021

If the issue is with BindPaths not working, do any of the parameters mentioned in "Automatic creation of directories for a service" at https://www.redhat.com/sysadmin/systemd-secure-services help?

@miekg
Copy link
Collaborator Author

miekg commented Feb 17, 2021

cc @nicollet

@miekg
Copy link
Collaborator Author

miekg commented Feb 17, 2021

@erwbgy sadly no, not for this use case. Note that the example in that section also uses sudo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@erwbgy @miekg