Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rootless execution #13

Open
cvengler opened this issue Nov 29, 2022 · 3 comments
Open

rootless execution #13

cvengler opened this issue Nov 29, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@cvengler
Copy link
Member

As far as I know, we only require root privileges for the cgroup part. It would be awesome if these privileges could be dropped somehow in order to avoid an escalation. The traditional UNIX approach would be a call to setresuid(2) and setresgid(2), although the Linux capabilities feature may look promising as well.

@cvengler cvengler added the enhancement New feature or request label Nov 29, 2022
@cvengler
Copy link
Member Author

cvengler commented Nov 29, 2022

My current investigation is, that we probably do not even need any sort of capabilities. We just need to "downgrade" the root user to a normal one (in terms of capabilities), because the a DAC override is not required (because the root cgorup is owned by the root user anyway).

Well, but that wouldn't be rootless execution. It would be a less root one 😋

@sevenautumns
Copy link
Collaborator

sevenautumns commented Nov 30, 2022

Rootless execution should already be achievable through systemd-run --user --scope instead of sudo

@dadada
Copy link
Collaborator

dadada commented Jan 16, 2023

The binary is not setuid. Unless anyone runs it with root (not recommended), this should not be an issue. But we should probably drop capabilities that we don't need, even within the user-slice.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

3 participants