front: use a setuid wrapper instead of sudo
multun committed Nov 10, 2023
1 parent a9c530a commit 457916e
Showing 2 changed files with 15 additions and 8 deletions.
11 changes: 10 additions & 1 deletion front/docker/Dockerfile.dev
@@ -1,7 +1,16 @@
FROM node:18

# Install dependencies
RUN apt-get update && apt-get install -y xdg-utils sudo
RUN apt-get update -yqq && \
apt-get install -y xdg-utils gcc && \
printf >/exec.c '%s\n' \
'#include <unistd.h>' \
'int main(int argc, char *argv[]) {' \
' return argv[1] ? execvp(argv[1], argv + 1) : 0;' \
'}' && \
gcc -o /exec /exec.c && \
apt-get remove -y gcc && \
apt-get autoremove -y
WORKDIR /app

# Start the app
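Review bot: The generated wrapper goes straight to `execvp` (the `return argv[1] ? ...` line), so once the entrypoint marks `/exec` set-id only the effective UID and GID change; the real IDs stay those of the caller, which is root in the entrypoint, and the launched process can switch its effective IDs back. I would make the drop permanent inside the wrapper by emitting `'#define _GNU_SOURCE'` ahead of the include line and adding `'  if (setresgid(getegid(), getegid(), getegid()) || setresuid(geteuid(), geteuid(), geteuid())) return 1;'` before the exec line. Supplementary groups are still inherited from the caller with this design, so a non-set-id helper that is started as root and calls setgroups/setgid/setuid itself (or `setpriv`, if the image ships it) would be the stricter option. A short comment above the `printf` saying why the binary exists and that the entrypoint sets its mode would also help, since the Dockerfile alone does not show that it becomes set-id; the file continues below the hunk.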
12 changes: 5 additions & 7 deletions front/docker/dev-entrypoint.sh
Expand Up @@ -14,11 +14,9 @@ new_gid=$(stat -c %g .)
# write cache to, and use numerical group / user IDs

mkdir -p /home/fake_user
chown "${new_uid}:${new_gid}" /home/fake_user
export HOME=/home/fake_user

# n: non interactive
# N: don't update the credentials cache
# E: preserve environment variables
# H: set HOME
exec sudo -nNE -u "#${new_uid}" -g "#${new_gid}" "$@"
chmod 6755 /exec
chown "${new_uid}:${new_gid}" /home/fake_user /exec

export HOME=/home/fake_user
exec /exec "$@"
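Review bot: `chmod 6755 /exec` runs before the `chown` that changes the owner and group of `/exec`, and on Linux chown(2) is documented to clear the set-user-ID and set-group-ID bits of an executable when its ownership changes, root included. If that happens here, `exec /exec "$@"` keeps running the command as root with no error, which is the opposite of what the wrapper is for. Swapping the order avoids depending on that behaviour: `chown "${new_uid}:${new_gid}" /home/fake_user /exec` first, then `chmod 6755 /exec`. It is worth confirming the drop once, for example by running `id` through the entrypoint; `new_uid` and `new_gid` are assigned above the hunk, so how they are validated is not visible here.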
