Closed Baldomo closed 3 years ago
Hi @Baldomo,
the setgid is needed to run docker containers without the need for being root. Kathará is intended to be executed even on shared computers (e.g. university labs) where the users don't have root access to the system. If the user's account is put in the docker group it will be possible to execute a privilege escalation.
If you start Kathará from a terminal I understand that it works (you've been able to run `kathara check`) and Kathará is intended to be executed only from a terminal. I don't understand why you would execute it from GTK (I'm quite sure, even removing the setgid flag, it doesn't do anything).
Could you please share further information about what you are trying to achieve?
Okay I totally get it now! Thank you for explaining the reason behind `setuid`. The whole "GTK refusing to start with setgid" thing only happens in GTK-based terminal emulators, such as the one integrated in vscodium/vscode (and others). It wasn't working on xfce4-terminal either but I did a clean install and now it works great on there; in hindsight I should have tried even more terminal emulators. Still, I think this particular edge case should be stored as a warning somewhere like the wiki, so anyone else who comes across it does not report it as a bug.
Edit: GTK errors out only when the terminal in vscode is set to "integrated"
Hi @Baldomo
so from what I understand from your edit, there is still a way to execute Kathará inside vscode?
In the next days I'll test your issue and put it in the wiki, thanks for the suggestion.
Yes, Kathara works fine on my system when this specific setting is set to "external" like so
I haven't noticed any other bugs or errors so far inside vscode's terminal
I still get this error when I want to set the "terminal emulator to be used" setting to GTK-based ones (e.g. tilix, gnome-terminal).
Describe the bug
GTK+ refuses to start Kathara because of its use of `setuid`/`setgid`. This does not happen with all the CLI commands but only with the ones which require interaction with docker, or so it seems.
In my humble and uninvolved opinion, the complete removal of any `setuid` usage on Linux (or on Arch based distros at least) should be considered, as explained by the GNOME authors in the article linked below (here for convenience). This would simplify the build process by a considerable amount and avoid a possible point of failure. I also have to note that the Docker documentation itself recommends the user be added to the `docker` group for rootless usage. Furthermore, `setuid` in Kathara will eventually be excessive when Docker enables rootless mode as default (podman is a great example of a fully working container environment which doesn't need root at all). Please correct my argument if you feel it's wrong or I'm missing key information.
To Reproduce
Steps to reproduce the behavior:
Linux-Pkg
kathara lstart
Expected behavior
Kathara works as intended.
Output
The URL in the command output links to a removed page, now at https://www.gtk.org/pages/setuid.html
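Added example, not part of the original issue and not GTK or Kathará code: a small C diagnostic for the condition this thread is about. It assumes a toolkit detects a setuid/setgid launch by comparing real and effective IDs; the function names and the sample IDs are hypothetical.

```c
/* Added example: not GTK or Kathará source; all names are hypothetical. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum { PRIV_NONE = 0, PRIV_UID = 1, PRIV_GID = 2 };

/* Compare real and effective IDs; a set-id launch makes them differ. */
int classify_ids(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    int flags = PRIV_NONE;
    if (ruid != euid) flags |= PRIV_UID;
    if (rgid != egid) flags |= PRIV_GID;
    return flags;
}

/* The same comparison on the calling process's live credentials. */
int classify_self(void)
{
    return classify_ids(getuid(), geteuid(), getgid(), getegid());
}

/* Report which set-id bits a file mode carries. */
int classify_mode(mode_t mode)
{
    int flags = PRIV_NONE;
    if (mode & S_ISUID) flags |= PRIV_UID;
    if (mode & S_ISGID) flags |= PRIV_GID;
    return flags;
}

/* Inspect an executable on disk; returns -1 if it cannot be stat()ed. */
int classify_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    /* On directories the setgid bit only controls group inheritance. */
    if (!S_ISREG(st.st_mode)) return PRIV_NONE;
    return classify_mode(st.st_mode);
}

int main(int argc, char **argv)
{
    printf("process flags: %d\n", classify_self());
    if (argc > 1)
        printf("%s flags: %d\n", argv[1], classify_file(argv[1]));
    return 0;
}
```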
"check" Command Output