Allow RunAs with root user

[jackdcasey]

Hello!

My organization has been experimenting with SSM, I really love it so far!

One snag we ran into, is we wanted to use RunAs with the root user. Unfortunately, this user has UID as 0 and GID as 0, preventing us from logging in. For reference, here's the error:

ERROR [execute @ shell.go.157] [ssm-session-worker] [first.last@company.com-1234...] [DataBackend] [pluginName=Standard_Stream] Unable to start shell: invalid uid and gid

We found this to be the culprit: https://github.com/aws/amazon-ssm-agent/blob/master/agent/session/shell/shell_unix.go#L215-L220

    if uid > 0 && gid > 0 {
        return uint32(uid), uint32(gid), groupIds, nil
    }

    return 0, 0, nil, errors.New("invalid uid and gid")

Is this done intentionally? If not, I've opened the following WIP PR to allow 0 as a valid GID / UID 😄

https://github.com/aws/amazon-ssm-agent/pull/317

If there is interest in merging this change, I will perform more testing / validation before removing the WIP status 🚀

Thanks!

[danr-amz]

Thank you for submitting this. We are investigating whether or not this is a viable option.

[ferkhat-aws]

The Session Manager logs in with a default user named ssm-user which has root/admin privilages. Can this user serve your use case/cases instead?

[jackdcasey]

@ferkhat-amz Thank you for getting back! In our specific case, we ended up going with custom Documents with a specific RunAs user configured. This works totally fine for our use!

Although, as a quality of life thing, it would have been great to allow direct login as root. Not a dealbreaker, as we only needed to configure sudoers for a user, then run sudo -i to get into root. Overall this would only save a few seconds, so it's not the end of the world 😄

[nitikaaws]

Thanks for your feedback, we have noted this request.