blablacar / dgr

Container build and runtime tool
Apache License 2.0

dgr fails to start even though setuid bit is set #265

Open svvac opened 5 years ago

svvac commented 5 years ago

I installed dgr with exec permissions restricted to a dedicated group and set the setuid bit on the binary, hoping this would spare me the sudo stuff. Even so, dgr fails, complaining about needing root.

$ file /usr/bin/dgr
/usr/bin/dgr: setuid ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header

$ ls -al /usr/bin/dgr
-rwsr-xr-- 1 root dgr 21M Nov 27 19:57 /usr/bin/dgr*

PaulGrandperrin commented 5 years ago

I don't see any reference to setuid() or geteuid() in the source code, so I guess it's normal that it doesn't work ;-) It could be added easily through...

svvac commented 5 years ago

Right. If changes are involved, might as well do this the proper way and check for actually required capabilities to run the tool instead of just checking uid=0?

PaulGrandperrin commented 5 years ago

I'm not sure it would be worth the effort to find and check individually for all the required capabilities when most users will just run it as root anyway. Do you have a specific use case in mind?

svvac commented 5 years ago

Well, production use with locked-down permissions. I guess the target is more disposable VM build hosts than uid-namespaced containers?
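
The capability check proposed in the thread, sketched in Go as an added example (not dgr's code and not written by anyone in this issue): it reads the effective capability mask from /proc/self/status and reports which required capabilities are missing, instead of testing uid=0. The `required` set is a hypothetical placeholder, since the thread does not say which capabilities dgr needs.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers as defined in linux/capability.h.
var capNames = map[uint]string{7: "CAP_SETUID", 18: "CAP_SYS_CHROOT", 21: "CAP_SYS_ADMIN"}

// Hypothetical requirement set, for illustration only.
var required = []uint{18, 21}

// effectiveCaps extracts the CapEff bitmask from /proc/<pid>/status text.
func effectiveCaps(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			hex := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
			return strconv.ParseUint(hex, 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status")
}

// missingCaps names every capability in need whose bit is clear in mask.
func missingCaps(mask uint64, need []uint) []string {
	var missing []string
	for _, bit := range need {
		if mask&(uint64(1)<<bit) == 0 {
			missing = append(missing, capNames[bit])
		}
	}
	return missing
}

func main() {
	data, err := os.ReadFile("/proc/self/status") // Linux only
	if err != nil {
		panic(err)
	}
	mask, err := effectiveCaps(string(data))
	if err != nil {
		panic(err)
	}
	// A setuid-root binary changes the effective UID only; the real UID stays the caller's.
	fmt.Printf("uid=%d euid=%d missing=%v\n", os.Getuid(), os.Geteuid(), missingCaps(mask, required))
}
```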