search

rustdesk / rustdesk-server

RustDesk Server Program
https://rustdesk.com/server
GNU Affero General Public License v3.0
6.49k stars 1.36k forks source link

s6 container - run as user #425

Open paspo opened 3 months ago

paspo commented 3 months ago

ref. https://github.com/rustdesk/rustdesk-server/issues/424

running hbbs and hbbr as a simple user is indeed a good idea.

We can do this in 2 way: 1 - run s6 as root and run the services as a normal user 2 - run the whole container as an unprivileged user

The advantage of the first solution is that we can define 2 ENV variables (PGID and PUID) and define user and group ID to use to run the binaries, the downside is that the s6 part of the container is still running as root.

/data # ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
   17 root      0:00 s6-supervise s6-linux-init-shutdownd
   18 root      0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -d3 -c /run/s6/basedir -g 3000 -C -B
   26 root      0:00 s6-supervise s6rc-oneshot-runner
   27 root      0:00 s6-supervise s6rc-fdholder
   28 root      0:00 s6-supervise hbbr
   29 root      0:00 s6-supervise hbbs
   35 root      0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /package/admin/s6/command/s6-sudod -t 30000 -- /package/admin/s6-rc/command/s6-rc-one
   67 rustdesk  0:00 /usr/bin/hbbr
   72 rustdesk  0:00 /usr/bin/hbbs -r relay.example.com
  118 root      0:00 sh
  124 root      0:00 ps aux

The advantage of the second solution is obvious: everything is run with user privileges.

~ $ ps aux
PID   USER     TIME  COMMAND
    1 rustdesk  0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
   21 rustdesk  0:00 s6-supervise s6-linux-init-shutdownd
   23 rustdesk  0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -d3 -c /run/s6/basedir -g 3000 -C -B
   30 rustdesk  0:00 s6-supervise s6rc-oneshot-runner
   31 rustdesk  0:00 s6-supervise s6rc-fdholder
   32 rustdesk  0:00 s6-supervise hbbr
   33 rustdesk  0:00 s6-supervise hbbs
   39 rustdesk  0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /package/admin/s6/command/s6-sudod -t 30000 -- /package/admin/s6-rc/command/s6-rc-one
   63 rustdesk  0:00 sh ./run hbbr
   69 rustdesk  0:00 sh ./run hbbs
   73 rustdesk  0:00 /usr/bin/hbbr
  105 rustdesk  0:00 /usr/bin/hbbs -r relay.example.com
  121 rustdesk  0:00 sh
 1163 rustdesk  0:00 ps aux
~ $ whoami
rustdesk

@rustdesk, your opinion?