search

subuser-security / subuser

Run programs on linux with selectively restricted permissions.
http://subuser.org
GNU Lesser General Public License v3.0
889 stars 65 forks source link

Using x11 and gui permissions at the same time causes 'Duplicate mount point '/tmp/.X11-unix'. ' error. #292

Closed cinterloper closed 7 years ago

cinterloper commented 8 years ago

when the 'gui' section is declared in permissions.json

grant@unit00:~/pkgs$ subuser run intellij
Starting xpra server...
Starting xpra client...
docker: Error response from daemon: Duplicate mount point '/tmp/.X11-unix'.
See 'docker run --help'.
grant@unit00:~/pkgs$ NEW="$(cat intellij/permissions.json | grep -v gui | jq -c .)"#strip gui declarations
grant@unit00:~/pkgs$ cat intellij/permissions.json 
{
 "executable": "/opt/intellij/bin/idea.sh",
 "access-working-directory": true,
 "allow-network-access": true,
 "stateful-home": true,
 "x11": true,
 "gui" : {"system-tray":true,"clipboard":true},
 "maintainer": "grant <grant@iowntheinter.net>"
}
grant@unit00:~/pkgs$ NEW="$(cat intellij/permissions.json | grep -v gui | jq -c .)"
grant@unit00:~/pkgs$ echo $NEW | jq . > intellij/permissions.json 
grant@unit00:~/pkgs$ cat !$
cat intellij/permissions.json
{
  "executable": "/opt/intellij/bin/idea.sh",
  "access-working-directory": true,
  "allow-network-access": true,
  "stateful-home": true,
  "x11": true,
  "maintainer": "grant <grant@iowntheinter.net>"
}
grant@unit00:~/pkgs$ subuser subuser remove intellij
Removing subuser intellij
 If you wish to remove the subusers home directory, issule the command $ rm -r /home/grant/.subuser/homes/intellij
 If you wish to remove the subusers image, issue the command $ subuser remove-old-images
Verifying subuser configuration.
Verifying registry consistency...
Unregistering any non-existant installed images.
Running garbage collector on temporary repositories...
Clearing directory /home/grant/.subuser/volumes/execute
Clearing directory /home/grant/.subuser/volumes/x11
grant@unit00:~/pkgs$ subuser subuser add intellij intellij@./
Adding subuser intellij with image intellij@./
Verifying subuser configuration.
Verifying registry consistency...
Unregistering any non-existant installed images.
intellij: would like to have the following permissions:
 Description:
 Maintainer: grant <grant@iowntheinter.net>
 Executable: /opt/intellij/bin/idea.sh
 Conservative permissions(These are safe):
  - stateful-home: To have its own home directory where it can save files and settings.
 Moderate permissions(These are probably safe):
  - access-working-directory: To access the directory from which it was launched.
  - allow-network-access: To access the network/internet.
 Liberal permissions(These may pose a security risk):
  - x11: To display X11 windows and interact with your X11 server directly(log keypresses, read over your shoulder, steal your passwords, control your computer ect.)
A - Accept and apply changes
E - Apply changes and edit result
r - Reject permissions.
Please select an option:A
Checking if images need to be updated or installed...
Checking if subuser intellij is up to date.
New images for the following subusers need to be installed:
intellij
Installed new image <sha256:506e28b3e058bee9eec9ac2a19efb93a2e2703ead8938fa87f4864f169dfd5f8> for subuser intellij
Running garbage collector on temporary repositories...
Clearing directory /home/grant/.subuser/volumes/execute
Clearing directory /home/grant/.subuser/volumes/x11
grant@unit00:~/pkgs$ 
grant@unit00:~/pkgs$ subuser run intellij #now it works
Jul 24, 2016 1:34:02 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Jul 24, 2016 1:34:02 AM java.util.prefs.FileSystemPreferences$6 run
WARNING: Prefs file removed in background /home/grant/.java/.userPrefs/prefs.xml
timthelion commented 8 years ago

Thank you for the bug report. The problem is that the x11 and gui permissions are mutually exclusive. Both provide an X11 socket to the intellij subuser. If you set the X11 permission to false, then the gui permissions can be set. I'll try to improve the error message, so that this is clear, in the near future.

On 07/24/16 03:35, Grant Haywood wrote:

when the 'gui' section is declared in permissions.json

grant@unit00:~/pkgs$ subuser run intellij Starting xpra server... Starting xpra client... docker: Error response from daemon: Duplicate mount point '/tmp/.X11-unix'. See 'docker run --help'.

|grant@unit00:~/pkgs$ NEW="$(cat intellij/permissions.json | grep -v gui | jq -c .)" grant@unit00:~/pkgs$ cat intellij/permissions.json { "executable": "/opt/intellij/bin/idea.sh", "access-working-directory": true, "allow-network-access": true, "stateful-home": true, "x11": true, "gui" : {"system-tray":true,"clipboard":true}, "maintainer": "grant grant@iowntheinter.net" } grant@unit00:~/pkgs$ NEW="$(cat intellij/permissions.json | grep -v gui | jq -c .)" grant@unit00:~/pkgs$ echo $NEW | jq . > intellij/permissions.json grant@unit00:~/pkgs$ cat !$ cat intellij/permissions.json { "executable": "/opt/intellij/bin/idea.sh", "access-working-directory": true, "allow-network-access": true, "stateful-home": true, "x11": true, "maintainer": "grant grant@iowntheinter.net" } grant@unit00:~/pkgs$ subuser subuser remove intellij Removing subuser intellij If you wish to remove the subusers home directory, issule the command $ rm -r /home/grant/.subuser/homes/intellij If you wish to remove the subusers image, issue the command $ subuser remove-old-images Verifying subuser configuration. Verifying registry consistency... Unregistering any non-existant installed images. Running garbage collector on temporary repositories... Clearing directory /home/grant/.subuser/volumes/execute Clearing directory /home/grant/.subuser/volumes/x11 grant@unit00:~/pkgs$ subuser subuser add intellij intellij@./ Adding subuser intellij with image intellij@./ Verifying subuser configuration. Verifying registry consistency... Unregistering any non-existant installed images. intellij: would like to have the following permissions: Description: Maintainer: grant grant@iowntheinter.net Executable: /opt/intellij/bin/idea.sh Conservative permissions(These are safe): - stateful-home: To have its own home directory where it can save files and settings. Moderate permissions(These are probably safe): - access-working-directory: To access the directory from which it was launched. - allow-network-access: To access the network/internet. Liberal permissions(These may pose a security risk): - x11: To display X11 windows and interact with your X11 server directly(log keypresses, read over your shoulder, steal your passwords, control your computer ect.) A - Accept and apply changes E - Apply changes and edit result r

  • Reject permissions. Please select an option:A Checking if images need to be updated or installed... Checking if subuser intellij is up to date. New images for the following subusers need to be installed: intellij Installed new image sha256:506e28b3e058bee9eec9ac2a19efb93a2e2703ead8938fa87f4864f169dfd5f8 for subuser intellij Running garbage collector on temporary repositories... Clearing directory /home/grant/.subuser/volumes/execute Clearing directory /home/grant/.subuser/volumes/x11 grant@unit00:~/pkgs$ grant@unit00:~/pkgs$ subuser run intellij #now it works Jul 24, 2016 1:34:02 AM java.util.prefs.FileSystemPreferences$1 run INFO: Created user preferences directory. Jul 24, 2016 1:34:02 AM java.util.prefs.FileSystemPreferences$6 run WARNING: Prefs file removed in background /home/grant/.java/.userPrefs/prefs.xml |

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/subuser-security/subuser/issues/292, or mute the thread https://github.com/notifications/unsubscribe-auth/ABU7-EvmUTdUsHZ1JzdJKx-jYHfHWlhdks5qYsFvgaJpZM4JTez9.

cinterloper commented 8 years ago

Thanks for the tip!

timthelion commented 8 years ago

User unfriendlinesses are bugs.