tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

gosu issue with the 'setuid' bit set #133

Closed. majid-akbari closed this issue 11 months ago.

majid-akbari commented 11 months ago

When using gosu in Debian 12 it returns this error: "gosu" appears to be installed with the 'setuid' bit set. I need to run a command like "gosu root postgres start" in the Docker entrypoint.

tianon commented 11 months ago

This is the reverse problem of the one gosu was designed to solve, and really isn't officially supported (privilege escalation vs de-escalation). I would recommend sudo for that use case, since it has actual authentication controls (unlike gosu; again, solving different problems).

majid-akbari commented 11 months ago

Yes, and it is against Docker best practices :) https://docs.docker.com/develop/develop-images/dockerfile_best-practices/

yosifkit commented 11 months ago

If you absolutely need functionality similar to sudo, such as initializing the daemon as root but running it as non-root, consider using gosu.

- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user

Note the example that it gives of when to use gosu. gosu is for stepping down from root, not for stepping up to root. If you absolutely need to run something as root in a container, don't step down in the first place (and then use gosu when you are done with root things).

huapox commented 1 week ago

With this:

chmod u+s /usr/bin/gosu
pciapp@d92314a67613:/usr/local/static/3rd$ gosu -h 
error: "gosu" appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')

# ok with this set:
export GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES="I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die."
root@dea3a1fa8039:/app# gosu -h
Usage: gosu user-spec command [args]
   eg: gosu tianon bash
       gosu nobody:root bash -c 'whoami && id'
       gosu 1000:1 id
gosu version: 1.17 (go1.18.2 on linux/amd64; gc)
gosu license: Apache-2.0 (full text at https://github.com/tianon/gosu)

ref: https://github.com/tianon/gosu/pull/89/files ("Disallow installing gosu with setuid", Aug 18, 2021); ref2: https://github.com/tianon/gosu/issues/95

tianon commented 1 week ago

Please, please, please do not run gosu with setuid; I'm really certain it's the wrong tool for what you're trying to accomplish.
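As an added, defender-side example (not gosu's own code and not from any commenter), a POSIX sh snippet that performs the same pre-flight check gosu does on its own binary (refuse if the setuid bit is set) and wires it into the "do root things first, then step down with gosu" entrypoint pattern described above; GOSU_BIN, the postgres user and the data directory path are assumptions for illustration:

```shell
#!/bin/sh
# Added example: not gosu's code. GOSU_BIN, the "postgres" user and the data
# path are assumptions; adjust them for the image this runs in.

GOSU_BIN="${GOSU_BIN:-/usr/local/bin/gosu}"

# is_setuid PATH -> returns 0 if the file carries the setuid bit, 1 otherwise.
# `find -prune -perm -4000` is POSIX and does not descend into directories.
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# check_gosu PATH -> 0 when gosu is safe to use (executable and NOT setuid),
# 1 when it is setuid (the configuration gosu itself refuses), 2 when missing.
check_gosu() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "gosu not found or not executable at $bin" >&2
        return 2
    fi
    if is_setuid "$bin"; then
        echo "refusing to continue: $bin has the setuid bit set;" \
             "gosu only steps down from root (use sudo/su to step up)" >&2
        return 1
    fi
    return 0
}

# Entrypoint pattern: when started as root, do the root-only setup, then
# re-exec this same script as the service user via gosu. On the second pass
# id -u is no longer 0, so the script simply execs the real command.
entrypoint() {
    if [ "$(id -u)" = '0' ]; then
        check_gosu "$GOSU_BIN" || exit 1
        chown -R postgres:postgres /var/lib/postgresql/data   # root-only work
        exec "$GOSU_BIN" postgres "$0" "$@"                    # step down, never up
    fi
    exec "$@"                                                  # already non-root
}

# In a real entrypoint script the last line would be:  entrypoint "$@"
```

The helper functions can be exercised on any file by toggling its mode with chmod u+s, without root and without a gosu binary present.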