tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

setuid: Operation not permitted #95

Closed gimler closed 2 years ago

gimler commented 2 years ago

system: sles 12 sp5

ENV GOSU_VERSION 1.14
RUN curl -L -o /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-i386"; \
  curl -L -o /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-i386.asc"; \
  export GNUPGHOME="$(mktemp -d)"; \
  gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
  gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
#  gpgconf --kill all; \
  rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
  chmod +x /usr/local/bin/gosu; \
  gosu --version;

# touch file to solve
# cron: can't open or create /run/cron.pid: Permission denied
RUN touch /run/cron.pid; \
    chown wwwrun /run/cron.pid

RUN ( \
    echo '* * * * * date > /proc/1/fd/1 2>&1' \
  ) | crontab -u wwwrun -

CMD ["gosu", "wwwrun", "cron", "-n"]

Error:

setuid: Operation not permitted

How can I run the cron as wwwrun?

tianon commented 2 years ago

I'm really confused why you're doing chmod +s on your binary, especially if your goal is to run it as non-root? Adding the setuid bit to a binary is specifically for running a binary as root all the time.

Also, in your simplified example, gosu is overkill, and you can just use USER instead:

...
USER wwwrun
CMD ["cron", "-n"]

If you also run with --security-opt no-new-privileges then the setuid bit will cause an error instead of just silently running as root, which might be useful for you.

For more help, I'd suggest a dedicated support forum, such as the Docker Community Forums, the Docker Community Slack, or Stack Overflow.

gimler commented 2 years ago

@tianon I was trying to keep the code snippet as small as possible, sorry, I forgot a comment. The +s was only an attempt to solve the setuid problem.

# chmod u+s to solve
# setuid: Operation not permitted

I have removed this part.

We cannot set the user with USER wwwrun because we have some init scripts that must be run on container start with root rights.

So the question is how can we fix the setuid: Operation not permitted error.

huapox commented 2 weeks ago

with this

chmod u+s /usr/bin/gosu
pciapp@d92314a67613:/usr/local/static/3rd$ gosu -h 
error: "gosu" appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')

#ok with this set
export GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES="I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die."
root@dea3a1fa8039:/app# gosu -h
Usage: gosu user-spec command [args]
   eg: gosu tianon bash
       gosu nobody:root bash -c 'whoami && id'
       gosu 1000:1 id
gosu version: 1.17 (go1.18.2 on linux/amd64; gc)
gosu license: Apache-2.0 (full text at https://github.com/tianon/gosu)

ref Disallow installing gosu with setuid @Aug 18, 2021

tianon commented 2 weeks ago

Please, please, please do not run gosu with setuid; I'm really certain it's the wrong tool for what you're trying to accomplish.

huapox commented 2 weeks ago

> Please, please, please do not run gosu with setuid; I'm really certain it's the wrong tool for what you're trying to accomplish.

It's a trick in some scene, like:

tianon commented 2 weeks ago

Honestly, properly and securely configuring sudo is better for that use case. It's literally designed for it.

tianon commented 2 weeks ago

Another even better answer would be an init container (in k8s).
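
The thread never establishes why setuid failed for the original poster. As an added example (not code from the gosu project or from anyone in this thread), the following entrypoint preflight checks the general preconditions for a privilege drop: setuid(2) returns EPERM when the caller lacks CAP_SETUID, and gosu refuses to run with the setuid bit set. The function names are hypothetical; the capability numbers 6 (CAP_SETGID) and 7 (CAP_SETUID) are the Linux kernel's.

```shell
#!/bin/sh
# Added example: checks to run in an entrypoint before `exec gosu <user> <cmd>`.
# Function names are illustrative and not part of gosu.

# has_cap HEXMASK BIT -> succeeds if capability number BIT is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff [STATUS_FILE] -> prints the effective capability mask (hex)
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}"
}

# has_setid_bit FILE -> succeeds if FILE carries the setuid or setgid bit
has_setid_bit() {
    [ -u "$1" ] || [ -g "$1" ]
}

# preflight GOSU_PATH [STATUS_FILE] [UID]
# Prints one line per problem and returns the number of problems found.
preflight() {
    gosu_bin=$1
    status=${2:-/proc/self/status}
    uid=${3:-$(id -u)}
    problems=0
    mask=$(cap_eff "$status")

    [ "$uid" -eq 0 ] || {
        echo "not running as root (uid $uid): gosu cannot switch users"
        problems=$((problems + 1)); }
    has_cap "$mask" 6 || {
        echo "CAP_SETGID missing from CapEff=$mask"
        problems=$((problems + 1)); }
    has_cap "$mask" 7 || {
        echo "CAP_SETUID missing from CapEff=$mask"
        problems=$((problems + 1)); }
    if has_setid_bit "$gosu_bin"; then
        echo "$gosu_bin has a setuid/setgid bit: clear it with chmod u-s,g-s"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

In an entrypoint, run the root-only init steps first, then `preflight /usr/local/bin/gosu || exit 1` immediately before `exec gosu wwwrun cron -n`, so a dropped capability or a stray setuid bit is reported by name.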