{"id":13463774,"url":"https://github.com/muayyad-alsadi/oneway","last_synced_at":"2026-05-18T14:35:10.465Z","repository":{"id":147752523,"uuid":"67430531","full_name":"muayyad-alsadi/oneway","owner":"muayyad-alsadi","description":"a tool to drop privileges for docker entry-points","archived":false,"fork":false,"pushed_at":"2017-02-24T16:58:41.000Z","size":7,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-07T09:29:33.820Z","etag":null,"topics":["containers","docker","init-system","jail","privileges","security"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/muayyad-alsadi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-09-05T15:09:36.000Z","updated_at":"2017-09-10T09:37:45.000Z","dependencies_parsed_at":"2023-05-27T10:15:39.872Z","dependency_job_id":null,"html_url":"https://github.com/muayyad-alsadi/oneway","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/muayyad-alsadi/oneway","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muayyad-alsadi%2Foneway","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muayyad-alsadi%2Foneway/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muayyad-alsadi%2Foneway/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muayyad-alsadi%2Foneway/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/muayyad-alsadi
","download_url":"https://codeload.github.com/muayyad-alsadi/oneway/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muayyad-alsadi%2Foneway/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33181164,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-18T09:27:30.708Z","status":"ssl_error","status_checked_at":"2026-05-18T09:27:28.300Z","response_time":71,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","docker","init-system","jail","privileges","security"],"created_at":"2024-07-31T14:00:28.330Z","updated_at":"2026-05-18T14:35:10.435Z","avatar_url":"https://github.com/muayyad-alsadi.png","language":"C","funding_links":[],"categories":["Linux"],"sub_categories":[],"readme":"# Oneway - a tool to drop privileges for docker entry-points\n\n## Introduction\n\nUse this tool if you want to drop privileges (as in Docker entry-points) but you don't want\nyour process to be a child of a `su` or `sudo` process.\n\nUnlike `su` or `sudo`, this tool calls `exec` to replace the\ncurrent process (so the command receives signals, etc.)\n\nThis tool can also set a special process flag to disallow any future privileges.\n\nThe tool simply calls\n\n* `setgid` to desired group\n* `setgroups` to set supplementary groups to only desired group\n* `setuid` to 
desired user\n* `prctl` with `PR_SET_NO_NEW_PRIVS` if `-n` is passed, to disallow future privileges\n\n## Usage\n\n```\noneway [-n|-N] USER COMMAND ARGUMENTS...\n```\n\n* `-n` no new privileges, by setting `PR_SET_NO_NEW_PRIVS` with `prctl`\n* `-N` allow new privileges, e.g. via `su`, `sudo`, or the `setuid` flag\n\nWe have a `test.sh` which displays `id` and then pings google (`ping` is a suid binary)\n\n```\n./oneway -n alsadi ./test.sh\n```\n\nTypically this would give\n\n```\nsetting uid=1000 (alsadi) gid=1000\nuid=1000(alsadi) gid=1000(alsadi) groups=1000(alsadi),10(wheel),135(mock),973(wireshark) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\nping: socket: Operation not permitted\nping: socket: Operation not permitted\n```\n\n## Installation\n\nTo build it you only need `gcc`\n\n```\nyum install gcc glibc-static\nmake\n```\n\nYou can get binaries directly from our GitHub [releases](https://github.com/muayyad-alsadi/oneway/releases)\n\n\n## Docker usage\n\nIn your `Dockerfile` you might use [Yelp's dumb-init](https://github.com/Yelp/dumb-init)\n\n\n```\nENTRYPOINT [ \"/usr/local/bin/dumb-init\", \"/start.sh\" ]\n```\n\nand in your `start.sh`\n\n```\n# do things as root\nchown ...\nchmod ...\n# run some daemons as root (backgrounded so the script continues)\nnohup /usr/local/bin/confd -watch ... \u003e\u003e /data/logs/out.log \u0026\n# run some daemons as user app\nexec oneway -n app /app.sh\n```\n\n## FAQ\n\n* Q: What is the benefit of this?\n  * drop privileges in a \"oneway\" manner.\n* Q: What is the advantage over `su` / `sudo`?\n  * they do not drop privileges; they change user.\n  * `oneway` makes use of the kernel's `PR_SET_NO_NEW_PRIVS`\n  * with `su` / `sudo` one might be able to escalate (e.g. using `setuid` binaries)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmuayyad-alsadi%2Foneway","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmuayyad-alsadi%2Foneway","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmuayyad-alsadi%2Foneway/lists"}