{"id":13416603,"url":"https://github.com/subuser-security/subuser","last_synced_at":"2026-03-17T20:35:53.325Z","repository":{"id":13977741,"uuid":"16678519","full_name":"subuser-security/subuser","owner":"subuser-security","description":"Run programs on linux with selectively restricted permissions.","archived":false,"fork":false,"pushed_at":"2025-02-23T11:31:31.000Z","size":2436,"stargazers_count":894,"open_issues_count":43,"forks_count":63,"subscribers_count":24,"default_branch":"master","last_synced_at":"2026-03-16T06:05:00.972Z","etag":null,"topics":["containers","docker","python","security"],"latest_commit_sha":null,"homepage":"http://subuser.org","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/subuser-security.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":"CONTRIBUTING.rst","funding":null,"license":"COPYING.LGPL","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security.rst","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2014-02-09T23:17:36.000Z","updated_at":"2026-02-26T09:57:27.000Z","dependencies_parsed_at":"2022-09-21T19:40:17.658Z","dependency_job_id":null,"html_url":"https://github.com/subuser-security/subuser","commit_stats":null,"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/subuser-security/subuser","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subuser-security%2Fsubuser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subuser-security%2Fsubuser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subuser-security%2Fsubuser/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subuser-security%2Fsubuser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/subuser-security","download_url":"https://codeload.github.com/subuser-security/subuser/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subuser-security%2Fsubuser/sbom","scorecard":{"id":857014,"data":{"date":"2025-08-11","repo":{"name":"github.com/subuser-security/subuser","commit":"b03fdd62631aaaadc3a1b4e66473fba7410e65a8"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.6,"checks":[{"name":"Code-Review","score":6,"reason":"Found 10/15 approved changesets -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: docs/security.rst:1","Info: Found linked content: docs/security.rst:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: docs/security.rst:1","Info: Found text in security policy: docs/security.rst:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: COPYING.LGPL:0","Info: FSF or OSI recognized license: GNU Lesser General Public License v3.0: COPYING.LGPL:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/subuser-security/subuser/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/subuser-security/subuser/ci.yml/master?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 25 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-24T00:06:44.558Z","repository_id":13977741,"created_at":"2025-08-24T00:06:44.558Z","updated_at":"2025-08-24T00:06:44.558Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30631361,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-17T17:32:55.572Z","status":"ssl_error","status_checked_at":"2026-03-17T17:32:38.732Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","docker","python","security"],"created_at":"2024-07-30T21:01:01.857Z","updated_at":"2026-03-17T20:35:53.306Z","avatar_url":"https://github.com/subuser-security.png","language":"Python","readme":"Subuser - Securing the Linux desktop with Docker\n-------------------------------------------------\n\n.. image:: https://avatars0.githubusercontent.com/u/6707097?s=200\u0026v=4\n   :target: https://subuser.org\n\n`Visit us at subuser.org \u003chttps://subuser.org\u003e`_\n\n.. image:: https://github.com/subuser-security/subuser/workflows/ci/badge.svg?branch=master\n    :target: https://github.com/subuser-security/subuser/actions?query=workflow%3Aci+branch%3Amaster\n\nAs free software developers we like to share.  We surf the web and discover new code.  We are eager to try it out.  We live out an orgy of love and trust, unafraid that some code we cloned from Git might be faulty or malicious.  We live in the 60s, carefree hippies.\n\nThis is utopia.\n\nBut sharing code isn't safe.  Every time we try out some stranger's script, we put ourselves at risk.  Despite the occasional claim that Linux is a secure operating system, haphazardly sharing programs is NOT secure.\n\nFurthermore, the fragmentation of the Linux desktop means that packaging work is needlessly repeated.  Programs that build and run on Fedora must be repackaged for Ubuntu.\n\nSubuser with Docker attacks both problems simultaneously.  Docker provides an isolated and consistent environment for your programs to run in.  Subuser gives your desktop programs access to the resources they need in order to function normally.\n\nSubuser turns Docker containers into normal Linux programs:\n------------------------------------------------------------\n\nRight now I'm editing this file in ``vim``.  ``vim`` is not installed on my computer though.  It is installed in a docker container.  However, in order to edit this file, all I had to do was type::\n\n    $ vim README.md\n\nSubuser turns a Docker container into a normal program.  But this program is not fully privileged.  It can only access the directory from which it was called, `not my entire home dir \u003chttps://xkcd.com/1200/\u003e`_.  Each subuser is assigned a specific set of permissions, just like in Android.  You can see an example ``permissions.json`` file below.\n\n::\n\n    {\n      \"description\"                : \"A web browser.\"\n      ,\"maintainer\"                : \"Timothy Hobbs \u003ctimothyhobbs (at) seznam dot cz\u003e\"\n      ,\"executable\"                : \"/usr/bin/firefox\"\n      ,\"user-dirs\"                 : [ \"Downloads\"]\n      ,\"gui\"                       : {\"clipboard\":true,\"cursors\":true}\n      ,\"sound-card\"                : true\n      ,\"allow-network-access\"      : true\n    }\n\nFor a list of all permissions supported by subuser, please see `the subuser standard \u003chttp://subuser.org/subuser-standard/permissions-dot-json-file-format.html\u003e`_.\n\nInstallation\n------------\n\nSystem Requirements\n--------------------\n\n * `Docker \u003chttp://www.docker.io/gettingstarted/#h_installation\u003e`_ 1.3 or higher\n\n * Python \u003e= 3\n\n * Git\n\n * X11 - X.Org X server - and the xauth utility (You almost certainly have this)\n\n * sudo (if you don't want to become a member of the docker group)\n\nOS Requirements\n---------------\n\n * Linux: Everything supported\n\n * OSX with docker for desktop: Limited support\n\n   * ``inherit-timezone`` is ignored\n   * xpra (graphical apps) doesn't work\n   * Probably other issues \n\nInstall with pip3: Stable version\n--------------------------------\n\n1. Add yourself to the ``sudo`` group (or the ``docker`` group).\n\n   ::\n\n       $ sudo nano /etc/group\n\n   Find ``sudo`` and add your username to the end of the line.\n\n2. Install subuser from pip3.  In a virtual environment if Python 3 is managed by Debian/Ubuntu distribution packaging.\n\n   ::\n\n       $ sudo pip3 install subuser\n\n3. Add ``~/.subuser/bin`` to your path by adding the line ``PATH=$HOME/.subuser/bin:$PATH`` to the end of your ``.bashrc`` file.\n\n   ::\n\n       $ echo -n -e '\\nPATH=$HOME/.subuser/bin:$PATH' \u003e\u003e ~/.bashrc\n\n4. Log out and then back in again.\n\n5. Done!\n\nInstall from git: Development version\n-------------------------------------\n\n1. Add yourself to the ``sudo`` group (this is not necessary if you are already a member of the ``docker`` group).\n\n2. Download the subuser repository::\n\n      $ cd\n      $ git clone https://github.com/subuser-security/subuser\n\n3. Add ``subuser/logic`` and ``~/.subuser/bin`` to your path by adding the line ``PATH=$HOME/subuser/logic:$HOME/.subuser/bin:$PATH`` to the end of your ``.bashrc`` file.\n\n   ::\n\n       $ echo -n -e '\\nPATH=$HOME/subuser/logic:$HOME/.subuser/bin:$PATH' \u003e\u003e ~/.bashrc\n\n   .. note:: You will need to change the path to ``subuser/logic`` to refer to the location to which you downloaded subuser.\n\n4. Log out and then back in again.\n\n5. Done!\n\nTo learn more and read the full manual please visit `subuser.org \u003chttps://subuser.org\u003e`_.\n","funding_links":[],"categories":["Development with Docker","Python","Sandboxes","security"],"sub_categories":["Wrappers"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsubuser-security%2Fsubuser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsubuser-security%2Fsubuser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsubuser-security%2Fsubuser/lists"}