Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/muayyad-alsadi/oneway
a tool to drop privileges for docker entry-points
https://github.com/muayyad-alsadi/oneway
containers docker init-system jail privileges security
Last synced: 2 months ago
JSON representation
a tool to drop privileges for docker entry-points
- Host: GitHub
- URL: https://github.com/muayyad-alsadi/oneway
- Owner: muayyad-alsadi
- Created: 2016-09-05T15:09:36.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2017-02-24T16:58:41.000Z (almost 8 years ago)
- Last Synced: 2024-07-31T14:01:07.610Z (5 months ago)
- Topics: containers, docker, init-system, jail, privileges, security
- Language: C
- Size: 6.84 KB
- Stars: 5
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-jordan - oneway - a no-way-back tool to drop privileges useful for docker entry-points (Linux)
README
# Oneway - a tool to drop privileges for docker entry-points
## Introduction
If you want to drop privileges (as in Docker entry-points) but you don't want
your process to be child process of `su` or `sudo` process.Unlike `su` or `sudo` this tool would `exec` to replace the
current process (so it would receive signals ..etc.)This tool can also set special process flags so disallow any future privileges
This process simply calls
* `setgid` to desired group
* `setgroups` to set supplementary groups to only desired group
* `setuid` to desired user
* `prctl` with `PR_SET_NO_NEW_PRIVS` if -n is passed to disallow future privileges## Usage
```
oneway [-n|-N] USER COMMAND ARGUMENTS...
```* `-n` no new privileges by setting `PR_SET_NO_NEW_PRIVS` with `prctl`
* `-N` allow new privileges ex. via `su`, `sudo`, `setuid` flagwe have a `test.sh` which display `id` then it pings google (which is a suid binary)
```
./oneway -n alsadi ./test.sh
```typically this would give
```
setting uid=1000 (alsadi) gid=1000
uid=1000(alsadi) gid=1000(alsadi) groups=1000(alsadi),10(wheel),135(mock),973(wireshark) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
ping: socket: Operation not permitted
ping: socket: Operation not permitted
```## Installation
To build it you only need `gcc`
```
yum install gcc glibc-static
make
```You can get binaries directly from our github [releases](https://github.com/muayyad-alsadi/oneway/releases)
## Docker usage
In your `Dockerfile` you might use [Yelp's dumb-init](https://github.com/Yelp/dumb-init)
```
ENTRYPOINT [ "/usr/local/bin/dumb-init", "/start.sh" ]
```and in your `start.sh`
```
# do things as root
chown ...
chmod ...
# run some daemons as root
nohup /usr/local/bin/confd -watch ... >> /data/logs/out.log
# run some daemons as user app
exec oneway -n app /app.sh
```## FAQ
* Q: Why is the benitift of this?
* drop priviligies in "oneway" manner.
* Q: What is the advantage over `su` / `sudo`
* they do not drop priviligies they change user.
* `oneway` make use of kernel `PR_SET_NO_NEW_PRIVS`
* with `su` / `sudo` one might be able to escelate (ex. using `setuid` binaries)