Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/muayyad-alsadi/oneway

a tool to drop privileges for docker entry-points
https://github.com/muayyad-alsadi/oneway

containers docker init-system jail privileges security

Last synced: 3 months ago
JSON representation

a tool to drop privileges for docker entry-points

Host: GitHub
URL: https://github.com/muayyad-alsadi/oneway
Owner: muayyad-alsadi
Created: 2016-09-05T15:09:36.000Z (over 8 years ago)
Default Branch: master
Last Pushed: 2017-02-24T16:58:41.000Z (almost 8 years ago)
Last Synced: 2024-07-31T14:01:07.610Z (6 months ago)
Topics: containers, docker, init-system, jail, privileges, security
Language: C
Size: 6.84 KB
Stars: 5
Watchers: 3
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-jordan - oneway - a no-way-back tool to drop privileges useful for docker entry-points (Linux)

README

# Oneway - a tool to drop privileges for docker entry-points

## Introduction

If you want to drop privileges (as in Docker entry-points) but you don't want
your process to be child process of `su` or `sudo` process.

Unlike `su` or `sudo` this tool would `exec` to replace the
current process (so it would receive signals ..etc.)

This tool can also set special process flags so disallow any future privileges

This process simply calls

* `setgid` to desired group
* `setgroups` to set supplementary groups to only desired group
* `setuid` to desired user
* `prctl` with `PR_SET_NO_NEW_PRIVS` if -n is passed to disallow future privileges

## Usage

```
oneway [-n|-N] USER COMMAND ARGUMENTS...
```

* `-n` no new privileges by setting `PR_SET_NO_NEW_PRIVS` with `prctl`
* `-N` allow new privileges ex. via `su`, `sudo`, `setuid` flag

we have a `test.sh` which display `id` then it pings google (which is a suid binary)

```
./oneway -n alsadi ./test.sh
```

typically this would give

```
setting uid=1000 (alsadi) gid=1000
uid=1000(alsadi) gid=1000(alsadi) groups=1000(alsadi),10(wheel),135(mock),973(wireshark) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
ping: socket: Operation not permitted
ping: socket: Operation not permitted
```

## Installation

To build it you only need `gcc`

```
yum install gcc glibc-static
make
```

You can get binaries directly from our github [releases](https://github.com/muayyad-alsadi/oneway/releases)

## Docker usage

In your `Dockerfile` you might use [Yelp's dumb-init](https://github.com/Yelp/dumb-init)

```
ENTRYPOINT [ "/usr/local/bin/dumb-init", "/start.sh" ]
```

and in your `start.sh`

```
# do things as root
chown ...
chmod ...
# run some daemons as root
nohup /usr/local/bin/confd -watch ... >> /data/logs/out.log
# run some daemons as user app
exec oneway -n app /app.sh
```

## FAQ

* Q: Why is the benitift of this?
* drop priviligies in "oneway" manner.
* Q: What is the advantage over `su` / `sudo`
* they do not drop priviligies they change user.
* `oneway` make use of kernel `PR_SET_NO_NEW_PRIVS`
* with `su` / `sudo` one might be able to escelate (ex. using `setuid` binaries)