| 2 |
DENIED
|
moderate
|
App\Entity\EntryComment {#1378
+user: Proxies\__CG__\App\Entity\User {#1371 …}
+entry: App\Entity\Entry {#1832 …}
+magazine: App\Entity\Magazine {#311
+icon: Proxies\__CG__\App\Entity\Image {#292 …}
+name: "linux@lemmy.ml"
+title: "linux"
+description: """
From Wikipedia, the free encyclopedia\n
\n
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
\n
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
\n
### Rules\n
\n
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
- No misinformation\n
- No NSFW content\n
- No hate speech, bigotry, etc\n
\n
### Related Communities\n
\n
- [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
- [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
- [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
- [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
\n
Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
"""
+rules: null
+subscriptionsCount: 1
+entryCount: 1406
+entryCommentCount: 28632
+postCount: 6
+postCommentCount: 214
+isAdult: false
+customCss: null
+lastActive: DateTime @1729583542 {#319
date: 2024-10-22 09:52:22.0 +02:00
}
+markedForDeletionAt: null
+tags: null
+moderators: Doctrine\ORM\PersistentCollection {#283 …}
+ownershipRequests: Doctrine\ORM\PersistentCollection {#279 …}
+moderatorRequests: Doctrine\ORM\PersistentCollection {#268 …}
+entries: Doctrine\ORM\PersistentCollection {#226 …}
+posts: Doctrine\ORM\PersistentCollection {#184 …}
+subscriptions: Doctrine\ORM\PersistentCollection {#246 …}
+bans: Doctrine\ORM\PersistentCollection {#163 …}
+reports: Doctrine\ORM\PersistentCollection {#149 …}
+badges: Doctrine\ORM\PersistentCollection {#127 …}
+logs: Doctrine\ORM\PersistentCollection {#117 …}
+awards: Doctrine\ORM\PersistentCollection {#106 …}
+categories: Doctrine\ORM\PersistentCollection {#93 …}
-id: 73
+apId: "linux@lemmy.ml"
+apProfileId: "https://lemmy.ml/c/linux"
+apPublicUrl: "https://lemmy.ml/c/linux"
+apFollowersUrl: "https://lemmy.ml/c/linux/followers"
+apInboxUrl: "https://lemmy.ml/inbox"
+apDomain: "lemmy.ml"
+apPreferredUsername: "linux"
+apDiscoverable: true
+apManuallyApprovesFollowers: null
+privateKey: null
+publicKey: null
+apFetchedAt: DateTime @1729583596 {#320
date: 2024-10-22 09:53:16.0 +02:00
}
+apDeletedAt: null
+apTimeoutAt: null
+visibility: "visible "
+createdAt: DateTimeImmutable @1698929468 {#314
date: 2023-11-02 13:51:08.0 +01:00
}
}
+image: null
+parent: Proxies\__CG__\App\Entity\EntryComment {#2353 …}
+root: Proxies\__CG__\App\Entity\EntryComment {#2451 …}
+body: """
If you can’t run `docker-compose` without `sudo`, there’s something wrong with your setup. The specifics would be specific to your distro, but most likely there’s a user group you could add your user to with `sudo gpasswd -a user group` to make the `docker run` and `docker-compose` commands work without `sudo`. (Might have to log out and back in as well to make it take effect if you’ve ran that command during the current session.) To find the name of the group, you’ll probably have to do some research about your distro in particular. On Arch (insert hate here ;) ), I think the `docker` group does that, and it’s not unlikely that the equivalent group for your distro has the same name.\n
\n
The “magical s” (called the “SUID bit”) shouldn’t be required to be able to run `docker run` and/or `docker-compose` without sudo. Theoretically if you *did* want to do that, you could do it with `sudo chmod u+s /usr/bin/docker`. But again it’s probably better to just add yourself to the proper group (or otherwise take the correct steps for your distro.)\n
\n
But also, running docker-compose (or the `docker run` command more directly) without sudo won’t necessarily make things *inside the docker container* run as your user. Making it do so is a little complex, actually, but I’ll go through it here.\n
\n
So, most Docker images that you’d get from Docker Hub or whatever usually run by default as root. If you do something like `docker run -v /path/to/some/directory/on/your/host:/dir -it python ‘touch /dir/foo’`, even if you’ve got your groups set up to be able to run `docker run` without sudo, it’ll create a file on your host named “foo” *owned by root*. Why? Because inside the container, the `touch /dir/foo` command ran as root.\n
\n
Honestly, I’d be thrilled if Docker had ways to tell it to be smarter about that kind of thing. Something that could make Docker create the file on the host owned by your user rather than root even if inside the container, the command that creates the file runs under the user *in the Docker container* that is root/uid 1.\n
\n
But that’s not how it works. If root inside the container creates the file, the host sees it as owned by root, which makes things a little more of a pain. C’est la vie.\n
\n
Now, this is a bit of an aside, but it helped me understand so I’ll go ahead and include it. It seems impossible that a command run by your user (assuming you’ve got your groups set up correctly) shouldn’t be able to create a file owned by root, right? If without sudo you try to `chown root:root some_file.txt`, it’ll tell you permission denied. And it’s not the `chown` command that’s denying you permission. It’s the Linux kernel telling the `chown` command that that’s not allowed. So how can it be that the `docker run` command can create files owned by root when `docker run` wasn’t run by root, but rather by a more restricted user?\n
\n
Docker has a daemon (called `dockerd`) that by default runs all the time as root, waiting for the `docker` command to direct it to do something. The `docker run` command doesn’t actually *run* the container. It talks to the daemon which is running as root and tells the daemon to start a container. Since it’s the daemon actually running the container and the daemon is running as root, commands inside the container are able to create files owned by root even if the `docker run` command is run by your own user.\n
\n
If you’re wondering, yes this is a security concern. Consider a command like `docker run -it -v /etc:/dir/etc alpine vi /dir/etc/sensitive/file`. That command, theoretically, could for instance allow a non-root user to change the host’s root password.\n
\n
How do you get around that? Well, there are ways to go about running the Docker daemon as a non-root user that I haven’t really looked into.\n
\n
Another concern is if, for instance, you’ve got a web service running as root inside a Docker container with a bind volume to the host and the web app has, for instance, a shell injection vulnerability wherein a user could cause a command to run as root *inside* the docker container which could affect sensitive files *outside.* To mitigate that issue, you could either not bind mount to the host filesystem at all or run the web service in the Docker container as a different user.\n
\n
And there are several ways to go about running a process in Docker as a non-root user.\n
\n
First, some Docker images will already be configured to ensure that what is run inside the container runs as non-root. (When making a Docker image, you specify that by having a `USER` directive in the Dockerfile.) Usually if things are done that way, the user will also be present in the relevent files in `/etc` in the image. But as I mentioned earlier, that’s usually not the case for images on Docker Hub.\n
\n
Next, if you’re using `docker-compose`, there’s a “user” option for setting the user.\n
\n
Another way to do this is with the `-u` argument on the `docker run` command. Something like `docker run -u 1000 -it alpine /bin/sh` will give you a shell process owned by the user with id 1000.\n
\n
Another way is to create the user and su to that user as part of the command passed to `docker run`. I’ve been known sometimes to do things like:\n
\n
```\n
\n
<span style="color:#323232;">docker run \n
</span><span style="color:#323232;">\t-it \n
</span><span style="color:#323232;">\talpine \n
</span><span style="color:#323232;">\tsh -c 'adduser tootsweet ; su tootsweet -c /bin/sh'\n
</span>\n
```\n
\n
The only other thing I can think to mention. Sometimes you want not just to run something in a Docker container not as root but in fact to run it as a user id that matches the user id of a particular user on the host. For instance so that files written to a bind volume end up being owned by the desired user so we can work with the files on the host. I honestly haven’t found the best way to deal with that. Mostly I’ve been dealing with that situation with the last method above. The `useradd` command allows you to add a user with a specific user id. But that’s problematic if the needed uid is already taken by a user in the container. So, so far I’ve kindof just been lucky on that score.\n
\n
Hopefully that all helps!\n
\n
Edit: P.S. apparently the way lemmy.world is set up, you can’t mention certain standard *nix file paths such as `/ e t c / p a s s w d` in posts. The post just isn’t accepted. The “reply” button grays out and the loading graphic spins forever with no error message and the post doesn’t get saved. I’m sure this is a misguided attempt at a security measure, but it definitely affects our ability to communicate about standard Linux kind of stuff.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 1
+score: 0
+lastActive: DateTime @1700689388 {#1602
date: 2023-11-22 22:43:08.0 +01:00
}
+ip: null
+tags: [
"323232"
]
+mentions: [
"@GustavoM@lemmy.world"
"@TootSweet@lemmy.world"
"@PlutoniumAcid@lemmy.world"
]
+children: Doctrine\ORM\PersistentCollection {#2476 …}
+nested: Doctrine\ORM\PersistentCollection {#2355 …}
+votes: Doctrine\ORM\PersistentCollection {#2428 …}
+reports: Doctrine\ORM\PersistentCollection {#2436 …}
+favourites: Doctrine\ORM\PersistentCollection {#2473 …}
+notifications: Doctrine\ORM\PersistentCollection {#1359 …}
-id: 152123
-bodyTs: "'/bin/sh':927,982 '/dir':269 '/dir/etc':652 '/dir/etc/sensitive/file':655 '/dir/foo':273,312 '/etc':651,867 '/path/to/some/directory/on/your/host':268 '/usr/bin/docker':173 '1':377 '1000':924,940 'abil':1205 'abl':145,285,457,614 'accept':1165 'actual':233,571,598 'add':36,182,1088 'addus':977 'affect':759,1203 'ahead':431 'allow':507,662,1085 'alpin':653,926,974 'alreadi':816,1105 'also':198,859 'and/or':150 'anoth':705,904,941 'app':734 'appar':1131 'arch':105 'argument':913 'around':679 'asid':421 'assum':445 'attempt':1195 'back':65 'best':1063 'better':179 'bind':726,771,1037 'bit':138,418 'button':1168 'c':410,976,981,1151 'call':135,543 'case':881 'caus':746 'certain':1142 'chang':669 'chmod':170 'chown':472,487,501 'command':55,79,207,313,361,440,488,502,517,558,568,609,626,645,657,748,918,957,1084 'communic':1207 'complex':232 'compos':8,54,153,202,894 'concern':642,706 'configur':818 'consid':643 'contain':220,309,359,373,389,574,592,601,612,723,756,787,827,1003,1112 'correct':192,453 'could':35,165,339,659,745,758,768 'creat':294,342,363,390,459,519,616,945 'current':82 'd':247,319,1157 'daemon':542,579,588,597,604,691 'deal':1066,1073 'default':257,547 'definit':1202 'deni':481,491 'desir':1045 'differ':790 'direct':209,560,845 'distro':25,101,127,196 'docker':7,49,53,112,148,152,201,205,219,243,250,265,288,323,341,372,515,525,539,557,566,624,647,690,722,755,786,804,813,836,885,893,916,921,960,971,1002 'docker-compos':6,52,151,200,892 'dockerd':544 'dockerfil':848 'doesn':569,1184 'done':853 'e':1149 'earlier':875 'edit':1129 'effect':73 'either':769 'end':1039 'ensur':820 'equival':123 'error':1179 'est':411 'even':274,355,621 'fact':1009 'far':1115 'file':296,344,365,392,461,520,617,761,865,1033,1053,1145 'filesystem':776 'find':85 'first':811 'foo':301 'forev':1176 'found':1061 'get':248,678,1186 'give':929 'go':237,430,686,798 'got':278,448,713 'gpasswd':42 'graphic':1174 'gray':1169 'group':33,45,90,113,124,187,280,450 'hate':107 'haven':700,1059 'help':424,1128 'honest':317,1058 'hope':1125 'host':299,347,394,671,730,775,1028,1056 'hub':251,886 'id':939,1016,1021,1095 'imag':244,814,837,870,883 'imposs':437 'includ':433 'inject':740 'insert':106 'insid':217,307,357,387,610,720,753,825 'instanc':661,710,737,1030 'isn':1163 'issu':766 'kernel':498 'kind':334,1211 'kindof':1118 'known':965 'la':412 'last':1079 'lemmy.world':1134 'like':28,264,646,920,970 'linux':497,1210 'littl':231,405 'll':92,236,293,429,477 'load':1173 'log':62 'look':703 'lucki':1121 'm':1189 'magic':133 'make':47,70,215,225,340,402,834 'match':1018 'measur':1199 'mention':874,991,1141 'messag':1180 'method':1080 'might':59 'misguid':1194 'mitig':764 'most':1069 'mount':772 'name':87,131,300 'necessarili':214 'need':1102 'next':887 'nix':1144 'non':665,695,808,831 'non-root':664,694,807,830 'option':899 'otherwis':189 'outsid':762 'own':302,348,398,462,521,618,934,1042 'p':1152 'p.s':1130 'pain':409 'part':954 'particular':103,1024 'pass':958 'password':674 'path':1146 'permiss':480,493 'post':1159,1161,1183 'present':861 'probabl':93,178 'problemat':1099 'process':802,933 'proper':186 'python':271 'ran':77,314 'rather':352,533 're':635,890 'realli':702 'relev':864 'repli':1167 'requir':142 'research':98 'restrict':537 'right':465 'root':259,304,316,354,386,400,464,473,474,523,531,553,584,608,620,666,673,696,719,752,809,832,1006 'root/uid':376 'run':5,50,147,149,199,206,221,255,266,287,289,366,441,516,526,529,548,567,572,582,599,606,625,628,648,688,717,750,780,800,824,828,917,922,961,972,998,1011 'save':1187 'score':1124 'secur':641,1198 'see':395 'seem':436 'sensit':760 'servic':716,783 'session':83 'set':281,451,901,1136 'setup':17 'sever':795 'sh':975 'shell':739,932 'shouldn':139,454 'sinc':593 'situat':1076 'smarter':331 'some_file.txt':475 'someth':13,263,337,564,919,999 'sometim':966,992 'specif':19,22,1093 'specifi':839 'spin':1175 'standard':1143,1209 'start':590 'step':193 'stuff':1213 'su':949,979 'sudo':10,41,58,155,169,211,291,468 'suid':137 'sure':1190 'take':72,190 'taken':1106 'talk':576 'tell':327,478,499,586 'theoret':156,658 'thing':216,336,403,851,969,986 'think':110,989 'thrill':321 'time':551 'tootsweet':978,980 'touch':272,311 'tri':470 'u':171,912,923 'uid':1103 'understand':426 'unlik':120 'use':891 'user':32,38,44,224,351,369,444,538,632,667,697,744,791,810,844,857,898,903,937,947,952,1015,1020,1025,1046,1090,1094,1109 'useradd':1083 'usual':254,849,878 'v':267,650 've':76,277,447,712,963,1071,1117 'vi':654 'vie':413 'volum':727,1038 'vulner':741 'w':1156 'wait':554 'want':160,994 'wasn':527 'way':325,684,796,855,905,942,1064,1133 'web':715,733,782 'well':68,681 'whatev':253 'wherein':742 'without':9,57,154,210,290,467 'won':212 'wonder':636 'work':56,384,1050 'would':20 'written':1034 'wrong':14 'yes':637"
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://lemmy.world/comment/5510619"
+editedAt: DateTimeImmutable @1701177039 {#1969
date: 2023-11-28 14:10:39.0 +01:00
}
+createdAt: DateTimeImmutable @1700689388 {#1399
date: 2023-11-22 22:43:08.0 +01:00
}
} |
| 3 |
DENIED
|
edit
|
App\Entity\EntryComment {#1378
+user: Proxies\__CG__\App\Entity\User {#1371 …}
+entry: App\Entity\Entry {#1832 …}
+magazine: App\Entity\Magazine {#311
+icon: Proxies\__CG__\App\Entity\Image {#292 …}
+name: "linux@lemmy.ml"
+title: "linux"
+description: """
From Wikipedia, the free encyclopedia\n
\n
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
\n
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
\n
### Rules\n
\n
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
- No misinformation\n
- No NSFW content\n
- No hate speech, bigotry, etc\n
\n
### Related Communities\n
\n
- [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
- [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
- [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
- [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
\n
Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
"""
+rules: null
+subscriptionsCount: 1
+entryCount: 1406
+entryCommentCount: 28632
+postCount: 6
+postCommentCount: 214
+isAdult: false
+customCss: null
+lastActive: DateTime @1729583542 {#319
date: 2024-10-22 09:52:22.0 +02:00
}
+markedForDeletionAt: null
+tags: null
+moderators: Doctrine\ORM\PersistentCollection {#283 …}
+ownershipRequests: Doctrine\ORM\PersistentCollection {#279 …}
+moderatorRequests: Doctrine\ORM\PersistentCollection {#268 …}
+entries: Doctrine\ORM\PersistentCollection {#226 …}
+posts: Doctrine\ORM\PersistentCollection {#184 …}
+subscriptions: Doctrine\ORM\PersistentCollection {#246 …}
+bans: Doctrine\ORM\PersistentCollection {#163 …}
+reports: Doctrine\ORM\PersistentCollection {#149 …}
+badges: Doctrine\ORM\PersistentCollection {#127 …}
+logs: Doctrine\ORM\PersistentCollection {#117 …}
+awards: Doctrine\ORM\PersistentCollection {#106 …}
+categories: Doctrine\ORM\PersistentCollection {#93 …}
-id: 73
+apId: "linux@lemmy.ml"
+apProfileId: "https://lemmy.ml/c/linux"
+apPublicUrl: "https://lemmy.ml/c/linux"
+apFollowersUrl: "https://lemmy.ml/c/linux/followers"
+apInboxUrl: "https://lemmy.ml/inbox"
+apDomain: "lemmy.ml"
+apPreferredUsername: "linux"
+apDiscoverable: true
+apManuallyApprovesFollowers: null
+privateKey: null
+publicKey: null
+apFetchedAt: DateTime @1729583596 {#320
date: 2024-10-22 09:53:16.0 +02:00
}
+apDeletedAt: null
+apTimeoutAt: null
+visibility: "visible "
+createdAt: DateTimeImmutable @1698929468 {#314
date: 2023-11-02 13:51:08.0 +01:00
}
}
+image: null
+parent: Proxies\__CG__\App\Entity\EntryComment {#2353 …}
+root: Proxies\__CG__\App\Entity\EntryComment {#2451 …}
+body: """
If you can’t run `docker-compose` without `sudo`, there’s something wrong with your setup. The specifics would be specific to your distro, but most likely there’s a user group you could add your user to with `sudo gpasswd -a user group` to make the `docker run` and `docker-compose` commands work without `sudo`. (Might have to log out and back in as well to make it take effect if you’ve ran that command during the current session.) To find the name of the group, you’ll probably have to do some research about your distro in particular. On Arch (insert hate here ;) ), I think the `docker` group does that, and it’s not unlikely that the equivalent group for your distro has the same name.\n
\n
The “magical s” (called the “SUID bit”) shouldn’t be required to be able to run `docker run` and/or `docker-compose` without sudo. Theoretically if you *did* want to do that, you could do it with `sudo chmod u+s /usr/bin/docker`. But again it’s probably better to just add yourself to the proper group (or otherwise take the correct steps for your distro.)\n
\n
But also, running docker-compose (or the `docker run` command more directly) without sudo won’t necessarily make things *inside the docker container* run as your user. Making it do so is a little complex, actually, but I’ll go through it here.\n
\n
So, most Docker images that you’d get from Docker Hub or whatever usually run by default as root. If you do something like `docker run -v /path/to/some/directory/on/your/host:/dir -it python ‘touch /dir/foo’`, even if you’ve got your groups set up to be able to run `docker run` without sudo, it’ll create a file on your host named “foo” *owned by root*. Why? Because inside the container, the `touch /dir/foo` command ran as root.\n
\n
Honestly, I’d be thrilled if Docker had ways to tell it to be smarter about that kind of thing. Something that could make Docker create the file on the host owned by your user rather than root even if inside the container, the command that creates the file runs under the user *in the Docker container* that is root/uid 1.\n
\n
But that’s not how it works. If root inside the container creates the file, the host sees it as owned by root, which makes things a little more of a pain. C’est la vie.\n
\n
Now, this is a bit of an aside, but it helped me understand so I’ll go ahead and include it. It seems impossible that a command run by your user (assuming you’ve got your groups set up correctly) shouldn’t be able to create a file owned by root, right? If without sudo you try to `chown root:root some_file.txt`, it’ll tell you permission denied. And it’s not the `chown` command that’s denying you permission. It’s the Linux kernel telling the `chown` command that that’s not allowed. So how can it be that the `docker run` command can create files owned by root when `docker run` wasn’t run by root, but rather by a more restricted user?\n
\n
Docker has a daemon (called `dockerd`) that by default runs all the time as root, waiting for the `docker` command to direct it to do something. The `docker run` command doesn’t actually *run* the container. It talks to the daemon which is running as root and tells the daemon to start a container. Since it’s the daemon actually running the container and the daemon is running as root, commands inside the container are able to create files owned by root even if the `docker run` command is run by your own user.\n
\n
If you’re wondering, yes this is a security concern. Consider a command like `docker run -it -v /etc:/dir/etc alpine vi /dir/etc/sensitive/file`. That command, theoretically, could for instance allow a non-root user to change the host’s root password.\n
\n
How do you get around that? Well, there are ways to go about running the Docker daemon as a non-root user that I haven’t really looked into.\n
\n
Another concern is if, for instance, you’ve got a web service running as root inside a Docker container with a bind volume to the host and the web app has, for instance, a shell injection vulnerability wherein a user could cause a command to run as root *inside* the docker container which could affect sensitive files *outside.* To mitigate that issue, you could either not bind mount to the host filesystem at all or run the web service in the Docker container as a different user.\n
\n
And there are several ways to go about running a process in Docker as a non-root user.\n
\n
First, some Docker images will already be configured to ensure that what is run inside the container runs as non-root. (When making a Docker image, you specify that by having a `USER` directive in the Dockerfile.) Usually if things are done that way, the user will also be present in the relevent files in `/etc` in the image. But as I mentioned earlier, that’s usually not the case for images on Docker Hub.\n
\n
Next, if you’re using `docker-compose`, there’s a “user” option for setting the user.\n
\n
Another way to do this is with the `-u` argument on the `docker run` command. Something like `docker run -u 1000 -it alpine /bin/sh` will give you a shell process owned by the user with id 1000.\n
\n
Another way is to create the user and su to that user as part of the command passed to `docker run`. I’ve been known sometimes to do things like:\n
\n
```\n
\n
<span style="color:#323232;">docker run \n
</span><span style="color:#323232;">\t-it \n
</span><span style="color:#323232;">\talpine \n
</span><span style="color:#323232;">\tsh -c 'adduser tootsweet ; su tootsweet -c /bin/sh'\n
</span>\n
```\n
\n
The only other thing I can think to mention. Sometimes you want not just to run something in a Docker container not as root but in fact to run it as a user id that matches the user id of a particular user on the host. For instance so that files written to a bind volume end up being owned by the desired user so we can work with the files on the host. I honestly haven’t found the best way to deal with that. Mostly I’ve been dealing with that situation with the last method above. The `useradd` command allows you to add a user with a specific user id. But that’s problematic if the needed uid is already taken by a user in the container. So, so far I’ve kindof just been lucky on that score.\n
\n
Hopefully that all helps!\n
\n
Edit: P.S. apparently the way lemmy.world is set up, you can’t mention certain standard *nix file paths such as `/ e t c / p a s s w d` in posts. The post just isn’t accepted. The “reply” button grays out and the loading graphic spins forever with no error message and the post doesn’t get saved. I’m sure this is a misguided attempt at a security measure, but it definitely affects our ability to communicate about standard Linux kind of stuff.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 1
+score: 0
+lastActive: DateTime @1700689388 {#1602
date: 2023-11-22 22:43:08.0 +01:00
}
+ip: null
+tags: [
"323232"
]
+mentions: [
"@GustavoM@lemmy.world"
"@TootSweet@lemmy.world"
"@PlutoniumAcid@lemmy.world"
]
+children: Doctrine\ORM\PersistentCollection {#2476 …}
+nested: Doctrine\ORM\PersistentCollection {#2355 …}
+votes: Doctrine\ORM\PersistentCollection {#2428 …}
+reports: Doctrine\ORM\PersistentCollection {#2436 …}
+favourites: Doctrine\ORM\PersistentCollection {#2473 …}
+notifications: Doctrine\ORM\PersistentCollection {#1359 …}
-id: 152123
-bodyTs: "'/bin/sh':927,982 '/dir':269 '/dir/etc':652 '/dir/etc/sensitive/file':655 '/dir/foo':273,312 '/etc':651,867 '/path/to/some/directory/on/your/host':268 '/usr/bin/docker':173 '1':377 '1000':924,940 'abil':1205 'abl':145,285,457,614 'accept':1165 'actual':233,571,598 'add':36,182,1088 'addus':977 'affect':759,1203 'ahead':431 'allow':507,662,1085 'alpin':653,926,974 'alreadi':816,1105 'also':198,859 'and/or':150 'anoth':705,904,941 'app':734 'appar':1131 'arch':105 'argument':913 'around':679 'asid':421 'assum':445 'attempt':1195 'back':65 'best':1063 'better':179 'bind':726,771,1037 'bit':138,418 'button':1168 'c':410,976,981,1151 'call':135,543 'case':881 'caus':746 'certain':1142 'chang':669 'chmod':170 'chown':472,487,501 'command':55,79,207,313,361,440,488,502,517,558,568,609,626,645,657,748,918,957,1084 'communic':1207 'complex':232 'compos':8,54,153,202,894 'concern':642,706 'configur':818 'consid':643 'contain':220,309,359,373,389,574,592,601,612,723,756,787,827,1003,1112 'correct':192,453 'could':35,165,339,659,745,758,768 'creat':294,342,363,390,459,519,616,945 'current':82 'd':247,319,1157 'daemon':542,579,588,597,604,691 'deal':1066,1073 'default':257,547 'definit':1202 'deni':481,491 'desir':1045 'differ':790 'direct':209,560,845 'distro':25,101,127,196 'docker':7,49,53,112,148,152,201,205,219,243,250,265,288,323,341,372,515,525,539,557,566,624,647,690,722,755,786,804,813,836,885,893,916,921,960,971,1002 'docker-compos':6,52,151,200,892 'dockerd':544 'dockerfil':848 'doesn':569,1184 'done':853 'e':1149 'earlier':875 'edit':1129 'effect':73 'either':769 'end':1039 'ensur':820 'equival':123 'error':1179 'est':411 'even':274,355,621 'fact':1009 'far':1115 'file':296,344,365,392,461,520,617,761,865,1033,1053,1145 'filesystem':776 'find':85 'first':811 'foo':301 'forev':1176 'found':1061 'get':248,678,1186 'give':929 'go':237,430,686,798 'got':278,448,713 'gpasswd':42 'graphic':1174 'gray':1169 'group':33,45,90,113,124,187,280,450 'hate':107 'haven':700,1059 'help':424,1128 'honest':317,1058 'hope':1125 'host':299,347,394,671,730,775,1028,1056 'hub':251,886 'id':939,1016,1021,1095 'imag':244,814,837,870,883 'imposs':437 'includ':433 'inject':740 'insert':106 'insid':217,307,357,387,610,720,753,825 'instanc':661,710,737,1030 'isn':1163 'issu':766 'kernel':498 'kind':334,1211 'kindof':1118 'known':965 'la':412 'last':1079 'lemmy.world':1134 'like':28,264,646,920,970 'linux':497,1210 'littl':231,405 'll':92,236,293,429,477 'load':1173 'log':62 'look':703 'lucki':1121 'm':1189 'magic':133 'make':47,70,215,225,340,402,834 'match':1018 'measur':1199 'mention':874,991,1141 'messag':1180 'method':1080 'might':59 'misguid':1194 'mitig':764 'most':1069 'mount':772 'name':87,131,300 'necessarili':214 'need':1102 'next':887 'nix':1144 'non':665,695,808,831 'non-root':664,694,807,830 'option':899 'otherwis':189 'outsid':762 'own':302,348,398,462,521,618,934,1042 'p':1152 'p.s':1130 'pain':409 'part':954 'particular':103,1024 'pass':958 'password':674 'path':1146 'permiss':480,493 'post':1159,1161,1183 'present':861 'probabl':93,178 'problemat':1099 'process':802,933 'proper':186 'python':271 'ran':77,314 'rather':352,533 're':635,890 'realli':702 'relev':864 'repli':1167 'requir':142 'research':98 'restrict':537 'right':465 'root':259,304,316,354,386,400,464,473,474,523,531,553,584,608,620,666,673,696,719,752,809,832,1006 'root/uid':376 'run':5,50,147,149,199,206,221,255,266,287,289,366,441,516,526,529,548,567,572,582,599,606,625,628,648,688,717,750,780,800,824,828,917,922,961,972,998,1011 'save':1187 'score':1124 'secur':641,1198 'see':395 'seem':436 'sensit':760 'servic':716,783 'session':83 'set':281,451,901,1136 'setup':17 'sever':795 'sh':975 'shell':739,932 'shouldn':139,454 'sinc':593 'situat':1076 'smarter':331 'some_file.txt':475 'someth':13,263,337,564,919,999 'sometim':966,992 'specif':19,22,1093 'specifi':839 'spin':1175 'standard':1143,1209 'start':590 'step':193 'stuff':1213 'su':949,979 'sudo':10,41,58,155,169,211,291,468 'suid':137 'sure':1190 'take':72,190 'taken':1106 'talk':576 'tell':327,478,499,586 'theoret':156,658 'thing':216,336,403,851,969,986 'think':110,989 'thrill':321 'time':551 'tootsweet':978,980 'touch':272,311 'tri':470 'u':171,912,923 'uid':1103 'understand':426 'unlik':120 'use':891 'user':32,38,44,224,351,369,444,538,632,667,697,744,791,810,844,857,898,903,937,947,952,1015,1020,1025,1046,1090,1094,1109 'useradd':1083 'usual':254,849,878 'v':267,650 've':76,277,447,712,963,1071,1117 'vi':654 'vie':413 'volum':727,1038 'vulner':741 'w':1156 'wait':554 'want':160,994 'wasn':527 'way':325,684,796,855,905,942,1064,1133 'web':715,733,782 'well':68,681 'whatev':253 'wherein':742 'without':9,57,154,210,290,467 'won':212 'wonder':636 'work':56,384,1050 'would':20 'written':1034 'wrong':14 'yes':637"
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://lemmy.world/comment/5510619"
+editedAt: DateTimeImmutable @1701177039 {#1969
date: 2023-11-28 14:10:39.0 +01:00
}
+createdAt: DateTimeImmutable @1700689388 {#1399
date: 2023-11-22 22:43:08.0 +01:00
}
} |
| 4 |
DENIED
|
moderate
|
App\Entity\EntryComment {#1378
+user: Proxies\__CG__\App\Entity\User {#1371 …}
+entry: App\Entity\Entry {#1832 …}
+magazine: App\Entity\Magazine {#311
+icon: Proxies\__CG__\App\Entity\Image {#292 …}
+name: "linux@lemmy.ml"
+title: "linux"
+description: """
From Wikipedia, the free encyclopedia\n
\n
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).\n
\n
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.\n
\n
### Rules\n
\n
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.\n
- No misinformation\n
- No NSFW content\n
- No hate speech, bigotry, etc\n
\n
### Related Communities\n
\n
- [!opensource@lemmy.ml](https://lemmy.ml/c/opensource)\n
- [!libre_culture@lemmy.ml](https://lemmy.ml/c/libre_culture)\n
- [!technology@lemmy.ml](https://lemmy.ml/c/technology)\n
- [!libre_hardware@lemmy.ml](https://lemmy.ml/c/libre_hardware)\n
\n
Community icon by [Alpár-Etele Méder](https://www.iconfinder.com/pocike), licensed under [CC BY 3.0](https://creativecommons.org/licenses/by/3.0/)
"""
+rules: null
+subscriptionsCount: 1
+entryCount: 1406
+entryCommentCount: 28632
+postCount: 6
+postCommentCount: 214
+isAdult: false
+customCss: null
+lastActive: DateTime @1729583542 {#319
date: 2024-10-22 09:52:22.0 +02:00
}
+markedForDeletionAt: null
+tags: null
+moderators: Doctrine\ORM\PersistentCollection {#283 …}
+ownershipRequests: Doctrine\ORM\PersistentCollection {#279 …}
+moderatorRequests: Doctrine\ORM\PersistentCollection {#268 …}
+entries: Doctrine\ORM\PersistentCollection {#226 …}
+posts: Doctrine\ORM\PersistentCollection {#184 …}
+subscriptions: Doctrine\ORM\PersistentCollection {#246 …}
+bans: Doctrine\ORM\PersistentCollection {#163 …}
+reports: Doctrine\ORM\PersistentCollection {#149 …}
+badges: Doctrine\ORM\PersistentCollection {#127 …}
+logs: Doctrine\ORM\PersistentCollection {#117 …}
+awards: Doctrine\ORM\PersistentCollection {#106 …}
+categories: Doctrine\ORM\PersistentCollection {#93 …}
-id: 73
+apId: "linux@lemmy.ml"
+apProfileId: "https://lemmy.ml/c/linux"
+apPublicUrl: "https://lemmy.ml/c/linux"
+apFollowersUrl: "https://lemmy.ml/c/linux/followers"
+apInboxUrl: "https://lemmy.ml/inbox"
+apDomain: "lemmy.ml"
+apPreferredUsername: "linux"
+apDiscoverable: true
+apManuallyApprovesFollowers: null
+privateKey: null
+publicKey: null
+apFetchedAt: DateTime @1729583596 {#320
date: 2024-10-22 09:53:16.0 +02:00
}
+apDeletedAt: null
+apTimeoutAt: null
+visibility: "visible "
+createdAt: DateTimeImmutable @1698929468 {#314
date: 2023-11-02 13:51:08.0 +01:00
}
}
+image: null
+parent: Proxies\__CG__\App\Entity\EntryComment {#2353 …}
+root: Proxies\__CG__\App\Entity\EntryComment {#2451 …}
+body: """
If you can’t run `docker-compose` without `sudo`, there’s something wrong with your setup. The specifics would be specific to your distro, but most likely there’s a user group you could add your user to with `sudo gpasswd -a user group` to make the `docker run` and `docker-compose` commands work without `sudo`. (Might have to log out and back in as well to make it take effect if you’ve ran that command during the current session.) To find the name of the group, you’ll probably have to do some research about your distro in particular. On Arch (insert hate here ;) ), I think the `docker` group does that, and it’s not unlikely that the equivalent group for your distro has the same name.\n
\n
The “magical s” (called the “SUID bit”) shouldn’t be required to be able to run `docker run` and/or `docker-compose` without sudo. Theoretically if you *did* want to do that, you could do it with `sudo chmod u+s /usr/bin/docker`. But again it’s probably better to just add yourself to the proper group (or otherwise take the correct steps for your distro.)\n
\n
But also, running docker-compose (or the `docker run` command more directly) without sudo won’t necessarily make things *inside the docker container* run as your user. Making it do so is a little complex, actually, but I’ll go through it here.\n
\n
So, most Docker images that you’d get from Docker Hub or whatever usually run by default as root. If you do something like `docker run -v /path/to/some/directory/on/your/host:/dir -it python ‘touch /dir/foo’`, even if you’ve got your groups set up to be able to run `docker run` without sudo, it’ll create a file on your host named “foo” *owned by root*. Why? Because inside the container, the `touch /dir/foo` command ran as root.\n
\n
Honestly, I’d be thrilled if Docker had ways to tell it to be smarter about that kind of thing. Something that could make Docker create the file on the host owned by your user rather than root even if inside the container, the command that creates the file runs under the user *in the Docker container* that is root/uid 1.\n
\n
But that’s not how it works. If root inside the container creates the file, the host sees it as owned by root, which makes things a little more of a pain. C’est la vie.\n
\n
Now, this is a bit of an aside, but it helped me understand so I’ll go ahead and include it. It seems impossible that a command run by your user (assuming you’ve got your groups set up correctly) shouldn’t be able to create a file owned by root, right? If without sudo you try to `chown root:root some_file.txt`, it’ll tell you permission denied. And it’s not the `chown` command that’s denying you permission. It’s the Linux kernel telling the `chown` command that that’s not allowed. So how can it be that the `docker run` command can create files owned by root when `docker run` wasn’t run by root, but rather by a more restricted user?\n
\n
Docker has a daemon (called `dockerd`) that by default runs all the time as root, waiting for the `docker` command to direct it to do something. The `docker run` command doesn’t actually *run* the container. It talks to the daemon which is running as root and tells the daemon to start a container. Since it’s the daemon actually running the container and the daemon is running as root, commands inside the container are able to create files owned by root even if the `docker run` command is run by your own user.\n
\n
If you’re wondering, yes this is a security concern. Consider a command like `docker run -it -v /etc:/dir/etc alpine vi /dir/etc/sensitive/file`. That command, theoretically, could for instance allow a non-root user to change the host’s root password.\n
\n
How do you get around that? Well, there are ways to go about running the Docker daemon as a non-root user that I haven’t really looked into.\n
\n
Another concern is if, for instance, you’ve got a web service running as root inside a Docker container with a bind volume to the host and the web app has, for instance, a shell injection vulnerability wherein a user could cause a command to run as root *inside* the docker container which could affect sensitive files *outside.* To mitigate that issue, you could either not bind mount to the host filesystem at all or run the web service in the Docker container as a different user.\n
\n
And there are several ways to go about running a process in Docker as a non-root user.\n
\n
First, some Docker images will already be configured to ensure that what is run inside the container runs as non-root. (When making a Docker image, you specify that by having a `USER` directive in the Dockerfile.) Usually if things are done that way, the user will also be present in the relevent files in `/etc` in the image. But as I mentioned earlier, that’s usually not the case for images on Docker Hub.\n
\n
Next, if you’re using `docker-compose`, there’s a “user” option for setting the user.\n
\n
Another way to do this is with the `-u` argument on the `docker run` command. Something like `docker run -u 1000 -it alpine /bin/sh` will give you a shell process owned by the user with id 1000.\n
\n
Another way is to create the user and su to that user as part of the command passed to `docker run`. I’ve been known sometimes to do things like:\n
\n
```\n
\n
<span style="color:#323232;">docker run \n
</span><span style="color:#323232;">\t-it \n
</span><span style="color:#323232;">\talpine \n
</span><span style="color:#323232;">\tsh -c 'adduser tootsweet ; su tootsweet -c /bin/sh'\n
</span>\n
```\n
\n
The only other thing I can think to mention. Sometimes you want not just to run something in a Docker container not as root but in fact to run it as a user id that matches the user id of a particular user on the host. For instance so that files written to a bind volume end up being owned by the desired user so we can work with the files on the host. I honestly haven’t found the best way to deal with that. Mostly I’ve been dealing with that situation with the last method above. The `useradd` command allows you to add a user with a specific user id. But that’s problematic if the needed uid is already taken by a user in the container. So, so far I’ve kindof just been lucky on that score.\n
\n
Hopefully that all helps!\n
\n
Edit: P.S. apparently the way lemmy.world is set up, you can’t mention certain standard *nix file paths such as `/ e t c / p a s s w d` in posts. The post just isn’t accepted. The “reply” button grays out and the loading graphic spins forever with no error message and the post doesn’t get saved. I’m sure this is a misguided attempt at a security measure, but it definitely affects our ability to communicate about standard Linux kind of stuff.
"""
+lang: "en"
+isAdult: false
+favouriteCount: 1
+score: 0
+lastActive: DateTime @1700689388 {#1602
date: 2023-11-22 22:43:08.0 +01:00
}
+ip: null
+tags: [
"323232"
]
+mentions: [
"@GustavoM@lemmy.world"
"@TootSweet@lemmy.world"
"@PlutoniumAcid@lemmy.world"
]
+children: Doctrine\ORM\PersistentCollection {#2476 …}
+nested: Doctrine\ORM\PersistentCollection {#2355 …}
+votes: Doctrine\ORM\PersistentCollection {#2428 …}
+reports: Doctrine\ORM\PersistentCollection {#2436 …}
+favourites: Doctrine\ORM\PersistentCollection {#2473 …}
+notifications: Doctrine\ORM\PersistentCollection {#1359 …}
-id: 152123
-bodyTs: "'/bin/sh':927,982 '/dir':269 '/dir/etc':652 '/dir/etc/sensitive/file':655 '/dir/foo':273,312 '/etc':651,867 '/path/to/some/directory/on/your/host':268 '/usr/bin/docker':173 '1':377 '1000':924,940 'abil':1205 'abl':145,285,457,614 'accept':1165 'actual':233,571,598 'add':36,182,1088 'addus':977 'affect':759,1203 'ahead':431 'allow':507,662,1085 'alpin':653,926,974 'alreadi':816,1105 'also':198,859 'and/or':150 'anoth':705,904,941 'app':734 'appar':1131 'arch':105 'argument':913 'around':679 'asid':421 'assum':445 'attempt':1195 'back':65 'best':1063 'better':179 'bind':726,771,1037 'bit':138,418 'button':1168 'c':410,976,981,1151 'call':135,543 'case':881 'caus':746 'certain':1142 'chang':669 'chmod':170 'chown':472,487,501 'command':55,79,207,313,361,440,488,502,517,558,568,609,626,645,657,748,918,957,1084 'communic':1207 'complex':232 'compos':8,54,153,202,894 'concern':642,706 'configur':818 'consid':643 'contain':220,309,359,373,389,574,592,601,612,723,756,787,827,1003,1112 'correct':192,453 'could':35,165,339,659,745,758,768 'creat':294,342,363,390,459,519,616,945 'current':82 'd':247,319,1157 'daemon':542,579,588,597,604,691 'deal':1066,1073 'default':257,547 'definit':1202 'deni':481,491 'desir':1045 'differ':790 'direct':209,560,845 'distro':25,101,127,196 'docker':7,49,53,112,148,152,201,205,219,243,250,265,288,323,341,372,515,525,539,557,566,624,647,690,722,755,786,804,813,836,885,893,916,921,960,971,1002 'docker-compos':6,52,151,200,892 'dockerd':544 'dockerfil':848 'doesn':569,1184 'done':853 'e':1149 'earlier':875 'edit':1129 'effect':73 'either':769 'end':1039 'ensur':820 'equival':123 'error':1179 'est':411 'even':274,355,621 'fact':1009 'far':1115 'file':296,344,365,392,461,520,617,761,865,1033,1053,1145 'filesystem':776 'find':85 'first':811 'foo':301 'forev':1176 'found':1061 'get':248,678,1186 'give':929 'go':237,430,686,798 'got':278,448,713 'gpasswd':42 'graphic':1174 'gray':1169 'group':33,45,90,113,124,187,280,450 'hate':107 'haven':700,1059 'help':424,1128 'honest':317,1058 'hope':1125 'host':299,347,394,671,730,775,1028,1056 'hub':251,886 'id':939,1016,1021,1095 'imag':244,814,837,870,883 'imposs':437 'includ':433 'inject':740 'insert':106 'insid':217,307,357,387,610,720,753,825 'instanc':661,710,737,1030 'isn':1163 'issu':766 'kernel':498 'kind':334,1211 'kindof':1118 'known':965 'la':412 'last':1079 'lemmy.world':1134 'like':28,264,646,920,970 'linux':497,1210 'littl':231,405 'll':92,236,293,429,477 'load':1173 'log':62 'look':703 'lucki':1121 'm':1189 'magic':133 'make':47,70,215,225,340,402,834 'match':1018 'measur':1199 'mention':874,991,1141 'messag':1180 'method':1080 'might':59 'misguid':1194 'mitig':764 'most':1069 'mount':772 'name':87,131,300 'necessarili':214 'need':1102 'next':887 'nix':1144 'non':665,695,808,831 'non-root':664,694,807,830 'option':899 'otherwis':189 'outsid':762 'own':302,348,398,462,521,618,934,1042 'p':1152 'p.s':1130 'pain':409 'part':954 'particular':103,1024 'pass':958 'password':674 'path':1146 'permiss':480,493 'post':1159,1161,1183 'present':861 'probabl':93,178 'problemat':1099 'process':802,933 'proper':186 'python':271 'ran':77,314 'rather':352,533 're':635,890 'realli':702 'relev':864 'repli':1167 'requir':142 'research':98 'restrict':537 'right':465 'root':259,304,316,354,386,400,464,473,474,523,531,553,584,608,620,666,673,696,719,752,809,832,1006 'root/uid':376 'run':5,50,147,149,199,206,221,255,266,287,289,366,441,516,526,529,548,567,572,582,599,606,625,628,648,688,717,750,780,800,824,828,917,922,961,972,998,1011 'save':1187 'score':1124 'secur':641,1198 'see':395 'seem':436 'sensit':760 'servic':716,783 'session':83 'set':281,451,901,1136 'setup':17 'sever':795 'sh':975 'shell':739,932 'shouldn':139,454 'sinc':593 'situat':1076 'smarter':331 'some_file.txt':475 'someth':13,263,337,564,919,999 'sometim':966,992 'specif':19,22,1093 'specifi':839 'spin':1175 'standard':1143,1209 'start':590 'step':193 'stuff':1213 'su':949,979 'sudo':10,41,58,155,169,211,291,468 'suid':137 'sure':1190 'take':72,190 'taken':1106 'talk':576 'tell':327,478,499,586 'theoret':156,658 'thing':216,336,403,851,969,986 'think':110,989 'thrill':321 'time':551 'tootsweet':978,980 'touch':272,311 'tri':470 'u':171,912,923 'uid':1103 'understand':426 'unlik':120 'use':891 'user':32,38,44,224,351,369,444,538,632,667,697,744,791,810,844,857,898,903,937,947,952,1015,1020,1025,1046,1090,1094,1109 'useradd':1083 'usual':254,849,878 'v':267,650 've':76,277,447,712,963,1071,1117 'vi':654 'vie':413 'volum':727,1038 'vulner':741 'w':1156 'wait':554 'want':160,994 'wasn':527 'way':325,684,796,855,905,942,1064,1133 'web':715,733,782 'well':68,681 'whatev':253 'wherein':742 'without':9,57,154,210,290,467 'won':212 'wonder':636 'work':56,384,1050 'would':20 'written':1034 'wrong':14 'yes':637"
+ranking: 0
+commentCount: 0
+upVotes: 0
+downVotes: 0
+visibility: "visible "
+apId: "https://lemmy.world/comment/5510619"
+editedAt: DateTimeImmutable @1701177039 {#1969
date: 2023-11-28 14:10:39.0 +01:00
}
+createdAt: DateTimeImmutable @1700689388 {#1399
date: 2023-11-22 22:43:08.0 +01:00
}
} |