From cd08d8def288783e0932a80e0387a96f3aa1c732 Mon Sep 17 00:00:00 2001 From: Olivier Benz Date: Fri, 9 Aug 2024 15:02:07 +0200 Subject: [PATCH 1/4] No sudo when run with rootless triplet - rootless triplet: -e NB_USER=root -e NB_UID=0 -e NB_GID=0 --- images/docker-stacks-foundation/start.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/images/docker-stacks-foundation/start.sh b/images/docker-stacks-foundation/start.sh index 33d12d801d..295ee26359 100755 --- a/images/docker-stacks-foundation/start.sh +++ b/images/docker-stacks-foundation/start.sh @@ -155,11 +155,14 @@ if [ "$(id -u)" == 0 ]; then unset_explicit_env_vars _log "Running as ${NB_USER}:" "${cmd[@]}" - exec sudo --preserve-env --set-home --user "${NB_USER}" \ - LD_LIBRARY_PATH="${LD_LIBRARY_PATH}" \ - PATH="${PATH}" \ - PYTHONPATH="${PYTHONPATH:-}" \ - "${cmd[@]}" + if [ "${NB_USER}" = "root" ] && [ "${NB_UID}" = "$(id -u "${NB_USER}")" ] && [ "${NB_GID}" = "$(id -g "${NB_USER}")" ]; then + HOME="/home/root" exec "${cmd[@]}" + else + exec sudo --preserve-env --set-home --user "${NB_USER}" \ + LD_LIBRARY_PATH="${LD_LIBRARY_PATH}" \ + PATH="${PATH}" \ + PYTHONPATH="${PYTHONPATH:-}" \ + "${cmd[@]}" # Notes on how we ensure that the environment that this container is started # with is preserved (except vars listed in JUPYTER_ENV_VARS_TO_UNSET) when # we transition from running as root to running as NB_USER. @@ -187,6 +190,7 @@ if [ "$(id -u)" == 0 ]; then # above in /etc/sudoers.d/path. Thus PATH is irrelevant to how the above # sudo command resolves the path of `${cmd[@]}`. The PATH will be relevant # for resolving paths of any subprocesses spawned by `${cmd[@]}`. + fi # The container didn't start as the root user, so we will have to act as the # user we started as. From da21ed16e2bd87c34d33f94662e58c8c82ae6d33 Mon Sep 17 00:00:00 2001 From: Olivier Benz Date: Sun, 11 Aug 2024 09:14:09 +0200 Subject: [PATCH 2/4] Add tests for rootless triplet --- .../test_user_options.py | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/tests/docker-stacks-foundation/test_user_options.py b/tests/docker-stacks-foundation/test_user_options.py index fb2b4625a6..5e6247b494 100644 --- a/tests/docker-stacks-foundation/test_user_options.py +++ b/tests/docker-stacks-foundation/test_user_options.py @@ -305,3 +305,41 @@ def test_startsh_multiple_exec(container: TrackedContainer) -> None: "WARNING: start.sh is the default ENTRYPOINT, do not include it in CMD" in warnings[0] ) + + +def test_rootless_triplet_change(container: TrackedContainer) -> None: + """Container should change the username (`NB_USER`), the UID and the GID of the default user.""" + logs = container.run_and_wait( + timeout=10, + tty=True, + user="root", + environment=["NB_USER=root", "NB_UID=0", "NB_GID=0"], + command=["id"], + ) + assert "uid=0(root)" in logs + assert "gid=0(root)" in logs + assert "groups=0(root)" in logs + + +def test_rootless_triplet_home(container: TrackedContainer) -> None: + """Container should change the home directory for triplet NB_USER=root, NB_UID=0, NB_GID=0.""" + logs = container.run_and_wait( + timeout=10, + tty=True, + user="root", + environment=["NB_USER=root", "NB_UID=0", "NB_GID=0"], + command=["env"], + ) + assert "HOME=/home/root" in logs + + +def test_rootless_triplet_sudo(container: TrackedContainer) -> None: + """Container should not be started with sudo for triplet NB_USER=root, NB_UID=0, NB_GID=0.""" + logs = container.run_and_wait( + timeout=10, + tty=True, + user="root", + environment=["NB_USER=root", "NB_UID=0", "NB_GID=0"], + command=["env"], + ) + assert "SUDO" not in logs From e28910e84c81a371ff86a631516ecfa2300be09d Mon Sep 17 00:00:00 2001 From: Olivier Benz Date: Sun, 11 Aug 2024 09:27:17 +0200 Subject: [PATCH 3/4] Update tests for rootless triplet --- tests/docker-stacks-foundation/test_user_options.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/docker-stacks-foundation/test_user_options.py b/tests/docker-stacks-foundation/test_user_options.py index 5e6247b494..aeb6cb04c4 100644 --- a/tests/docker-stacks-foundation/test_user_options.py +++ b/tests/docker-stacks-foundation/test_user_options.py @@ -328,9 +328,10 @@ def test_rootless_triplet_home(container: TrackedContainer) -> None: tty=True, user="root", environment=["NB_USER=root", "NB_UID=0", "NB_GID=0"], - command=["env"], + command=["echo HOME=${HOME} && getent passwd root"], ) assert "HOME=/home/root" in logs + assert "root:x:0:0:root:/home/root:/bin/bash" in logs def test_rootless_triplet_sudo(container: TrackedContainer) -> None: From 550a6cee313ea5ee5874b3d32dd864e88f1899fd Mon Sep 17 00:00:00 2001 From: Olivier Benz Date: Sun, 11 Aug 2024 09:30:01 +0200 Subject: [PATCH 4/4] Fix tests for rootless triplet --- tests/docker-stacks-foundation/test_user_options.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/docker-stacks-foundation/test_user_options.py b/tests/docker-stacks-foundation/test_user_options.py index aeb6cb04c4..1ef6ada35a 100644 --- a/tests/docker-stacks-foundation/test_user_options.py +++ b/tests/docker-stacks-foundation/test_user_options.py @@ -328,7 +328,7 @@ def test_rootless_triplet_home(container: TrackedContainer) -> None: tty=True, user="root", environment=["NB_USER=root", "NB_UID=0", "NB_GID=0"], - command=["echo HOME=${HOME} && getent passwd root"], + command=["bash", "-c", "echo HOME=${HOME} && getent passwd root"], ) assert "HOME=/home/root" in logs assert "root:x:0:0:root:/home/root:/bin/bash" in logs