Re: s6-applyuidgid mode 0700

From: Johannes Nixdorf <mixi_at_shadowice.org>
Date: Sun, 9 Jan 2022 16:28:17 +0100

In case it actually went out: sorry for the first reply without content
- I prematurely pressed "send".

On Sun, Jan 09, 2022 at 10:30:54AM +0000, Laurent Bercot wrote:
> As you said, it would do no good for normal users to run these
> programs, so there's no point in giving them the necessary permissions.

When packaging your software, this was one of the only upstream defaults
I changed. I encountered several cases where a user might want to use
those binaries, and did not want the software authors policy to be in
the way there:

 - generating an initramfs (s6-mount was the culprit if I remember
   correctly)
 - more generally generating any kind of rootfs / copying a working
   binary from a machine where you are not root to one where you are
 - User namespaces: I tend to play with namespaces with a shared,
   ro-mounted /, but isolated /home to isolate random software. Inside
   those namespaces I start as "root" with an unshared mount namespace,
   so s6-*uidgid and s6-*mount are nice to have access to
Received on Sun Jan 09 2022 - 16:28:17 CET

This archive was generated by hypermail 2.4.0 : Sun Jan 09 2022 - 16:28:47 CET