create/enter: add unshare-groups flag, do proper su login only on usn…

…hare-groups and initful containers. Fix 89luca89#1208

Signed-off-by: Luca Di Maio <[email protected]>

distrobox-create

@@ -71,6 +71,7 @@ non_interactive=0
 nvidia=0
 nopasswd=0
 unshare_ipc=0
+unshare_groups=0
 unshare_netns=0
 unshare_process=0
 unshare_devsys=0
@@ -191,6 +192,7 @@ Options:
 				may require additional packages depending on the container image: https://github.com/89luca89/distrobox/blob/main/docs/useful_tips.md#using-init-system-inside-a-distrobox
 	--nvidia:		try to integrate host's nVidia drivers in the guest
 	--unshare-devsys:          do not share host devices and sysfs dirs from host
+	--unshare-groups:          do not forward user's additional groups into the container
 	--unshare-ipc:          do not share ipc namespace with host
 	--unshare-netns:        do not share the net namespace with host
 	--unshare-process:          do not share process namespace with host
@@ -278,12 +280,17 @@ while :; do
 		-I | --init)
 			shift
 			init=1
+			unshare_groups=1
 			unshare_process=1
 			;;
 		--unshare-ipc)
 			shift
 			unshare_ipc=1
 			;;
+		--unshare-groups)
+			shift
+			unshare_groups=1
+			;;
 		--unshare-netns)
 			shift
 			unshare_netns=1
@@ -298,10 +305,11 @@ while :; do
 			;;
 		--unshare-all)
 			shift
+			unshare_devsys=1
+			unshare_groups=1
 			unshare_ipc=1
 			unshare_netns=1
 			unshare_process=1
-			unshare_devsys=1
 			;;
 		-C | --compatibility)
 			show_compatibility
@@ -599,6 +607,7 @@ generate_command() {
 	# utilities.
 	result_command="${result_command}
 		--label \"manager=distrobox\"
+		--label \"distrobox.unshare_groups=${unshare_groups}\"
 		--env \"SHELL=$(basename "${SHELL:-"/bin/bash"}")\"
 		--env \"HOME=${container_user_home}\"
 		--env \"container=${container_manager}\"
@@ -790,6 +799,7 @@ generate_command() {
 	# container manager is podman.
 	if echo "${container_manager}" | grep -q "podman"; then
 		result_command="${result_command}
+			--annotation run.oci.keep_original_groups=1
 			--ulimit host"
 
 		if [ "${init}" -eq 1 ]; then

distrobox-enter

@@ -55,6 +55,7 @@ if { [ -n "${SUDO_USER}" ] || [ -n "${DOAS_USER}" ]; } && [ "$(id -ru)" -eq 0 ];
 fi
 
 # Defaults
+container_command_prefix="sh -c"
 container_command=""
 container_image_default="registry.fedoraproject.org/fedora-toolbox:39"
 container_manager="autodetect"
@@ -140,7 +141,7 @@ Usage:
 Options:
 
 	--name/-n:		name for the distrobox						default: my-distrobox
-	--/-e:			end arguments execute the rest as command to execute at login	default: su ${USER}
+	--/-e:			end arguments execute the rest as command to execute at login	default: default ${USER}'s shell
 	--no-tty/-T:		do not instantiate a tty
 	--no-workdir/-nw:	always start the container from container's home directory
 	--additional-flags/-a:	additional flags to pass to the container manager command
@@ -313,8 +314,21 @@ generate_command() {
 		--interactive"
 	result_command="${result_command}
 		--detach-keys=\"\""
-	result_command="${result_command}
-		--user='root'"
+
+	if [ "${unshare_groups:-0}" -eq 1 ]; then
+		result_command="${result_command}
+			--user='root'"
+		# We use `su` to become the designed user, this triggers a proper login
+		# and we instantiate a proper pty with it
+		if [ "${headless}" -eq 0 ]; then
+			container_command_prefix="su --pty ${USER} -c"
+		else
+			container_command_prefix="su ${USER} -c"
+		fi
+	else
+		result_command="${result_command}
+		--user=\"${USER}"\"
+	fi
 
 	# For some usage, like use in service, or launched by non-terminal
 	# eg. from desktop files, TTY can fail to instantiate, and fail to enter
@@ -442,20 +456,14 @@ generate_command() {
 	result_command="${result_command}
 		${container_name}"
 
-	# We use `su` to become the designed user, this triggers a proper login
-	# and we instantiate a proper pty with it
-	su_pty=""
-	if [ "${headless}" -eq 0 ]; then
-		su_pty="--pty"
-	fi
 	if [ -n "${container_command}" ]; then
 		result_command="${result_command}
-			su ${su_pty} ${USER} -c \"${container_command}\""
+			${container_command_prefix} \"${container_command}\""
 	else
 		# if no command was specified, let's execute a command that will find
 		# and run the default shell for the user
 		result_command="${result_command}
-			su ${su_pty} ${USER} -c \"\\\$(getent passwd ${USER} | cut -f 7 -d :) -l\""
+			${container_command_prefix} \"\\\$(getent passwd ${USER} | cut -f 7 -d :) -l\""
 	fi
 
 	# Return generated command.
@@ -464,22 +472,24 @@ generate_command() {
 
 container_home="${HOME}"
 container_path="${PATH}"
-# dry run mode, just generate the command and print it. No execution.
-if [ "${dryrun}" -ne 0 ]; then
-	cmd="$(generate_command)"
-	cmd="$(echo "${cmd}" | sed 's/\t//g')"
-	printf "%s\n" "${cmd}"
-	exit 0
-fi
-
+unshare_groups=0
 # Now inspect the container we're working with.
 container_status="unknown"
 eval "$(${container_manager} inspect --type container --format \
 	'container_status={{.State.Status}};
+	unshare_groups={{ index .Config.Labels "distrobox.unshare_groups" }};
 	{{range .Config.Env}}{{if slice . 0 5 | eq "HOME="}}container_home={{slice . 5 | printf "%q"}};{{end}}{{end}}
 	{{range .Config.Env}}{{if slice . 0 5 | eq "PATH="}}container_path={{slice . 5 | printf "%q"}}{{end}}{{end}}' \
 	"${container_name}")"
 
+# dry run mode, just generate the command and print it. No execution.
+if [ "${dryrun}" -ne 0 ]; then
+	cmd="$(generate_command)"
+	cmd="$(echo "${cmd}" | sed 's/\t//g')"
+	printf "%s\n" "${cmd}"
+	exit 0
+fi
+
 # Check if the container is even there
 if [ "${container_status}" = "unknown" ]; then
 	# If not, prompt to create it first

distrobox-ephemeral

@@ -74,7 +74,7 @@ Options:
 				specify it through the DBX_SUDO_PROGRAM env variable, or 'distrobox_sudo_program' config variable)
 	--verbose/-v:		show more verbosity
 	--help/-h:		show this message
-	--/-e:			end arguments execute the rest as command to execute at login	default: su ${USER}
+	--/-e:			end arguments execute the rest as command to execute at login	default: default ${USER}'s shell
 	--version/-V:		show version
 
 See also:

docs/usage/distrobox-create.md

@@ -36,6 +36,7 @@ graphical apps (X11/Wayland), and audio.
 				may require additional packages depending on the container image: https://github.com/89luca89/distrobox/blob/main/docs/useful_tips.md#using-init-system-inside-a-distrobox
 	--nvidia:		try to integrate host's nVidia drivers in the guest
 	--unshare-devsys:          do not share host devices and sysfs dirs from host
+	--unshare-groups:          do not forward user's additional groups into the container
 	--unshare-ipc:          do not share ipc namespace with host
 	--unshare-netns:        do not share the net namespace with host
 	--unshare-process:          do not share process namespace with host

docs/usage/distrobox-enter.md

@@ -17,7 +17,7 @@ If using it inside a script, an application, or a service, you can specify the
 **distrobox enter**
 
 	--name/-n:		name for the distrobox						default: my-distrobox
-	--/-e:			end arguments execute the rest as command to execute at login	default: su ${USER}
+	--/-e:			end arguments execute the rest as command to execute at login	default: default $USER's shell
 	--no-tty/-T:		do not instantiate a tty
 	--no-workdir/-nw:	always start the container from container's home directory
 	--additional-flags/-a:	additional flags to pass to the container manager command

docs/usage/distrobox-ephemeral.md

@@ -18,7 +18,7 @@ when the command is terminated.
 				specify it through the DBX_SUDO_PROGRAM env variable, or 'distrobox_sudo_program' config variable)
 	--verbose/-v:		show more verbosity
 	--help/-h:		show this message
-	--/-e:			end arguments execute the rest as command to execute at login	default: su ${USER}
+	--/-e:			end arguments execute the rest as command to execute at login	default: default $USER's shell
 	--version/-V:		show version
 
 # EXAMPLES