diff --git a/distrobox-create b/distrobox-create
index 47b4868009..97d83f2d9d 100755
--- a/distrobox-create
+++ b/distrobox-create
@@ -71,6 +71,7 @@ non_interactive=0
 nvidia=0
 nopasswd=0
 unshare_ipc=0
+unshare_groups=0
 unshare_netns=0
 unshare_process=0
 unshare_devsys=0
@@ -191,6 +192,7 @@ Options:
 may require additional packages depending on the container image: https://github.com/89luca89/distrobox/blob/main/docs/useful_tips.md#using-init-system-inside-a-distrobox
 --nvidia: try to integrate host's nVidia drivers in the guest
 --unshare-devsys: do not share host devices and sysfs dirs from host
+ --unshare-groups: do not forward user's additional groups into the container
 --unshare-ipc: do not share ipc namespace with host
 --unshare-netns: do not share the net namespace with host
 --unshare-process: do not share process namespace with host
@@ -278,12 +280,17 @@ while :; do
 -I | --init)
 shift
 init=1
+ unshare_groups=1
 unshare_process=1
 ;;
 --unshare-ipc)
 shift
 unshare_ipc=1
 ;;
+ --unshare-groups)
+ shift
+ unshare_groups=1
+ ;;
 --unshare-netns)
 shift
 unshare_netns=1
@@ -298,10 +305,11 @@ while :; do
 ;;
 --unshare-all)
 shift
+ unshare_devsys=1
+ unshare_groups=1
 unshare_ipc=1
 unshare_netns=1
 unshare_process=1
- unshare_devsys=1
 ;;
 -C | --compatibility)
 show_compatibility
@@ -599,6 +607,7 @@ generate_command() {
 # utilities.
 result_command="${result_command}
 --label \"manager=distrobox\"
+ --label \"distrobox.unshare_groups=${unshare_groups}\"
 --env \"SHELL=$(basename "${SHELL:-"/bin/bash"}")\"
 --env \"HOME=${container_user_home}\"
 --env \"container=${container_manager}\"
@@ -790,6 +799,7 @@ generate_command() {
 # container manager is podman.
 if echo "${container_manager}" | grep -q "podman"; then
 result_command="${result_command}
+ --annotation run.oci.keep_original_groups=1
 --ulimit host"
 if [ "${init}" -eq 1 ]; then
diff --git a/distrobox-enter b/distrobox-enter
index f753276450..0f977a227f 100755
--- a/distrobox-enter
+++ b/distrobox-enter
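Review bot: In the @@ -278 hunk of distrobox-create, `--init` now also sets `unshare_groups=1`, but nothing the user can read says so: the option list touched in the @@ -191 hunk gains only the `--unshare-groups` entry. The `--init` help entry (only its last line is visible here) should state that it implies `--unshare-groups`, and the `--init` arm deserves a one-line comment giving the reason the two are coupled. The same applies to `--unshare-all` in the @@ -298 hunk if its help text lists what it covers.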
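Review bot: The `--annotation run.oci.keep_original_groups=1` line added in the @@ -790 hunk of distrobox-create is appended for every podman container, including those created with `--unshare-groups`, `--init` or `--unshare-all`. As far as this hunk shows, the host user's supplementary groups are therefore still kept for the container's main process even when the user asked not to forward them; only the enter path honours the flag. Consider gating it, `if [ "${unshare_groups}" -eq 0 ]; then result_command="${result_command} --annotation run.oci.keep_original_groups=1"; fi`, or add a comment explaining why the annotation is wanted in both modes. generate_command starts and ends outside the hunk, so a later override cannot be ruled out from here.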
@@ -55,6 +55,7 @@ if { [ -n "${SUDO_USER}" ] || [ -n "${DOAS_USER}" ]; } && [ "$(id -ru)" -eq 0 ];
 fi
 # Defaults
+container_command_prefix="sh -c"
 container_command=""
 container_image_default="registry.fedoraproject.org/fedora-toolbox:39"
 container_manager="autodetect"
@@ -140,7 +141,7 @@ Usage:
 Options:
 --name/-n: name for the distrobox default: my-distrobox
- --/-e: end arguments execute the rest as command to execute at login default: su ${USER}
+ --/-e: end arguments execute the rest as command to execute at login default: default ${USER}'s shell
 --no-tty/-T: do not instantiate a tty
 --no-workdir/-nw: always start the container from container's home directory
 --additional-flags/-a: additional flags to pass to the container manager command
@@ -313,8 +314,21 @@ generate_command() {
 --interactive"
 result_command="${result_command}
 --detach-keys=\"\""
- result_command="${result_command}
- --user='root'"
+
+ if [ "${unshare_groups:-0}" -eq 1 ]; then
+ result_command="${result_command}
+ --user='root'"
+ # We use `su` to become the designed user, this triggers a proper login
+ # and we instantiate a proper pty with it
+ if [ "${headless}" -eq 0 ]; then
+ container_command_prefix="su --pty ${USER} -c"
+ else
+ container_command_prefix="su ${USER} -c"
+ fi
+ else
+ result_command="${result_command}
+ --user=\"${USER}"\"
+ fi
 # For some usage, like use in service, or launched by non-terminal
 # eg. from desktop files, TTY can fail to instantiate, and fail to enter
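Review bot: In the @@ -313 hunk the new `--user=\"${USER}"\"` line closes the outer double-quoted string one character early: the string ends at the bare `"` and the trailing `\"` is an escaped quote outside it. It yields the same text today, but anything later appended on that line would fall outside the quotes; write `--user=\"${USER}\""` to match the other `result_command` assignments. Separately, `[ "${unshare_groups:-0}" -eq 1 ]` tests a value that originates from a container label, so a non-numeric label makes `[` error out and silently selects the shared-groups branch; an explicit `case` on `0 | 1` before this test would make that choice deliberate. generate_command continues outside the hunk.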
@@ -442,20 +456,14 @@ generate_command() {
 result_command="${result_command}
 ${container_name}"
- # We use `su` to become the designed user, this triggers a proper login
- # and we instantiate a proper pty with it
- su_pty=""
- if [ "${headless}" -eq 0 ]; then
- su_pty="--pty"
- fi
 if [ -n "${container_command}" ]; then
 result_command="${result_command}
- su ${su_pty} ${USER} -c \"${container_command}\""
+ ${container_command_prefix} \"${container_command}\""
 else
 # if no command was specified, let's execute a command that will find
 # and run the default shell for the user
 result_command="${result_command}
- su ${su_pty} ${USER} -c \"\\\$(getent passwd ${USER} | cut -f 7 -d :) -l\""
+ ${container_command_prefix} \"\\\$(getent passwd ${USER} | cut -f 7 -d :) -l\""
 fi
 # Return generated command.
@@ -464,22 +472,24 @@ generate_command() {
 container_home="${HOME}"
 container_path="${PATH}"
-# dry run mode, just generate the command and print it. No execution.
-if [ "${dryrun}" -ne 0 ]; then
- cmd="$(generate_command)"
- cmd="$(echo "${cmd}" | sed 's/\t//g')"
- printf "%s\n" "${cmd}"
- exit 0
-fi
-
+unshare_groups=0
 # Now inspect the container we're working with.
 container_status="unknown"
 eval "$(${container_manager} inspect --type container --format \
 'container_status={{.State.Status}};
+ unshare_groups={{ index .Config.Labels "distrobox.unshare_groups" }};
 {{range .Config.Env}}{{if slice . 0 5 | eq "HOME="}}container_home={{slice . 5 | printf "%q"}};{{end}}{{end}}
 {{range .Config.Env}}{{if slice . 0 5 | eq "PATH="}}container_path={{slice . 5 | printf "%q"}}{{end}}{{end}}' \
 "${container_name}")"
+# dry run mode, just generate the command and print it. No execution.
+if [ "${dryrun}" -ne 0 ]; then
+ cmd="$(generate_command)"
+ cmd="$(echo "${cmd}" | sed 's/\t//g')"
+ printf "%s\n" "${cmd}"
+ exit 0
+fi
+
 # Check if the container is even there
 if [ "${container_status}" = "unknown" ]; then
 # If not, prompt to create it first
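Review bot: The added `unshare_groups={{ index .Config.Labels "distrobox.unshare_groups" }};` line in the @@ -464 hunk feeds a container label into `eval` with no quoting or validation, so the label text is parsed as shell on the host. distrobox-create writes `0` or `1` there, but a container created or labelled by other means is not bound by that, and the `printf "%q"` used on the HOME and PATH lines is Go string quoting, which would not neutralise shell expansion either. Reading the label with its own inspect call, outside `eval`, and accepting only `0` or `1` removes the problem at the cost of one extra inspect per enter. Which fallback is right for containers that lack the label should be confirmed by the author.
```shell
unshare_groups="$(${container_manager} inspect --type container --format \
	'{{ index .Config.Labels "distrobox.unshare_groups" }}' "${container_name}")"
case "${unshare_groups}" in
	0 | 1) ;;
	*) unshare_groups=0 ;;
esac
# … unchanged: eval of container_status, container_home and container_path …
```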
diff --git a/distrobox-ephemeral b/distrobox-ephemeral
index 67b9c812c2..22f6b30629 100755
--- a/distrobox-ephemeral
+++ b/distrobox-ephemeral
@@ -74,7 +74,7 @@ Options:
 specify it through the DBX_SUDO_PROGRAM env variable, or 'distrobox_sudo_program' config variable)
 --verbose/-v: show more verbosity
 --help/-h: show this message
- --/-e: end arguments execute the rest as command to execute at login default: su ${USER}
+ --/-e: end arguments execute the rest as command to execute at login default: default ${USER}'s shell
 --version/-V: show version
 See also:
diff --git a/docs/usage/distrobox-create.md b/docs/usage/distrobox-create.md
index af69da4d4e..4a64b72a8f 100644
--- a/docs/usage/distrobox-create.md
+++ b/docs/usage/distrobox-create.md
@@ -36,6 +36,7 @@ graphical apps (X11/Wayland), and audio.
 may require additional packages depending on the container image: https://github.com/89luca89/distrobox/blob/main/docs/useful_tips.md#using-init-system-inside-a-distrobox
 --nvidia: try to integrate host's nVidia drivers in the guest
 --unshare-devsys: do not share host devices and sysfs dirs from host
+ --unshare-groups: do not forward user's additional groups into the container
 --unshare-ipc: do not share ipc namespace with host
 --unshare-netns: do not share the net namespace with host
 --unshare-process: do not share process namespace with host
diff --git a/docs/usage/distrobox-enter.md b/docs/usage/distrobox-enter.md
index 6a7ec41c27..cbe0ac0349 100644
--- a/docs/usage/distrobox-enter.md
+++ b/docs/usage/distrobox-enter.md
@@ -17,7 +17,7 @@ If using it inside a script, an application, or a service, you can specify the
 **distrobox enter**
 --name/-n: name for the distrobox default: my-distrobox
- --/-e: end arguments execute the rest as command to execute at login default: su ${USER}
+ --/-e: end arguments execute the rest as command to execute at login default: default $USER's shell
 --no-tty/-T: do not instantiate a tty
 --no-workdir/-nw: always start the container from container's home directory
 --additional-flags/-a: additional flags to pass to the container manager command
diff --git a/docs/usage/distrobox-ephemeral.md b/docs/usage/distrobox-ephemeral.md
index 9f2eace5ba..161917c2cf 100644
--- a/docs/usage/distrobox-ephemeral.md
+++ b/docs/usage/distrobox-ephemeral.md
@@ -18,7 +18,7 @@ when the command is terminated.
 specify it through the DBX_SUDO_PROGRAM env variable, or 'distrobox_sudo_program' config variable)
 --verbose/-v: show more verbosity
 --help/-h: show this message
- --/-e: end arguments execute the rest as command to execute at login default: su ${USER}
+ --/-e: end arguments execute the rest as command to execute at login default: default $USER's shell
 --version/-V: show version
 # EXAMPLES