Restrictive PATH with sudo
Ilya Dmitrichenko
errordeveloper at gmail.com
Sat Jan 10 12:18:36 UTC 2015
Hi Jamie,
I understood that sudo's secure_path aspect. And I also see that invoking
the docker command indeed doesn't require root privileges. However, I am trying
to make it work with weave (https://github.com/zettio/weave), which runs
docker from a shell script that also runs ip and iptables commands that do
require root privileges. I should have provided more context to this from
the beginning.
Cheers,
--
Ilya
On Sat, 10 Jan 2015 11:39 Jamie Strandboge <jamie at canonical.com> wrote:
> On 01/07/2015 12:26 PM, Ilya Dmitrichenko wrote:
> > Hi List,
> >
> Hi!
>
> > Currently one cannot run `sudo docker`, or any other app installed with snappy.
> > Has there been any motivation behind this or it's just a bug?
> >
> /etc/sudoers is setup currently to use both env_reset and secure_path. Because
> the 'docker' command is found in ~/snappy-bin and this path is not part of
> sudo's secure_path, sudo is not finding it. I confirmed this on the alpha image
> and the most recent promoted image.
>
> Note that as the 'ubuntu' user in the snappy images, you don't have to use sudo
> at all-- the 'ubuntu' user is part of the 'docker' group which should be all you
> need to use the docker cli command.
>
> To run arbitrary snappy app commands under sudo, for now you can do:
> $ sudo ~/snappy-bin/<cmd>
>
> Eg:
> $ sudo ~/snappy-bin/docker version
> ...
> Client version: 1.3.2-dev
> Client API version: 1.16
> Go version (client): go1.3.3
> Git commit (client): 906c721-dirty
> OS/Arch (client): linux/amd64
> Server version: 1.3.2-dev
> Server API version: 1.16
> Go version (server): go1.3.3
> Git commit (server): 906c721-dirty
>
>
> Note to users: ~/snappy-bin is being removed in favor of a cleaner solution.
>
> Note to snappy devs: we'll need to consider the sudo use case when
> designing/implementing the cleaner solution.
>
> --
> Jamie Strandboge http://www.ubuntu.com/
>
> --
> snappy-app-devel mailing list
> snappy-app-devel at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snappy-app-devel
>
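An added example, not part of the original thread: a sketch of the command lookup sudo performs when secure_path is set, run against a constructed sandbox directory. The SECURE_PATH value and the sandbox layout are assumptions, since the thread does not give the image's actual setting. Because sudo also hands secure_path to the command as its PATH, a script started by full path still has its own bare `docker`, `ip` and `iptables` calls resolved this way.

```shell
#!/bin/sh
# Emulates the lookup sudo does when secure_path is set: only the directories
# in secure_path are searched; the invoking user's PATH is ignored.

# resolve_in_path CMD PATHLIST: print the first executable match, else fail.
resolve_in_path() {
    cmd=$1
    # A command containing a slash is used as given, with no PATH search.
    case $cmd in
        */*) [ -x "$cmd" ] && { printf '%s\n' "$cmd"; return 0; }; return 1 ;;
    esac
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -n "$dir" ] && [ -x "$dir/$cmd" ] && [ ! -d "$dir/$cmd" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Constructed sandbox standing in for the image's filesystem.
SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/usr/sbin" "$SANDBOX/sbin" "$SANDBOX/home/ubuntu/snappy-bin"
for f in sbin/ip usr/sbin/iptables home/ubuntu/snappy-bin/docker; do
    printf '#!/bin/sh\n' > "$SANDBOX/$f"; chmod +x "$SANDBOX/$f"
done

# Assumed values: the thread does not give the image's actual secure_path.
SECURE_PATH="$SANDBOX/usr/sbin:$SANDBOX/sbin"
USER_PATH="$SANDBOX/home/ubuntu/snappy-bin:$SECURE_PATH"

# report PATHLIST CMD...: show how each command resolves under that PATH.
report() {
    pathlist=$1; shift
    for c in "$@"; do
        if found=$(resolve_in_path "$c" "$pathlist"); then
            echo "$c -> ${found#"$SANDBOX"}"
        else
            echo "$c -> not found"
        fi
    done
}

echo "user PATH:";   report "$USER_PATH"   docker ip iptables
echo "secure_path:"; report "$SECURE_PATH" docker ip iptables "$SANDBOX/home/ubuntu/snappy-bin/docker"
```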