From fab54bfafa92708e3df5d8fba127281ec7b52e6c Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Sat, 31 Dec 2022 15:01:54 -0500 Subject: [PATCH] app_containers: Use UID instead of username for $run_as Note that we still assume the user name inside the container is `user`. --- app_containers/.local/bin/run_app_container | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container index 003021a..5fb485c 100755 --- a/app_containers/.local/bin/run_app_container +++ b/app_containers/.local/bin/run_app_container @@ -8,8 +8,8 @@ die() { exit() { rm -rf "$container_xdg_runtime" if [ "$CONTAINER_USE_USERNS" = true ]; then - setfacl -x u:$((private_users + 1000)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY - xhost -si:localuser:\#$((private_users + 1000)) + setfacl -x u:$((private_users + run_as)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY + xhost -si:localuser:\#$((private_users + run_as)) fi } @@ -45,11 +45,13 @@ fi [ -S $host_pulse ] || die "PulseAudio UNIX socket not found" -# Default username (assume `user` always has the same uid as the host user) -run_as=user +# Default user +run_as=$UID +# We assume the user named `user` inside the container always has the same UID as +# the user with uid $run_as on the host; this is currently not yet configurable homedir=/home/user if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then - run_as=root + run_as=0 homedir=/root fi @@ -61,8 +63,8 @@ if [ "$CONTAINER_USE_USERNS" = true ]; then private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well # Grant the user inside the namespace access to the Wayland / Xorg display - setfacl -m u:$((private_users + 1000)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY - xhost +si:localuser:\#$((private_users + 1000)) + setfacl -m u:$((private_users + run_as)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY + xhost +si:localuser:\#$((private_users + run_as)) fi SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \