In my docker container I am running a command as a specific user like this from entrypoint.sh:

sudo -u appuser "$@"

This works fine; however, it doesn't set any of the environment variables that get created by using the --link option while running the container.

Question

Is it possible to set all environment variables that exist for the root user for some other specific user (in this example appuser)?

Note: this question is related to the following discussion, which is the reason I can't just use the USER command: How to give non-root user in Docker container access to a volume mounted on the host

  • Thanks for making this a new question rather than turning that other answer into a giant comment thread! – larsks Sep 09 '16 at 01:26

1 Answer

The sudo command, because it is designed as a tool for privilege escalation, intentionally sanitizes the environment before switching to a new user id. If you take a look at the sudo man page, you'll find:

 -E, --preserve-env
             Indicates to the security policy that the user wishes to preserve their existing
             environment variables.  The security policy may return an error if the user does not
             have permission to preserve the environment.

So instead of sudo -u appuser somecommand, just use sudo -E -u appuser somecommand.

The runuser command is provided by the util-linux package in recent versions of Ubuntu, and does not perform any environment initialization by default. For example:

$ docker pull ubuntu
$ docker run -it --rm ubuntu /bin/bash
root@ded49ffde72e:/# runuser --help

Usage:
 runuser [options] -u <user> <command>
 runuser [options] [-] [<user> [<argument>...]]
[...]

This is with Ubuntu Xenial (the runuser command also appears to be available on ubuntu:vivid, but is not available under ubuntu:trusty).

So your options are:

  • Use sudo -E, or
  • Use a more recent Ubuntu image
  • I came back to answer my own question but you are too quick for me. `-E` to the rescue! – Anthony Sep 09 '16 at 01:29
  • For some reason, `sudo -E` does not preserve `PATH` or `LD_LIBRARY_PATH` for me... Other environment variables are preserved... I don't get it... `echo $PATH` gives `/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games`, while `sudo -E -u bryanloz bash -c 'echo $PATH'` gives `/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin` – CraigDavid Jul 21 '22 at 22:55
  • `$LD_LIBRARY_PATH` will not be preserved because `sudo` is setuid root, and the operating system itself will not permit you to pass `LD_LIBRARY_PATH` across a setuid boundary (see the [`ld.so` man page](https://man7.org/linux/man-pages/man8/ld.so.8.html)). `$PATH` is probably being reset by the `secure_path` setting in your `/etc/sudoers`. – larsks Jul 22 '22 at 00:11
  • Thanks, man! You saved my day! I was troubleshooting that for a few hours now...! – kapalkat Dec 01 '22 at 10:48
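As an added example (not code from the question or from larsks's answer), here is an entrypoint that sidesteps the two limits raised in the comments above: `sudo -E` still loses `PATH` to `secure_path`, and `LD_LIBRARY_PATH` cannot cross the setuid boundary at all. Instead of asking sudo to preserve root's whole environment, the script collects an explicit allowlist of variables and hands them to `env(1)`, which runs after the user switch, so the assignments are never subject to sudo's filtering. The user name `appuser`, the `db` link alias (hence the `DB_` prefix) and the sample values are assumptions; it prefers `runuser -u` from util-linux, as shown in the answer, and falls back to `sudo`.

```bash
#!/bin/bash
# entrypoint.sh: drop from root to an unprivileged user and hand the command a
# curated environment. Added example, not code from the question or answer.
# Assumptions: the target user is "appuser" and the --link alias is "db", so
# the link variables are named DB_PORT_*, DB_NAME and DB_ENV_* by Docker.
set -eo pipefail

APP_USER="${APP_USER:-appuser}"

# Fill ENV_ARGS with NAME=VALUE pairs: root's PATH plus every exported
# variable whose name starts with one of the given prefixes. Names come from
# the shell (compgen) rather than from parsing `env` output, so values that
# contain newlines do not break the parsing.
collect_env() {
  local prefix name
  ENV_ARGS=("PATH=$PATH")        # sudo's secure_path would otherwise reset it
  for prefix in "$@"; do
    while IFS= read -r name; do
      [ -n "$name" ] || continue
      ENV_ARGS+=("$name=${!name}")
    done < <(compgen -A export "$prefix" || true)   # compgen exits 1 on no match
  done
}

# Switch user and exec the command. The variables are set by env(1) *after*
# the uid change, so they are not subject to sudo's env_reset/secure_path, and
# LD_LIBRARY_PATH reaches the app (the loader strips it only for the setuid
# sudo binary itself). Prefer runuser when present; fall back to sudo.
run_as() {
  local user=$1; shift
  if command -v runuser >/dev/null 2>&1; then
    exec runuser -u "$user" -- env "${ENV_ARGS[@]}" "$@"
  elif command -v sudo >/dev/null 2>&1; then
    exec sudo -u "$user" -- env "${ENV_ARGS[@]}" "$@"
  fi
  echo "entrypoint: neither runuser nor sudo found" >&2
  return 1
}

# Only act when a command was supplied (Docker passes CMD as the arguments).
if [ "$#" -gt 0 ]; then
  collect_env DB_
  run_as "$APP_USER" "$@"
fi
```

Used as the image's ENTRYPOINT with `docker run --link db:db ...`, the app sees `DB_PORT_5432_TCP_ADDR` and friends under `appuser` without `-E`. Forwarding a prefix allowlist rather than root's entire environment also keeps anything that was meant for root only (for example credentials injected by an orchestrator) out of the app process's `/proc/<pid>/environ`.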