Awesome
What
Executes a program as a user different from the user running sue
. The target program is exec
'ed which means, that it replaces the sue
process you are using to run the target program. This simulates native tools like su
and sudo
and uses the same low-level POSIX tools to achieve that, but eliminates common issues that usually arise, when using those native tools.
Why
As small and swift as su-exec
, but as featureful and robust as gosu
!
This and its alternatives all exist for pretty much the same core reason:
This is a simple tool grown out of the simple fact that
su
andsudo
have very strange and often annoying TTY and signal-forwarding behavior. They're also somewhat complex to setup and use (especially in the case ofsudo
), which allows for a great deal of expressivity, but falls flat if all you need is "run this specific application as this specific user and get out of the pipeline".
Why use sue
instead of su-exec
, gosu
or other alternatives?
An opinionated comparison!
Better than gosu
in these ways:
gosu
is written in Go, which is comparatively slow and bloated compared to other systems programming languages. sue
is written in Nim, which is comparable to C in terms of performance and size, while being actually maintainable & readable.
Better than su-exec
in these ways:
su-exec
is supposed to be a far more lightweight alternative to gosu
. As an example, the official Debian-based postgres
images use gosu
while the Alpine-based images use su-exec
.
The latter is written in C, meaning that the level of maintainability is kept pretty low. It also is focused entirely on size and less on providing every feature of gosu
in a more compact fashion. gosu
has a stricter and much more robust behaviour, than su-exec
.
sue
is on the other hand covering all gosu
test cases, meaning that it provides precisely the same feature set as gosu
while being only half the size and most likely being also more performant overall.
Better than chroot
in these ways:
chroot
is a bit clunky and not as straight-forward to use. For the use-case of the specific privilege management in Docker environments, this tool is not well suited, as it has originally a different overall purpose.
Better than setpriv
in these ways:
Similar to chroot
, setpriv
feels very clunky and you have to provide so much information explicitly, when it could be so much more straight-forward and easy to use, as is gosu
, su-exec
or sue
.
How
First, make sure you are running sue
as the root
user, to avoid permission issues.
Get the project and prepare it:
git clone https://github.com/theAkito/sue.git
cd sue
nimble configure
To build the project use one of the predefined tasks:
nimble fbuild
for the release build or
nimble dbuild
for the debug/development build.
You can also make a quick test if sue
works, as it should:
nimble test
Run the fully fledged test suite, covering a large amount of edge cases and possible flukes:
nimble xtest
This test suite covers all original gosu
test cases. Since all are passed successfully, we achieve full compatability with gosu
's behaviour.
The first argument passed to sue
is the user-spec with either the username or its id
. Appending a group
to the user-spec is optional.
The following examples assume a user named dunwall, belonging to a group of the same name and id
.
Example 1:
./sue dunwall src/test
Example 2:
./sue dunwall:dunwall src/test
Example 3:
./sue 1000:dunwall src/test
Where
This tool is meant to be used in a Docker environment, as a way to execute a program while temporarily switching the user just for running that process, as some need to be run as a specific user or need a designated user for taking over a user role in that program.
Real world example
The following example is taken from the official postgres:13-alpine
Docker image's docker-entrypoint.sh
script, where su-exec
is used to execute this startup script as the postgres
user, since PostgreSQL should be operated by the postgres
user.
if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
docker_setup_env
# setup data directories and permissions (when run as root)
docker_create_db_directories
if [ "$(id -u)" = '0' ]; then
# then restart script as postgres user
exec su-exec postgres "$BASH_SOURCE" "$@"
fi
Note that use-cases like this one are the primary target of sue
. Using this program outside of a Docker container usually means that this tool is misused, as it is specifically designed for the type of purpose shown in the example above.
Goals
- Performance
- Size
- Maintainability
Project Status
All gosu
test cases are covered, achieving full compatability with gosu
's behaviour. Therefore, this alternative is just as stable as the widely popular gosu
.
TODO
Implement test suiteIncludegosu
test casesBetter error handling- Add base Docker image
- Add CI
- Separate inlined script from Dockerfile
- Optimize
License
Copyright © 2020-2022 Akito the@akito.ooo
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.