-
Notifications
You must be signed in to change notification settings - Fork 261
Run command as specific user in gsc #2527
Comments
Good catch. Indeed, we just assumed the @vahldiek Do you know of a quick fix for this? |
I believe the easiest, since Alternatively, one could generate the GSC image without the FROM gsc-myimage
USER example But I have no idea for a generic solution that doesn't involve root, since we need root privileges to install new packages. We could also build in a command into GSC which adds a particular user after all of GSC is done. But this would require an extra parameter either in the configuration or runtime argument to |
Thanks für your reply but I think there is one problem with these solutions. The entrypoint scripts need root permissions too. Or am I wrong? |
It shouldn't, but maybe some permissions on the FS are wrong and that's why it fails? Overall running Graphene shouldn't require root, but on some distros it may require being in specific groups to get access to the SGX devices ( |
user@user-OptiPlex-3070:~/Developments/graphene/Tools/gsc$ docker run --device=/dev/sgx_enclave -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket gsc-postgres-graphene -c "whoami"
+ '[' -z '' ']'
+ GSC_PAL=Linux-SGX
+ /graphene/python/graphene-sgx-get-token -output /entrypoint.token -sig /entrypoint.sig
Attributes:
mr_enclave: e917708cdf2a5375ffa0fbd1c32d68727099ad1628375e92488b5ff49873dc41
mr_signer: f7eda00a2be415de0f32e77ac28121e7d20c9f2a979a689d0fc9403b46ed2ea9
isv_prod_id: 0
isv_svn: 0
attr.flags: 0600000000000000
attr.xfrm: 1f00000000000000
misc_select: 00000000
misc_mask: 00000000
modulus: 7523c0d9dd361760a44614c88e3cce95...
exponent: 3
signature: 377fb62638719a3fdd8719a874f23d29...
date: 2021-07-11
+ /graphene/Runtime/pal-Linux-SGX /graphene/Runtime/libpal-Linux-SGX.so init /entrypoint -c whoami
error: Using insecure argv source. Graphene will continue application execution, but this configuration must not be used in production!
root
user@user-OptiPlex-3070:~/Developments/graphene/Tools/gsc$ docker run --user=postgres --device=/dev/sgx_enclave -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket gsc-postgres-graphene -c "whoami"
+ '[' -z '' ']'
+ GSC_PAL=Linux-SGX
+ /graphene/python/graphene-sgx-get-token -output /entrypoint.token -sig /entrypoint.sig
usage: graphene-sgx-get-token [-h] --sig SIGNATURE [--output OUTPUT]
graphene-sgx-get-token: error: argument --output/-output: can't open '/entrypoint.token': [Errno 13] Permission denied: '/entrypoint.token'
This is what I did. But there are no permissions on |
The issue is that user IDs inside docker don't necessarily match the once found outside. The best discussion of this I could find is documented here: https://blog.gougousis.net/file-permissions-the-painful-side-of-docker/ Basically, when creating a new user ID inside Docker, make sure that it matches the user ID outside, otherwise file permission won't work. The same holds true for group memberships. So please make sure whatever user/group is allowed to access files and SGX devices matches what is found inside of Docker. |
Thanks for your reply. That is true. But I do not mount the |
Description of the problem
We try to run a command as a specific user inside a graphene container. We do not want the
root
user to execute our commands.Steps to reproduce
Follow the instructions of the Graphene Shielded Containers.
In Step 3 do not use the prebuild python image. Use a custom Dockerfile with a custom user.
If you continue in Step 4 there is a permission error because
gsc-build
needsroot
permissions.Expected results
Graphene should use the
root
user to install dependencies.Actual results
Graphene use the user given by the base image.
Is there any chance to use the
USER
keyword inside the baseDockerfile
?The text was updated successfully, but these errors were encountered: