dev: use su-exec for change of user

Author: da2ce7

.github/workflows/publish_docker_image.yml

@@ -76,7 +76,7 @@ jobs:
         uses: docker/build-push-action@v4
         with:
           context: .
-          file: ./Dockerfile
+          file: ./Containerfile
           build-args: |
             RUN_AS_USER=${{ env.TORRUST_TRACKER_RUN_AS_USER }}
           push: ${{ github.event_name != 'pull_request' }}

Containerfile

@@ -21,6 +21,9 @@ RUN mkdir -p /app/share/torrust/default/database/; \
     touch /app/share/torrust/default/database/tracker.sqlite3.db; \
     echo ";" | sqlite3 /app/share/torrust/default/database/tracker.sqlite3.db
 
+COPY ./contrib/dev-tools/su-exec/ /tmp/su-exec/
+RUN cc -Wall -Werror -g /tmp/su-exec/su-exec.c -o /tmp/su-exec/su-exec
+
 
 ## Chef Prepare (look at project and see wat we need)
 FROM chef AS recipe
@@ -88,7 +91,8 @@ RUN chown -R root:root /app; chmod -R u=rw,go=r,a+X /app; chmod -R a+x /app/bin
 
 ## Runtime
 FROM gcr.io/distroless/cc:debug as runtime
-RUN ["/busybox/cp", "-sp", "/busybox/sh", "/bin/sh"]
+RUN ["/busybox/cp", "-sp", "/busybox/sh","/busybox/cat","/busybox/ls","/busybox/env", "/bin/"]
+COPY --from=tester --chmod=0555 /tmp/su-exec/su-exec /bin/su-exec
 
 ARG TORRUST_TRACKER_PATH_CONFIG="/etc/torrust/tracker/config.toml"
 ARG USER_ID=1000
@@ -107,32 +111,25 @@ EXPOSE ${UDP_PORT}/udp
 EXPOSE ${HTTP_PORT}/tcp
 EXPOSE ${API_PORT}/tcp
 
-WORKDIR /home/torrust
-RUN adduser --disabled-password --uid "${USER_ID}" "torrust"
-
-RUN mkdir -p /var/lib/torrust/tracker; chown -R "${USER_ID}":"${USER_ID}" /var/lib/torrust; chmod -R 2770 /var/lib/torrust
-RUN mkdir -p /var/log/torrust/tracker; chown -R "${USER_ID}":"${USER_ID}" /var/log/torrust; chmod -R 2770 /var/log/torrust
-RUN mkdir -p /etc/torrust/tracker; chown -R "${USER_ID}":"${USER_ID}" /etc/torrust; chmod -R 2770 /etc/torrust
+RUN mkdir -p /var/lib/torrust/tracker /var/log/torrust/tracker /etc/torrust/tracker
 
 ENV ENV=/etc/profile
-COPY --chmod=0555 ./share/docker/entry_script_sh /usr/local/bin/entry.sh
+COPY --chmod=0555 ./share/container/entry_script_sh /usr/local/bin/entry.sh
 
-RUN echo '[ ! -z "$TERM" -a -r /etc/motd ] && cat /etc/motd' >> /etc/profile
-
-USER "torrust":"torrust"
 VOLUME ["/var/lib/torrust/tracker","/var/log/torrust/tracker","/etc/torrust/tracker"]
-ENTRYPOINT ["entry.sh"]
+
+ENTRYPOINT ["/usr/local/bin/entry.sh"]
 
 ## Torrust-Tracker (debug)
 FROM runtime as debug
 COPY --from=test_debug /app/ /usr/
-COPY --chmod=0644 ./share/docker/motd.debug /etc/motd
+COPY --chmod=0644 ./share/container/motd.debug /etc/motd
 RUN env
 CMD ["sh"]
 
 ## Torrust-Tracker (release) (default)
 FROM runtime as release
 COPY --from=test /app/ /usr/
-COPY --chmod=0644  ./share/docker/motd.release /etc/motd
+COPY --chmod=0644  ./share/container/motd.release /etc/motd
 # HEALTHCHECK CMD ["/usr/bin/wget", "--no-verbose", "--tries=1", "--spider", "localhost:${API_PORT}/version"]
 CMD ["/usr/bin/torrust-tracker"]

README.md

@@ -45,9 +45,13 @@ git clone https://github.com/torrust/torrust-tracker.git \
   && mkdir -p ./storage/ssl_certificates
 ```
 
-And then run `cargo run` twice. The first time to generate the `tracker.toml` file and the second time to run the tracker with the default configuration.
+The tracker gets it's default configuration from the [share/default/config](./share/default/config/) folder: either [´tracker.sqlite3.development.toml´](./share/default/config/tracker.sqlite3.development.toml), the [local default](./src/bootstrap/config.rs#L18); or [′tracker.sqlite3.distribution.toml´](./share/default/config/tracker.sqlite3.distribution.toml), the [container default](./share/container/entry_script_s#L10).
 
-After running the tracker these services will be available:
+To specify a different configuration file, supply it's path on an environmental variable: [`TORRUST_TRACKER_PATH_CONFIG`](./src/bootstrap/config.rs#L15), or simply supply your entire configuration on the environmental variable itself: [`TORRUST_TRACKER_CONFIG`](./src/bootstrap/config.rs#L11).
+
+You can also supply the api administration token via an environmental variable: [`ENV_VAR_API_ADMIN_TOKEN`](./src/bootstrap/config.rs#L12).
+
+After running the tracker these services will be available (as defined in the default configuration):
 
 * UDP tracker: `udp://127.0.0.1:6969/announce`.
 * HTTP tracker: `http://127.0.0.1:6969/announce`.

cSpell.json

@@ -58,6 +58,7 @@
         "libsqlite",
         "libtorrent",
         "libz",
+        "LOGNAME",
         "Lphant",
         "metainfo",
         "middlewares",
@@ -95,6 +96,7 @@
         "Seedable",
         "Shareaza",
         "sharktorrent",
+        "SHLVL",
         "socketaddr",
         "sqllite",
         "subsec",
@@ -114,6 +116,7 @@
         "uroot",
         "Vagaa",
         "Vuze",
+        "Werror",
         "whitespaces",
         "XBTT",
         "Xeon",
@@ -123,6 +126,7 @@
         "yyyyyyyyyyyyyyyyyyyyd"
     ],
     "enableFiletypes": [
-        "dockerfile"
+        "dockerfile",
+        "shellscript"
     ]
 }

contrib/dev-tools/containers/README.md

@@ -8,31 +8,39 @@
 ```s
 $ tree storage/
 storage/
-├── database
-│   └── data.db
-└── ssl_certificates
-    ├── localhost.crt
-    └── localhost.key
+├── lib
+│   ├── database
+│   │   └── sqlite3.db     <=[auto populated]
+│   └── ssl_certificates
+│       ├── localhost.crt  <=[user supplied]
+│       └── localhost.key  <=[user supplied]
+├── log                    * (future use)
+└── etc
+    └── config.toml        <=[auto populated]
 ```
-
+*
 > NOTE: you only need the `ssl_certificates` directory and certificates in case you have enabled SSL for the one HTTP tracker or the API.
 
 ## Demo environment
 
-You can run a single command to setup the tracker with the default
+It is simple to setup the tracker with the default
 configuration and run it using the pre-built public docker image:
 
+(in new a new directory)
+
 ```s
-curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/torrust/torrust-tracker/v3.0.0-alpha.3/bin/install-demo.sh | bash
-export TORRUST_TRACKER_USER_UID=1000 \
-  && docker run -it \
-    --user="$TORRUST_TRACKER_USER_UID" \
+mkdir -p ./storage/lib/ ./storage/log/ ./storage/etc/
+
+docker run -it \
+    --env USER_ID:$(id -u)
     --publish 6969:6969/udp \
     --publish 7070:7070/tcp \
     --publish 1212:1212/tcp \
-    --volume "$(pwd)/storage":"/app/storage" \
-    --volume "$(pwd)/tracker.toml":"/app/tracker.toml":ro \
-    torrust/tracker:3.0.0-alpha.3
+    --volume ./storage/lib:/var/lib/torrust/tracker \
+    --volume ./storage/log:/var/log/torrust/tracker \
+    --volume ./storage/etc:/etc/torrust/tracker \
+    torrust/tracker:3.0.0-beta.0
+
 ```
 
 This is intended to be used to run a quick demo of the application.

contrib/dev-tools/containers/docker-run-local-image.sh

@@ -1,7 +1,5 @@
 #!/bin/bash
 
-TORRUST_TRACKER_CONFIG=$(cat tracker.toml)
-
 docker run -it \
     --user="$(whoami)" \
     --publish 6969:6969/udp \

contrib/dev-tools/su-exec/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 ncopa
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

contrib/dev-tools/su-exec/Makefile

@@ -0,0 +1,17 @@
+
+CFLAGS ?= -Wall -Werror -g
+LDFLAGS ?=
+
+PROG := su-exec
+SRCS := $(PROG).c
+
+all: $(PROG)
+
+$(PROG): $(SRCS)
+	$(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS)
+
+$(PROG)-static: $(SRCS)
+	$(CC) $(CFLAGS) -o $@ $^ -static $(LDFLAGS)
+
+clean:
+	rm -f $(PROG) $(PROG)-static

contrib/dev-tools/su-exec/README.md

@@ -0,0 +1,46 @@
+# su-exec
+switch user and group id, setgroups and exec
+
+## Purpose
+
+This is a simple tool that will simply execute a program with different
+privileges. The program will be executed directly and not run as a child,
+like su and sudo does, which avoids TTY and signal issues (see below).
+
+Notice that su-exec depends on being run by the root user, non-root
+users do not have permission to change uid/gid.
+
+## Usage
+
+```shell
+su-exec user-spec command [ arguments... ]
+```
+
+`user-spec` is either a user name (e.g. `nobody`) or user name and group
+name separated with colon (e.g. `nobody:ftp`). Numeric uid/gid values
+can be used instead of names. Example:
+
+```shell
+$ su-exec apache:1000 /usr/sbin/httpd -f /opt/www/httpd.conf
+```
+
+## TTY & parent/child handling
+
+Notice how `su` will make `ps` be a child of a shell while `su-exec`
+just executes `ps` directly.
+
+```shell
+$ docker run -it --rm alpine:edge su postgres -c 'ps aux'
+PID   USER     TIME   COMMAND
+    1 postgres   0:00 ash -c ps aux
+   12 postgres   0:00 ps aux
+$ docker run -it --rm -v $PWD/su-exec:/sbin/su-exec:ro alpine:edge su-exec postgres ps aux
+PID   USER     TIME   COMMAND
+    1 postgres   0:00 ps aux
+```
+
+## Why reinvent gosu?
+
+This does more or less exactly the same thing as [gosu](https://github.com/tianon/gosu)
+but it is only 10kb instead of 1.8MB.
+

contrib/dev-tools/su-exec/su-exec.c

@@ -0,0 +1,109 @@
+/* set user and group id and exec */
+
+#include <sys/types.h>
+
+#include <err.h>
+#include <errno.h>
+#include <grp.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+static char *argv0;
+
+static void usage(int exitcode)
+{
+	printf("Usage: %s user-spec command [args]\n", argv0);
+	exit(exitcode);
+}
+
+int main(int argc, char *argv[])
+{
+	char *user, *group, **cmdargv;
+	char *end;
+
+	uid_t uid = getuid();
+	gid_t gid = getgid();
+
+	argv0 = argv[0];
+	if (argc < 3)
+		usage(0);
+
+	user = argv[1];
+	group = strchr(user, ':');
+	if (group)
+		*group++ = '\0';
+
+	cmdargv = &argv[2];
+
+	struct passwd *pw = NULL;
+	if (user[0] != '\0') {
+		uid_t nuid = strtol(user, &end, 10);
+		if (*end == '\0')
+			uid = nuid;
+		else {
+			pw = getpwnam(user);
+			if (pw == NULL)
+				err(1, "getpwnam(%s)", user);
+		}
+	}
+	if (pw == NULL) {
+		pw = getpwuid(uid);
+	}
+	if (pw != NULL) {
+		uid = pw->pw_uid;
+		gid = pw->pw_gid;
+	}
+
+	setenv("HOME", pw != NULL ? pw->pw_dir : "/", 1);
+
+	if (group && group[0] != '\0') {
+		/* group was specified, ignore grouplist for setgroups later */
+		pw = NULL;
+
+		gid_t ngid = strtol(group, &end, 10);
+		if (*end == '\0')
+			gid = ngid;
+		else {
+			struct group *gr = getgrnam(group);
+			if (gr == NULL)
+				err(1, "getgrnam(%s)", group);
+			gid = gr->gr_gid;
+		}
+	}
+
+	if (pw == NULL) {
+		if (setgroups(1, &gid) < 0)
+			err(1, "setgroups(%i)", gid);
+	} else {
+		int ngroups = 0;
+		gid_t *glist = NULL;
+
+		while (1) {
+			int r = getgrouplist(pw->pw_name, gid, glist, &ngroups);
+
+			if (r >= 0) {
+				if (setgroups(ngroups, glist) < 0)
+					err(1, "setgroups");
+				break;
+			}
+
+			glist = realloc(glist, ngroups * sizeof(gid_t));
+			if (glist == NULL)
+				err(1, "malloc");
+		}
+	}
+
+	if (setgid(gid) < 0)
+		err(1, "setgid(%i)", gid);
+
+	if (setuid(uid) < 0)
+		err(1, "setuid(%i)", uid);
+
+	execvp(cmdargv[0], cmdargv);
+	err(1, "%s", cmdargv[0]);
+
+	return 1;
+}