From fe9eaefee7f00d0fc72933dd5c81fd89da41fa09 Mon Sep 17 00:00:00 2001
From: videlanicolas
Date: Mon, 10 May 2021 01:41:09 +1000
Subject: [PATCH 1/2] Check the logged user instead of $USER

Given that `sudo usermod --login "$DOCKER_USER" coder` and `sudo groupmod -n "$DOCKER_USER" coder` modify the container's disk it'll persist across restarts, but environment variables will be reset to whatever state they had at the end of `Dockerfile`. In this case, `$USER` is set to `coder`, so this branch will always be true. By checking with the output of `whoami`, which gets it's information from `/etc/passwd`, we make sure to get the real logged user and not the one defined by $USER. We also move `USER="$DOCKER_USER"` out of the branch, since we always want this to happen at entry-point. If we don't do this assignment, $USER will contain `coder` upon restart.
---
 ci/release-image/entrypoint.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ci/release-image/entrypoint.sh b/ci/release-image/entrypoint.sh
index 1c8c8bfffb7a..9be5d1c6962e 100755
--- a/ci/release-image/entrypoint.sh
+++ b/ci/release-image/entrypoint.sh
@@ -5,15 +5,15 @@ set -eu
 # Otherwise the current container UID may not exist in the passwd database.
 eval "$(fixuid -q)"
-if [ "${DOCKER_USER-}" ] && [ "$DOCKER_USER" != "$USER" ]; then
+USER="$DOCKER_USER"
+
+if [ "${DOCKER_USER-}" ] && [ "$DOCKER_USER" != "$(whoami)" ]; then
 echo "$DOCKER_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/nopasswd >/dev/null
 # Unfortunately we cannot change $HOME as we cannot move any bind mounts
 # nor can we bind mount $HOME into a new home as that requires a privileged container.
 sudo usermod --login "$DOCKER_USER" coder
 sudo groupmod -n "$DOCKER_USER" coder
-USER="$DOCKER_USER"
-
 sudo sed -i "/coder/d" /etc/sudoers.d/nopasswd
 fi

From 1aed545b449a185aa5b41a2b1277f459712016d3 Mon Sep 17 00:00:00 2001
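Review bot: The new `[ "$DOCKER_USER" != "$(whoami)" ]` test on the last added line takes the current account name from the passwd database, but the unchanged `sudo usermod --login "$DOCKER_USER" coder` and `sudo groupmod -n "$DOCKER_USER" coder` lines below it still hard-code `coder` as the account to rename. Once a first start has renamed the account, a later start with a different DOCKER_USER would enter the branch, usermod would not find `coder`, and `set -eu` would end the entrypoint before anything else runs. Deriving the source names the same way as the check keeps the two consistent: `sudo usermod --login "$DOCKER_USER" "$(whoami)"` and `sudo groupmod -n "$DOCKER_USER" "$(id -gn)"`. The same hard-coded `coder` lines reappear as added lines in the hunk of patch 2/2, so the change applies there too.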
From: videlanicolas
Date: Tue, 11 May 2021 08:56:48 +1000
Subject: [PATCH 2/2] Update entrypoint.sh

Check `$DOCKER_USER` was defined before copying it to `$USER`.
---
 ci/release-image/entrypoint.sh | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/ci/release-image/entrypoint.sh b/ci/release-image/entrypoint.sh
index 9be5d1c6962e..6eddae463bd7 100755
--- a/ci/release-image/entrypoint.sh
+++ b/ci/release-image/entrypoint.sh
@@ -5,16 +5,17 @@ set -eu
 # Otherwise the current container UID may not exist in the passwd database.
 eval "$(fixuid -q)"
-USER="$DOCKER_USER"
+if [ "${DOCKER_USER-}" ]; then
+ USER="$DOCKER_USER"
+ if [ "$DOCKER_USER" != "$(whoami)" ]; then
+ echo "$DOCKER_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/nopasswd >/dev/null
+ # Unfortunately we cannot change $HOME as we cannot move any bind mounts
+ # nor can we bind mount $HOME into a new home as that requires a privileged container.
+ sudo usermod --login "$DOCKER_USER" coder
+ sudo groupmod -n "$DOCKER_USER" coder
-if [ "${DOCKER_USER-}" ] && [ "$DOCKER_USER" != "$(whoami)" ]; then
- echo "$DOCKER_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/nopasswd >/dev/null
- # Unfortunately we cannot change $HOME as we cannot move any bind mounts
- # nor can we bind mount $HOME into a new home as that requires a privileged container.
- sudo usermod --login "$DOCKER_USER" coder
- sudo groupmod -n "$DOCKER_USER" coder
-
- sudo sed -i "/coder/d" /etc/sudoers.d/nopasswd
+ sudo sed -i "/coder/d" /etc/sudoers.d/nopasswd
+ fi
 fi
 dumb-init /usr/bin/code-server "$@"
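Review bot: The added `sudo sed -i "/coder/d" /etc/sudoers.d/nopasswd` line deletes every line that merely contains the substring coder, so a DOCKER_USER such as `coder2` or `encoder` loses the rule the `tee -a` line just appended and ends up with no sudo access at all; assuming the pre-existing entry starts with the user name as the appended one does, anchoring the pattern to the user field, `sudo sed -i "/^coder[[:space:]]/d" /etc/sudoers.d/nopasswd`, removes only the stale entry. The `tee -a` line also writes DOCKER_USER verbatim into a sudoers fragment, so a value containing whitespace or a newline produces extra or malformed directives; rejecting anything outside the usual username charset before the branch, e.g. `case "$DOCKER_USER" in *[!A-Za-z0-9._-]*) echo "invalid DOCKER_USER" >&2; exit 1 ;; esac`, keeps both the sudoers fragment and the usermod/groupmod arguments well-formed. The inner `if` carries no comment on why it compares against `$(whoami)`; `# whoami reads /etc/passwd, so the rename is skipped once it has persisted across a restart` above it would record the intent the commit message of patch 1/2 explains.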