Use run0 instead of refusing to run commands that need root unprivileged

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 3bfae473fb12b2765158ddac9f5edea5b4164375..327d2e4690865f983e1f1b767e15a16f54d53208 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3432,9 +3432,6 @@ def run_shell(args: Args, config: Config) -> None:
     if config.runtime_network == Network.user:
         cmdline += ["--resolv-conf=auto"]
     elif config.runtime_network == Network.interface:
-        if os.getuid() != 0:
-            die("RuntimeNetwork=interface requires root privileges")
-
         cmdline += ["--private-network", "--network-veth"]
     elif config.runtime_network == Network.none:
         cmdline += ["--private-network"]
@@ -3600,7 +3597,13 @@ def run_shell(args: Args, config: Config) -> None:
             stdout=sys.stdout,
             env=os.environ | config.environment,
             log=False,
-            sandbox=config.sandbox(binary="systemd-nspawn", devices=True, network=True, relaxed=True),
+            sandbox=config.sandbox(
+                binary="systemd-nspawn",
+                devices=True,
+                network=True,
+                relaxed=True,
+                setup=["run0"] if os.getuid() != 0 else [],
+            ),
         )
 
 
@@ -3617,7 +3620,9 @@ def run_systemd_tool(tool: str, args: Args, config: Config) -> None:
         and not config.forward_journal
         and os.getuid() != 0
     ):
-        die(f"Must be root to run the {args.verb} command")
+        need_root = True
+    else:
+        need_root = False
 
     if (tool_path := config.find_binary(tool)) is None:
         die(f"Failed to find {tool}")
@@ -3655,6 +3660,7 @@ def run_systemd_tool(tool: str, args: Args, config: Config) -> None:
             network=True,
             devices=config.output_format == OutputFormat.disk,
             relaxed=True,
+            setup=["run0"] if need_root else [],
         ),
     )
 
@@ -4118,9 +4124,6 @@ def run_build(
 def run_verb(args: Args, images: Sequence[Config], *, resources: Path) -> None:
     images = list(images)
 
-    if args.verb.needs_root() and os.getuid() != 0:
-        die(f"Must be root to run the {args.verb} command")
-
     if args.verb == Verb.completion:
         return print_completion(args, resources=resources)
 

diff --git a/mkosi/burn.py b/mkosi/burn.py
index ffa8bb2e9c2a48630011a474a055637e998fdd77..e76fbba0f738cc9d2b76e6a62504fddf33959414 100644 (file)
--- a/mkosi/burn.py
+++ b/mkosi/burn.py
@@ -17,8 +17,6 @@ def run_burn(args: Args, config: Config) -> None:
     if len(args.cmdline) != 1:
         die("Expected device argument.")
 
-    device = args.cmdline[0]
-
     cmd = [
         "systemd-repart",
         "--no-pager",
@@ -28,7 +26,7 @@ def run_burn(args: Args, config: Config) -> None:
         "--dry-run=no",
         "--definitions=/",
         f"--copy-from={fname}",
-        device,
+        *args.cmdline,
     ]
 
     with complete_step("Burning 🔥🔥🔥 to medium…", "Burnt. 🔥🔥🔥"):
@@ -38,5 +36,11 @@ def run_burn(args: Args, config: Config) -> None:
             stdout=sys.stdout,
             env=os.environ | config.environment,
             log=False,
-            sandbox=config.sandbox(binary="systemd-repart", devices=True, network=True, relaxed=True),
+            sandbox=config.sandbox(
+                binary="systemd-repart",
+                devices=True,
+                network=True,
+                relaxed=True,
+                setup=["run0"] if os.getuid() != 0 else [],
+            ),
         )

diff --git a/mkosi/config.py b/mkosi/config.py
index e1ca775226b1ef8774f1fce0cb2422efd64cb662..4051c6538d9d290cfe3b92b671751beac4089ed9 100644 (file)
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -103,9 +103,6 @@ class Verb(StrEnum):
             Verb.sysupdate,
         )
 
-    def needs_root(self) -> bool:
-        return self in (Verb.shell, Verb.boot, Verb.burn)
-
     def needs_config(self) -> bool:
         return self not in (
             Verb.help,

diff --git a/mkosi/sysupdate.py b/mkosi/sysupdate.py
index 197d3a314b200fa00e49fe1757d87f16f70c6f11..5cb2168179323927e2680b68a6a992a0bfad0420 100644 (file)
--- a/mkosi/sysupdate.py
+++ b/mkosi/sysupdate.py
@@ -42,6 +42,7 @@ def run_sysupdate(args: Args, config: Config) -> None:
             devices=True,
             network=True,
             relaxed=True,
+            setup=["run0"] if os.getuid() != 0 else [],
             options=[
                 *(["--bind", "/boot", "/boot"] if Path("/boot").exists() else []),
                 *(["--bind", "/efi", "/efi"] if Path("/efi").exists() else []),