From: Daan De Meyer Date: Fri, 20 Sep 2024 18:02:05 +0000 (+0200) Subject: Use run0 instead of refusing to run commands that need root unprivileged X-Git-Tag: v25~274 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4593c66ddff08e09206b59b7023c9e4ca7db7b91;p=thirdparty%2Fmkosi.git Use run0 instead of refusing to run commands that need root unprivileged --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 3bfae473f..327d2e469 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -3432,9 +3432,6 @@ def run_shell(args: Args, config: Config) -> None: if config.runtime_network == Network.user: cmdline += ["--resolv-conf=auto"] elif config.runtime_network == Network.interface: - if os.getuid() != 0: - die("RuntimeNetwork=interface requires root privileges") - cmdline += ["--private-network", "--network-veth"] elif config.runtime_network == Network.none: cmdline += ["--private-network"] @@ -3600,7 +3597,13 @@ def run_shell(args: Args, config: Config) -> None: stdout=sys.stdout, env=os.environ | config.environment, log=False, - sandbox=config.sandbox(binary="systemd-nspawn", devices=True, network=True, relaxed=True), + sandbox=config.sandbox( + binary="systemd-nspawn", + devices=True, + network=True, + relaxed=True, + setup=["run0"] if os.getuid() != 0 else [], + ), ) @@ -3617,7 +3620,9 @@ def run_systemd_tool(tool: str, args: Args, config: Config) -> None: and not config.forward_journal and os.getuid() != 0 ): - die(f"Must be root to run the {args.verb} command") + need_root = True + else: + need_root = False if (tool_path := config.find_binary(tool)) is None: die(f"Failed to find {tool}") @@ -3655,6 +3660,7 @@ def run_systemd_tool(tool: str, args: Args, config: Config) -> None: network=True, devices=config.output_format == OutputFormat.disk, relaxed=True, + setup=["run0"] if need_root else [], ), ) 
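Review bot: The `setup=["run0"] if os.getuid() != 0 else []` argument added to run_shell's `config.sandbox(...)` call assumes run0 is installed, and nothing visible checks for it, so on a host without it the old explicit "requires root privileges" message is replaced by whatever error the spawn produces. A guard before the call would keep the failure readable, for example `if os.getuid() != 0 and config.find_binary("run0") is None: die("Must be root or have run0 available to run this command")`; whether `find_binary` searches the right tree for a host-side helper is not visible here and should be confirmed. The same expression is repeated in the sandbox calls in mkosi/burn.py and mkosi/sysupdate.py, so one shared helper returning the prefix would keep the three sites consistent. It is also worth confirming that the `env=os.environ | config.environment` passed just above still reaches systemd-nspawn, since run0 starts the command as a transient unit and, as far as I know, does not inherit the caller's environment by default. The enclosing `run(...)` call starts outside the hunk.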
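Review bot: The `need_root = True` / `else: need_root = False` branches added in run_systemd_tool can be one assignment of the condition itself, `need_root = (<existing condition>)`, which keeps the elevation decision in a single expression. The condition begins above the hunk, so only its tail (`and not config.forward_journal and os.getuid() != 0`) is visible here. Since the removed `die(f"Must be root to run the {args.verb} command")` was the only text explaining why these cases need root, a one-line comment above the assignment stating that reason would preserve it, for instance `# These cases need root; elevate through run0 when unprivileged`. The flag is consumed by `setup=["run0"] if need_root else []` in the later hunk of the same function.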
@@ -4118,9 +4124,6 @@ def run_build( def run_verb(args: Args, images: Sequence[Config], *, resources: Path) -> None: images = list(images) - if args.verb.needs_root() and os.getuid() != 0: - die(f"Must be root to run the {args.verb} command") - if args.verb == Verb.completion: return print_completion(args, resources=resources) diff --git a/mkosi/burn.py b/mkosi/burn.py index ffa8bb2e9..e76fbba0f 100644 --- a/mkosi/burn.py +++ b/mkosi/burn.py @@ -17,8 +17,6 @@ def run_burn(args: Args, config: Config) -> None: if len(args.cmdline) != 1: die("Expected device argument.") - device = args.cmdline[0] - cmd = [ "systemd-repart", "--no-pager", @@ -28,7 +26,7 @@ def run_burn(args: Args, config: Config) -> None: "--dry-run=no", "--definitions=/", f"--copy-from={fname}", - device, + *args.cmdline, ] with complete_step("Burning 🔥🔥🔥 to medium…", "Burnt. 🔥🔥🔥"): @@ -38,5 +36,11 @@ def run_burn(args: Args, config: Config) -> None: stdout=sys.stdout, env=os.environ | config.environment, log=False, - sandbox=config.sandbox(binary="systemd-repart", devices=True, network=True, relaxed=True), + sandbox=config.sandbox( + binary="systemd-repart", + devices=True, + network=True, + relaxed=True, + setup=["run0"] if os.getuid() != 0 else [], + ), ) diff --git a/mkosi/config.py b/mkosi/config.py index e1ca77522..4051c6538 100644 --- a/mkosi/config.py +++ b/mkosi/config.py @@ -103,9 +103,6 @@ class Verb(StrEnum): Verb.sysupdate, ) - def needs_root(self) -> bool: - return self in (Verb.shell, Verb.boot, Verb.burn) - def needs_config(self) -> bool: return self not in ( Verb.help, diff --git a/mkosi/sysupdate.py b/mkosi/sysupdate.py index 197d3a314..5cb216817 100644 --- a/mkosi/sysupdate.py +++ b/mkosi/sysupdate.py 
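Review bot: Passing `*args.cmdline` into the systemd-repart argv in run_burn ties the command line to the `len(args.cmdline) != 1` check at the top of the function; if that check is ever loosened, every extra argument is forwarded to a tool that this commit now runs as root with `--dry-run=no`. Keeping the explicit `device = args.cmdline[0]` and passing `device,` documents that exactly one target is intended. Because the value comes straight from the command line, placing `"--",` before it would also stop a value beginning with `-` from being parsed as an option, assuming systemd-repart follows the usual getopt convention.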
@@ -42,6 +42,7 @@ def run_sysupdate(args: Args, config: Config) -> None: devices=True, network=True, relaxed=True, + setup=["run0"] if os.getuid() != 0 else [], options=[ *(["--bind", "/boot", "/boot"] if Path("/boot").exists() else []), *(["--bind", "/efi", "/efi"] if Path("/efi").exists() else []),