Question about root ownership? #29

Open
hedefalk opened this issue Jun 28, 2023 · 3 comments


hedefalk commented Jun 28, 2023

I guess this needs to be run as root for the tunneling - but is there any way to separate the actual running from taking ownership of the paths? I get this on starting the service:

Warning: Taking root:admin ownership of some docker-mac-net-connect paths:
  /opt/homebrew/Cellar/docker-mac-net-connect/v0.1.2/bin
  /opt/homebrew/Cellar/docker-mac-net-connect/v0.1.2/bin/docker-mac-net-connect
  /opt/homebrew/opt/docker-mac-net-connect
  /opt/homebrew/opt/docker-mac-net-connect/bin
  /opt/homebrew/var/homebrew/linked/docker-mac-net-connect
This will require manual removal of these paths using `sudo rm` on
brew upgrade/reinstall/uninstall.
Warning: docker-mac-net-connect must be run as non-root to start at user login!
@hedefalk hedefalk changed the title non-root Question - run as non-root or as root? Jun 28, 2023
@hedefalk hedefalk changed the title Question - run as non-root or as root? Question about root ownership? Jun 28, 2023
Member

gregnr commented Jun 28, 2023

You bring up a good point @hedefalk. Unfortunately it doesn't look like this is configurable on the brew services side. Looking into their source, looks like they intentionally do this as a protection measure:
https://github.com/Homebrew/homebrew-services/blob/d39f864ddffda7a8c47dc95cd284b50683db9653/lib/service/services_cli.rb#L183

Since sudo brew services start registers the app to run on boot (as root), I imagine brew is trying to prevent users from accidentally modifying/removing it. Not 100% sure what would happen if it was modified to be honest, i.e. would macOS fail to boot if it couldn't run the app?

sudo brew services start uses launchctl under the hood, so we could consider bypassing brew services and register the app manually (without modifying ownership). I think I'd like to fully understand why brew services does this first before making that decision.

@RafalSkolasinski

> would macOS fail to boot if it couldn't run the app?

that would be pretty scary...

> I imagine brew is trying to prevent users from accidentally modifying/removing it

Could it be due to security risks related to running as root? By preventing modifying it they prevent using the service to gain root permissions?

Member

gregnr commented Sep 15, 2024

@RafalSkolasinski yep great point, this seems like the most likely explanation.
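
The concern in the last two comments, that a binary launched as root must not be replaceable by a non-root account, can be checked with an ownership audit of the executable and its parent directories. This is an added example, not part of the original thread and not Homebrew's or the project's code; the method name, its parameters and the temporary directory layout are assumptions, and treating group write as a finding is a policy choice of this sketch.

```ruby
require "pathname"
require "tmpdir"

# Added example; not Homebrew's or docker-mac-net-connect's code.
# Walks from an executable up to `stop_at` and reports every path component
# that an account other than `trusted_uid` could modify or replace.
# The method name and both keyword parameters are hypothetical.
def audit_root_launched_path(path, trusted_uid: 0, stop_at: "/")
  findings = []
  stop = Pathname.new(stop_at).expand_path
  current = Pathname.new(path).expand_path
  loop do
    st = current.lstat # lstat judges a symlink itself, not its target
    reasons = []
    reasons << "owner uid #{st.uid} is not #{trusted_uid}" if st.uid != trusted_uid
    unless st.symlink? # mode bits on a symlink carry no meaning
      # In a sticky directory only an entry's owner may rename or delete it.
      sticky = st.directory? && (st.mode & 0o1000) != 0
      reasons << "group-writable" if (st.mode & 0o020) != 0 && !sticky
      reasons << "world-writable" if (st.mode & 0o002) != 0 && !sticky
    end
    findings << [current.to_s, reasons] unless reasons.empty?
    break if current == stop || current.root?
    current = current.parent
  end
  findings
end

# Constructed layout standing in for a formula's bin directory.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |prefix|
    bin = File.join(prefix, "bin")
    exe = File.join(bin, "docker-mac-net-connect")
    Dir.mkdir(bin)
    File.write(exe, "#!/bin/sh\n")
    File.chmod(0o775, bin) # group-writable directory: should be reported
    File.chmod(0o755, exe)
    audit_root_launched_path(exe, stop_at: prefix).each do |p, why|
      puts "#{p}: #{why.join(', ')}"
    end
  end
end
```

For a symlinked path, run the audit on `File.realpath(path)` as well, since `lstat` only describes the link itself.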
