I live in a world of nobodies! #74

Closed
thcrt opened this issue Jun 5, 2023 · 5 comments
thcrt commented Jun 5, 2023

Sorry for the flippant title.

The issue is that programs running under boxxy see all users as nobody, with the exception of the user launching the program. For instance:

# proving my root filesystem isn't completely broken
~ ls -l /
total 56
lrwxrwxrwx   1 root root     7 Jan 31 21:51 bin -> usr/bin
drwxr-xr-x   4 root root  4096 Jan  1  1970 boot
drwxr-xr-x  21 root root  4240 Jun  5 20:20 dev
drwxr-xr-x  76 root root  4096 Jun  5 20:20 etc
drwxr-xr-x   4 root root  4096 May 28 11:38 home
lrwxrwxrwx   1 root root     7 Jan 31 21:51 lib -> usr/lib
lrwxrwxrwx   1 root root     7 Jan 31 21:51 lib64 -> usr/lib
drwx------   2 root root 16384 Apr 30 13:59 lost+found
drwxr-xr-x   3 root root  4096 May 28 10:04 media
drwxr-xr-x   2 root root  4096 Jan 31 21:51 mnt
drwxr-xr-x   8 root root  4096 May 12 21:35 opt
dr-xr-xr-x 287 root root     0 Jun  5 20:20 proc
drwx------   6 root root  4096 May 27 23:27 root
drwxr-xr-x  25 root root   580 Jun  5 20:20 run
lrwxrwxrwx   1 root root     7 Jan 31 21:51 sbin -> usr/bin
drwxr-xr-x   4 root root  4096 Apr 30 14:03 srv
dr-xr-xr-x  13 root root     0 Jun  5 20:20 sys
drwxrwxrwt  12 root root   280 Jun  5 20:23 tmp
drwxr-xr-x  10 root root  4096 May 28 21:52 usr
drwxr-xr-x  12 root root  4096 May 30 17:06 var

# now let's see what boxxy sees
~ boxxy ls -l /
 INFO  boxxy > loading rules from /home/alex/.local/config/boxxy/boxxy.yaml
 INFO  boxxy > loaded 5 total rule(s)
 INFO  boxxy::enclosure > applying 5 rules
 INFO  boxxy::enclosure > applying rule [...]
 INFO  boxxy::enclosure > boxed "ls" ♥
total 56
lrwxrwxrwx   1 nobody nobody     7 Jan 31 21:51 bin -> usr/bin
drwxr-xr-x   4 nobody nobody  4096 Jan  1  1970 boot
drwxr-xr-x  21 nobody nobody  4240 Jun  5 20:20 dev
drwxr-xr-x  76 nobody nobody  4096 Jun  5 20:20 etc
drwxr-xr-x   4 nobody nobody  4096 May 28 11:38 home
lrwxrwxrwx   1 nobody nobody     7 Jan 31 21:51 lib -> usr/lib
lrwxrwxrwx   1 nobody nobody     7 Jan 31 21:51 lib64 -> usr/lib
drwx------   2 nobody nobody 16384 Apr 30 13:59 lost+found
drwxr-xr-x   3 nobody nobody  4096 May 28 10:04 media
drwxr-xr-x   2 nobody nobody  4096 Jan 31 21:51 mnt
drwxr-xr-x   8 nobody nobody  4096 May 12 21:35 opt
dr-xr-xr-x 289 nobody nobody     0 Jun  5 20:20 proc
drwx------   6 nobody nobody  4096 May 27 23:27 root
drwxr-xr-x  25 nobody nobody   580 Jun  5 20:20 run
lrwxrwxrwx   1 nobody nobody     7 Jan 31 21:51 sbin -> usr/bin
drwxr-xr-x   4 nobody nobody  4096 Apr 30 14:03 srv
dr-xr-xr-x  13 nobody nobody     0 Jun  5 20:20 sys
drwxrwxrwt  12 nobody nobody   280 Jun  5 20:23 tmp
drwxr-xr-x  10 nobody nobody  4096 May 28 21:52 usr
drwxr-xr-x  12 nobody nobody  4096 May 30 17:06 var

# i can still see perms on my own files though
~ boxxy ls -l ~
 INFO  boxxy > loading rules from /home/alex/.local/config/boxxy/boxxy.yaml
 INFO  boxxy > loaded 5 total rule(s)
 INFO  boxxy::enclosure > applying 5 rules
 INFO  boxxy::enclosure > applying rule [...]
 INFO  boxxy::enclosure > boxed "ls" ♥
total 92
drwx------ 2 alex alex  4096 Jun  4 21:40 Downloads
drwx------ 5 alex alex  4096 May 13 20:41 Projects

This causes a few issues, such as not being able to sudo:

~ boxxy sudo echo
 INFO  boxxy > loading rules from /home/alex/.local/config/boxxy/boxxy.yaml
 INFO  boxxy > loaded 5 total rule(s)
 INFO  boxxy::enclosure > applying 5 rules
 INFO  boxxy::enclosure > applying rule [...]
 INFO  boxxy::enclosure > boxed "sudo" ♥
sudo: /etc/sudo.conf is owned by uid 65534, should be 0
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
Owner

queer commented Jun 5, 2023

Mapping the root user into the container is... difficult... and I have not found a workable solution yet. See also #6.

queer closed this as completed Jun 5, 2023
Owner

queer commented Jun 5, 2023

You can also see how the current user-mapping mechanism works here:

boxxy/src/enclosure/mod.rs

Lines 96 to 132 in ae9fa1d

// Map current UID + GID into the container so that things continue to
// work as expected.
// Get current UID + GID
let uid = nix::unistd::geteuid();
let gid = nix::unistd::getegid();
// Call newuidmap + newgidmap
// TODO: This is hacky. I don't like this.
// It's... difficult... to map uids/gids properly. There is a proper
// mechanism for doing so, but it's a part of the `shadow` package, and
// I don't want to generate C bindings right now. Instead, this just
// tries to map them over and over, removing broken uids/gids until it
// happens to work.
// This isn't optimal, but it works.
if let Some(user) = User::from_uid(uid)? {
    let mut uid_map = HashMap::new();
    uid_map.insert(user.uid, user.uid);
    linux::map_uids(pid, &mut uid_map)?;
    let mut gid_map = HashMap::new();
    gid_map.insert(user.gid, user.gid);
    gid_map.insert(Gid::from_raw(0), Gid::from_raw(0));
    getgrouplist(&CString::new(user.name)?, gid)?
        .iter()
        .for_each(|gid| {
            gid_map.insert(*gid, *gid);
        });
    linux::map_gids(pid, &mut gid_map)?;
    debug!("finished setting up uid/gid mapping");
} else {
    unreachable!("it should be impossible to have a user that doesn't have your uid");
}

pub fn map_uids<I: Into<i32>>(pid: I, uids: &mut HashMap<Uid, Uid>) -> Result<()> {
    let pid = pid.into();
    let mut args = vec![pid.to_string()];
    for (old_uid, new_uid) in uids.iter() {
        args.push(old_uid.to_string());
        args.push(new_uid.to_string());
        args.push("1".to_string());
    }
    let newuidmap = Command::new("newuidmap").args(args).output();
    if newuidmap.is_err() {
        return newuidmap.map(|_| ()).map_err(|e| e.into());
    }
    let newuidmap = newuidmap?;
    let stderr = String::from_utf8(newuidmap.stderr)?;
    if let Some(bad_uid) = check_mapping_regex(r"newuidmap: uid range \[(\d+)-.*", &stderr)? {
        // Remove bad uid, continue to call newuidmap until it works
        uids.remove(&Uid::from_raw(bad_uid));
        return map_uids(pid, uids);
    }
    debug!("mapped uids {:#?}", uids);
    Ok(())
}

pub fn map_gids<I: Into<i32>>(pid: I, gids: &mut HashMap<Gid, Gid>) -> Result<()> {
    let pid = pid.into();
    let mut args = vec![pid.to_string()];
    for (old_gid, new_gid) in gids.iter() {
        args.push(old_gid.to_string());
        args.push(new_gid.to_string());
        args.push("1".to_string());
    }
    let newgidmap = Command::new("newgidmap").args(args).output();
    if newgidmap.is_err() {
        return newgidmap.map(|_| ()).map_err(|e| e.into());
    }
    let newgidmap = newgidmap?;
    let stderr = String::from_utf8(newgidmap.stderr)?;
    if let Some(bad_gid) = check_mapping_regex(r"newgidmap: gid range \[(\d+)-.*", &stderr)? {
        // Remove bad gid, continue to call newgidmap until it works
        gids.remove(&Gid::from_raw(bad_gid));
        return map_gids(pid, gids);
    }
    debug!("mapped gids {:#?}", gids);
    Ok(())
}

I'm open to suggestions on how to do a better job with it, since I haven't found one yet.
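
Added illustration, not part of the issue thread or of boxxy's source: a small model of how the kernel translates host uids through a user namespace's `/proc/<pid>/uid_map`, showing why a map containing only the launching user makes root-owned files appear as uid 65534 (`nobody`), which is the value sudo rejects above. The names `Extent`, `parse_uid_map` and `uid_seen_inside` are hypothetical, and uid 1000 for the launching user is an assumption.

```rust
// Added example: how host uids are presented inside a user namespace.
// OVERFLOW_UID mirrors the default of /proc/sys/kernel/overflowuid.
const OVERFLOW_UID: u32 = 65534;

/// One line of /proc/<pid>/uid_map: "<inside> <outside> <count>".
#[derive(Debug, PartialEq)]
struct Extent { inside: u32, outside: u32, count: u32 }

/// Parse uid_map text; malformed lines are reported rather than skipped.
fn parse_uid_map(text: &str) -> Result<Vec<Extent>, String> {
    text.lines()
        .filter(|l| !l.trim().is_empty())
        .map(|line| -> Result<Extent, String> {
            let f: Vec<u32> = line
                .split_whitespace()
                .map(|s| s.parse::<u32>().map_err(|e| format!("{line:?}: {e}")))
                .collect::<Result<_, _>>()?;
            match f.as_slice() {
                &[inside, outside, count] => Ok(Extent { inside, outside, count }),
                _ => Err(format!("{line:?}: expected 3 fields")),
            }
        })
        .collect()
}

/// Uid a process inside the namespace sees for a file owned by `host_uid`.
/// Any host uid not covered by an extent collapses to the overflow uid.
fn uid_seen_inside(map: &[Extent], host_uid: u32) -> u32 {
    map.iter()
        .find(|e| host_uid >= e.outside && host_uid - e.outside < e.count)
        .map(|e| e.inside + (host_uid - e.outside))
        .unwrap_or(OVERFLOW_UID)
}

fn main() {
    // Constructed sample: a one-uid map like the one requested for the
    // launching user (uid 1000 is assumed here).
    let boxed = parse_uid_map("1000 1000 1\n").unwrap();
    // Constructed sample: the identity map of the initial namespace.
    let host = parse_uid_map("0 0 4294967295\n").unwrap();
    for uid in [0, 1000] {
        println!("host uid {uid}: boxed sees {}, host sees {}",
            uid_seen_inside(&boxed, uid), uid_seen_inside(&host, uid));
    }
}
```

Reading the real map of a boxed process with `cat /proc/<pid>/uid_map` and comparing it with this model is a quick way to confirm which host ids a sandbox actually exposes.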

Author

thcrt commented Jun 5, 2023

Wait, so this has always been the case? I could have sworn I used sudo in a boxxed VSCodium before.

That is indeed frustrating. Well, it is what it is -- I understand it's a difficult problem, and this is a very nice project nonetheless. I may have to Pandora-ify VSCodium for now though.

Owner

queer commented Jun 5, 2023

> I may have to Pandora-ify VSCodium for now though.

If it helps, the way I solved this problem was to add a shell config to VSC to SSH into my machine and cd to the project directory. Not the nicest solution, but it does work...

Author

thcrt commented Jun 5, 2023

holy shit that's disgusting. i might also do it though
