Allowing root user about erlexec HOT 5 CLOSED

The way to use this feature in the existing version of exec is through means of capabilities. When the exec process is started with -user User option , it'll switch effective user to User and set the setuid capability so that it would be able to start child processes using {user, SomeUser} option, where SomeUser could be any user including root.

from erlexec.

We're running tests inside of our CI which is done via GitLab CI and the official elixir image. The CI is automatically run as root.

I see no reason why a library should prevent me from doing exactly that.

I would propose that either the root checking condition that throws is removed or that there is at least a config option disabling the check both in the erlang & c++ code.

from erlexec.

That error is fixed in the latest commit. The reason the library makes it harder (but not impossible) to run as root is that it's easy to accidentally damage the system (think of exec:run("rm -rf *")), or to have unauthorized users do or see stuff they are not supposed to do or see.

from erlexec.

What you are proposing to do would impose a serious security risk as the erlexec could run any command on the system with root privileges for any user who doesn't have such privileges.

In the limited context where you don't care about such a security issue, you can accomplish that by using the proper startup options, described in the overview under the Allowing exec-port to run commands as other effective users example. There you would specify {user, "root"}, {limit_users, ["root"]} options to run at your own risk.

from erlexec.

@saleyn I tried to specifically setting the root user as an option, but this triggered the following warning:
https://github.com/saleyn/erlexec/blob/master/c_src/exec.cpp#L492

If I run any application as root, it is expected that the application also can use those rights. I don't understand why it should be different for this library...?

from erlexec.