feat: add --container-runuser option to use runuser instead of su

liannnix · liannnix · commit 0a45c1217176 · 2026-01-29T18:43:29.000+04:00
Add new --container-runuser/-R option that allows using runuser instead
of su inside container when unshare_groups is enabled. This can be
configured via:
- Command line: --container-runuser or -R
- Environment variable: DBX_CONTAINER_RUNUSER=1/true
- Config file: distrobox_container_runuser=1/true

The option defaults to disabled (0) to maintain backward compatibility.
diff --git a/distrobox-enter b/distrobox-enter
@@ -32,6 +32,7 @@
 #	DBX_CONTAINER_MANAGER
 #	DBX_CONTAINER_NAME
 #	DBX_CONTAINER_CLEAN_PATH
+#	DBX_CONTAINER_RUNUSER
 #	DBX_NON_INTERACTIVE
 #	DBX_VERBOSE
 #	DBX_SKIP_WORKDIR
@@ -109,6 +110,7 @@ headless=0
 skip_workdir=0
 verbose=0
 clean_path=0
+use_runuser=0
 version="1.8.2.3"
 
 # Source configuration files, this is done in an hierarchy so local files have
@@ -146,6 +148,9 @@ if [ "$(id -ru)" -ne 0 ]; then
 	distrobox_sudo_program=${DBX_SUDO_PROGRAM:-${distrobox_sudo_program:-"sudo"}}
 fi
 
+# Read distrobox_container_runuser from config or env
+distrobox_container_runuser=${DBX_CONTAINER_RUNUSER:-${distrobox_container_runuser:-0}}
+
 [ -n "${DBX_CONTAINER_MANAGER}" ] && container_manager="${DBX_CONTAINER_MANAGER}"
 [ -n "${DBX_CONTAINER_NAME}" ] && container_name="${DBX_CONTAINER_NAME}"
 [ -n "${DBX_CONTAINER_CLEAN_PATH}" ] && clean_path=1
@@ -158,6 +163,10 @@ fi
 [ "${non_interactive}" = "false" ] && non_interactive=0
 [ "${verbose}" = "true" ] && verbose=1
 [ "${verbose}" = "false" ] && verbose=0
+[ "${distrobox_container_runuser}" = "true" ] && use_runuser=1
+[ "${distrobox_container_runuser}" = "false" ] && use_runuser=0
+[ "${distrobox_container_runuser}" = "1" ] && use_runuser=1
+[ "${distrobox_container_runuser}" = "0" ] && use_runuser=0
 
 # show_help will print usage to stdout.
 # Arguments:
@@ -193,6 +202,7 @@ Options:
 	--root/-r:		launch podman/docker/lilipod with root privileges. Note that if you need root this is the preferred
 				way over "sudo distrobox" (note: if using a program other than 'sudo' for root privileges is necessary,
 				specify it through the DBX_SUDO_PROGRAM env variable, or 'distrobox_sudo_program' config variable)
+	--container-runuser/-R:	inside the container, use runuser instead of su for user switching (only when unshare_groups is enabled)
 	--dry-run/-d:		only print the container manager command generated
 	--verbose/-v:		show more verbosity
 	--version/-V:		show version
@@ -231,6 +241,10 @@ while :; do
 			shift
 			skip_workdir=1
 			;;
+		-R | --container-runuser)
+			shift
+			use_runuser=1
+			;;
 		-n | --name)
 			if [ -n "$2" ]; then
 				container_name="$2"
@@ -696,7 +710,7 @@ if [ "${container_custom_command}" -eq 0 ]; then
 fi
 
 # If we have a command and we're unsharing groups, we need to execute those
-# command using su $container_command_user
+# command using su $container_command_user (or runuser if --runuser is specified)
 # if we're in a tty, also allocate one
 if [ "${unshare_groups:-0}" -eq 1 ]; then
 	# shellcheck disable=SC2089,SC2016
@@ -707,7 +721,11 @@ if [ "${unshare_groups:-0}" -eq 1 ]; then
 	fi
 	set -- "-m" "$@"
 	set -- "${container_command_user}" "$@"
-	set -- "su" "$@"
+	if [ "${use_runuser}" -eq 1 ]; then
+		set -- "runuser" "$@"
+	else
+		set -- "su" "$@"
+	fi
 fi
 
 # Generate the exec command and run it
diff --git a/docs/usage/distrobox-enter.md b/docs/usage/distrobox-enter.md
@@ -25,6 +25,7 @@ If using it inside a script, an application, or a service, you can specify the
 	--root/-r:		launch podman/docker/lilipod with root privileges. Note that if you need root this is the preferred
 				way over "sudo distrobox" (note: if using a program other than 'sudo' for root privileges is necessary,
 				specify it through the DBX_SUDO_PROGRAM env variable, or 'distrobox_sudo_program' config variable)
+	--container-runuser/-R:	inside the container, use runuser instead of su for user switching (only when unshare_groups is enabled)
 	--dry-run/-d:		only print the container manager command generated
 	--verbose/-v:		show more verbosity
 	--version/-V:		show version
@@ -57,6 +58,7 @@ You can also use environment variables to specify container manager and containe
 
 	DBX_CONTAINER_NAME
 	DBX_CONTAINER_MANAGER
+	DBX_CONTAINER_RUNUSER
 	DBX_SKIP_WORKDIR
 	DBX_SUDO_PROGRAM
 
@@ -85,3 +87,12 @@ run podman/docker/lilipod as root, such as 'pkexec' or 'doas', you may specify i
 Additionally, in one of the config file paths that distrobox supports, such as `~/.distroboxrc`,
 you can also append the line `distrobox_sudo_program="doas"` (for example) to always run
 distrobox commands involving rootful containers using 'doas'.
+
+Similarly, to use runuser instead of su inside the container (when unshare_groups is enabled),
+you can specify it with `DBX_CONTAINER_RUNUSER` environment variable. For example:
+
+	DBX_CONTAINER_RUNUSER="true" distrobox enter -n container
+
+Additionally, in one of the config file paths that distrobox supports, such as `~/.distroboxrc`,
+you can also append the line `distrobox_container_runuser="true"` to always use runuser
+instead of su inside the container.
