unpriv

Author: f0ssel

cli/cli.go

@@ -24,14 +24,15 @@ import (
 type Config struct {
 	AllowStrings []string
 	LogLevel     string
+	Unprivileged bool
 }
 
 // NewCommand creates and returns the root serpent command
 func NewCommand() *serpent.Command {
 	// To make the top level jail command, we just make some minor changes to the base command
 	cmd := BaseCommand()
 	cmd.Use = "jail [flags] -- command [args...]" // Add the flags and args pieces to usage.
-	
+
 	// Add example usage to the long description. This is different from usage as a subcommand because it
 	// may be called something different when used as a subcommand / there will be a leading binary (i.e. `coder jail` vs. `jail`).
 	cmd.Long += `Examples:
@@ -43,7 +44,7 @@ func NewCommand() *serpent.Command {
 
   # Block everything by default (implicit)`
 
-  return cmd
+	return cmd
 }
 
 // Base command returns the jail serpent command without the information involved in making it the
@@ -74,6 +75,13 @@ user-defined rules.`,
 				Default:     "warn",
 				Value:       serpent.StringOf(&config.LogLevel),
 			},
+			{
+				Name:        "unprivileged",
+				Flag:        "unprivileged",
+				Env:         "JAIL_UNPRIVILEGED",
+				Description: "Use unprivileged mode (proxy environment variables, no sudo required, Linux only).",
+				Value:       serpent.BoolOf(&config.Unprivileged),
+			},
 		},
 		Handler: func(inv *serpent.Invocation) error {
 			return Run(inv.Context(), config, inv.Args)
@@ -112,7 +120,7 @@ func Run(ctx context.Context, config Config, args []string) error {
 	auditor := audit.NewLoggingAuditor(logger)
 
 	// Create certificate manager
-	certManager, err := tls.NewCertificateManager(tls.Config{
+	certManager, err := tls.NewCertificateManager(tls.Options{
 		Logger:    logger,
 		ConfigDir: userInfo.ConfigDir,
 	})
@@ -171,30 +179,29 @@ func Run(ctx context.Context, config Config, args []string) error {
 	return nil
 }
 
+// getUserInfo returns information about the current user, handling sudo scenarios
 func getUserInfo() namespace.UserInfo {
-	// get the user info of the original user even if we are running under sudo
-	sudoUser := os.Getenv("SUDO_USER")
-
-	// If running under sudo, get original user information
-	if sudoUser != "" {
+	// Only consider SUDO_USER if we're actually running with elevated privileges
+	// In environments like Coder workspaces, SUDO_USER may be set to 'root'
+	// but we're not actually running under sudo
+	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" && os.Geteuid() == 0 && sudoUser != "root" {
+		// We're actually running under sudo with a non-root original user
 		user, err := user.Lookup(sudoUser)
 		if err != nil {
-			// Fallback to current user if lookup fails
-			return getCurrentUserInfo()
+			return getCurrentUserInfo() // Fallback to current user
 		}
 
-		// Parse SUDO_UID and SUDO_GID
-		uid := 0
-		gid := 0
+		uid, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
+		gid, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
 
-		if sudoUID := os.Getenv("SUDO_UID"); sudoUID != "" {
-			if parsedUID, err := strconv.Atoi(sudoUID); err == nil {
+		// If we couldn't get UID/GID from env, parse from user info
+		if uid == 0 {
+			if parsedUID, err := strconv.Atoi(user.Uid); err == nil {
 				uid = parsedUID
 			}
 		}
-
-		if sudoGID := os.Getenv("SUDO_GID"); sudoGID != "" {
-			if parsedGID, err := strconv.Atoi(sudoGID); err == nil {
+		if gid == 0 {
+			if parsedGID, err := strconv.Atoi(user.Gid); err == nil {
 				gid = parsedGID
 			}
 		}
@@ -210,7 +217,7 @@ func getUserInfo() namespace.UserInfo {
 		}
 	}
 
-	// Not running under sudo, use current user
+	// Not actually running under sudo, use current user
 	return getCurrentUserInfo()
 }
 

jail.go

@@ -16,10 +16,11 @@ import (
 )
 
 type Config struct {
-	RuleEngine  rules.Evaluator
-	Auditor     audit.Auditor
-	CertManager tls.Manager
-	Logger      *slog.Logger
+	RuleEngine   rules.Evaluator
+	Auditor      audit.Auditor
+	CertManager  tls.Manager
+	Logger       *slog.Logger
+	Unprivileged bool
 }
 
 type Jail struct {
@@ -52,17 +53,9 @@ func New(ctx context.Context, config Config) (*Jail, error) {
 		Logger:         config.Logger,
 		HttpProxyPort:  8080,
 		HttpsProxyPort: 8443,
-		Env: map[string]string{
-			// Set standard CA certificate environment variables for common tools
-			// This makes tools like curl, git, etc. trust our dynamically generated CA
-			"SSL_CERT_FILE":       caCertPath, // OpenSSL/LibreSSL-based tools
-			"SSL_CERT_DIR":        configDir,  // OpenSSL certificate directory
-			"CURL_CA_BUNDLE":      caCertPath, // curl
-			"GIT_SSL_CAINFO":      caCertPath, // Git
-			"REQUESTS_CA_BUNDLE":  caCertPath, // Python requests
-			"NODE_EXTRA_CA_CERTS": caCertPath, // Node.js
-		},
-	})
+		TlsConfigDir:   configDir,
+		CACertPath:     caCertPath,
+	}, config.Unprivileged)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create commander: %v", err)
 	}
@@ -118,7 +111,11 @@ func (j *Jail) Close() error {
 }
 
 // newNamespaceCommander creates a new namespace instance for the current platform
-func newNamespaceCommander(config namespace.Config) (namespace.Commander, error) {
+func newNamespaceCommander(config namespace.Config, unprivledged bool) (namespace.Commander, error) {
+	if unprivledged {
+		return namespace.NewUnprivileged(config)
+	}
+
 	switch runtime.GOOS {
 	case "darwin":
 		return namespace.NewMacOS(config)

namespace/linux.go

@@ -7,7 +7,6 @@ import (
 	"log/slog"
 	"os"
 	"os/exec"
-	"strings"
 	"syscall"
 	"time"
 )
@@ -17,28 +16,20 @@ type Linux struct {
 	namespace      string
 	vethHost       string // Host-side veth interface name for iptables rules
 	logger         *slog.Logger
-	preparedEnv    map[string]string
 	procAttr       *syscall.SysProcAttr
+	commandEnv     []string
 	httpProxyPort  int
 	httpsProxyPort int
-	user           string
-	homeDir        string
-	uid            int
-	gid            int
+	tlsConfigDir   string
+	caCertPath     string
+	userInfo       UserInfo
 }
 
 // NewLinux creates a new Linux network jail instance
 func NewLinux(config Config) (*Linux, error) {
-	// Initialize preparedEnv with config environment variables
-	preparedEnv := make(map[string]string)
-	for key, value := range config.Env {
-		preparedEnv[key] = value
-	}
-
 	return &Linux{
 		namespace:      newNamespaceName(),
 		logger:         config.Logger,
-		preparedEnv:    preparedEnv,
 		httpProxyPort:  config.HttpProxyPort,
 		httpsProxyPort: config.HttpsProxyPort,
 	}, nil
@@ -75,28 +66,17 @@ func (l *Linux) Start() error {
 
 	// Prepare environment once during setup
 	l.logger.Debug("Preparing environment")
-
-	// Start with current environment
-	for _, envVar := range os.Environ() {
-		if parts := strings.SplitN(envVar, "=", 2); len(parts) == 2 {
-			// Only set if not already set by config
-			if _, exists := l.preparedEnv[parts[0]]; !exists {
-				l.preparedEnv[parts[0]] = parts[1]
-			}
-		}
-	}
-
-	// Set HOME to original user's home directory
-	l.preparedEnv["HOME"] = l.homeDir
-	// Set USER to original username
-	l.preparedEnv["USER"] = l.user
-	// Set LOGNAME to original username (some tools check this instead of USER)
-	l.preparedEnv["LOGNAME"] = l.user
+	e := getEnvs(l.tlsConfigDir, l.caCertPath)
+	l.commandEnv = mergeEnvs(e, map[string]string{
+		"HOME":    l.userInfo.HomeDir,
+		"USER":    l.userInfo.Username,
+		"LOGNAME": l.userInfo.Username,
+	})
 
 	l.procAttr = &syscall.SysProcAttr{
 		Credential: &syscall.Credential{
-			Uid: uint32(l.uid),
-			Gid: uint32(l.gid),
+			Uid: uint32(l.userInfo.Uid),
+			Gid: uint32(l.userInfo.Gid),
 		},
 	}
 
@@ -116,12 +96,7 @@ func (l *Linux) Command(command []string) *exec.Cmd {
 
 	cmd := exec.Command("ip", cmdArgs[1:]...)
 
-	// Use prepared environment from Open method
-	env := make([]string, 0, len(l.preparedEnv))
-	for key, value := range l.preparedEnv {
-		env = append(env, fmt.Sprintf("%s=%s", key, value))
-	}
-	cmd.Env = env
+	cmd.Env = l.commandEnv
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
@@ -280,4 +255,4 @@ func (l *Linux) removeNamespace() error {
 		return fmt.Errorf("failed to remove namespace: %v", err)
 	}
 	return nil
-}
+}

namespace/macos.go

@@ -23,10 +23,12 @@ type MacOSNetJail struct {
 	pfRulesPath    string
 	mainRulesPath  string
 	logger         *slog.Logger
-	preparedEnv    map[string]string
+	commandEnv     []string
 	procAttr       *syscall.SysProcAttr
 	httpProxyPort  int
 	httpsProxyPort int
+	tlsConfigDir   string
+	caCertPath     string
 	userInfo       UserInfo
 }
 
@@ -36,17 +38,10 @@ func NewMacOS(config Config) (*MacOSNetJail, error) {
 	pfRulesPath := fmt.Sprintf("/tmp/%s.pf", ns)
 	mainRulesPath := fmt.Sprintf("/tmp/%s_main.pf", ns)
 
-	// Initialize preparedEnv with config environment variables
-	preparedEnv := make(map[string]string)
-	for key, value := range config.Env {
-		preparedEnv[key] = value
-	}
-
 	return &MacOSNetJail{
 		pfRulesPath:    pfRulesPath,
 		mainRulesPath:  mainRulesPath,
 		logger:         config.Logger,
-		preparedEnv:    preparedEnv,
 		httpProxyPort:  config.HttpProxyPort,
 		httpsProxyPort: config.HttpsProxyPort,
 		userInfo:       config.UserInfo,
@@ -74,22 +69,12 @@ func (m *MacOSNetJail) Start() error {
 	// Prepare environment once during setup
 	m.logger.Debug("Preparing environment")
 
-	// Start with current environment
-	for _, envVar := range os.Environ() {
-		if parts := strings.SplitN(envVar, "=", 2); len(parts) == 2 {
-			// Only set if not already set by config
-			if _, exists := m.preparedEnv[parts[0]]; !exists {
-				m.preparedEnv[parts[0]] = parts[1]
-			}
-		}
-	}
-
-	// Set HOME to original user's home directory
-	m.preparedEnv["HOME"] = m.userInfo.HomeDir
-	// Set USER to original username
-	m.preparedEnv["USER"] = m.userInfo.Username
-	// Set LOGNAME to original username (some tools check this instead of USER)
-	m.preparedEnv["LOGNAME"] = m.userInfo.Username
+	e := getEnvs(m.tlsConfigDir, m.caCertPath)
+	m.commandEnv = mergeEnvs(e, map[string]string{
+		"HOME":    m.userInfo.HomeDir,
+		"USER":    m.userInfo.Username,
+		"LOGNAME": m.userInfo.Username,
+	})
 
 	// Prepare process credentials once during setup
 	m.logger.Debug("Preparing process credentials")
@@ -117,12 +102,7 @@ func (m *MacOSNetJail) Command(command []string) *exec.Cmd {
 	cmd := exec.Command(command[0], command[1:]...)
 	m.logger.Debug("Full command args", "args", command)
 
-	// Use prepared environment from Open method
-	env := make([]string, 0, len(m.preparedEnv))
-	for key, value := range m.preparedEnv {
-		env = append(env, fmt.Sprintf("%s=%s", key, value))
-	}
-	cmd.Env = env
+	cmd.Env = m.commandEnv
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	cmd.Stdin = os.Stdin

namespace/name.go

@@ -2,6 +2,8 @@ package namespace
 
 import (
 	"fmt"
+	"os"
+	"strings"
 	"time"
 )
 
@@ -12,3 +14,41 @@ const (
 func newNamespaceName() string {
 	return fmt.Sprintf("%s_%d", prefix, time.Now().UnixNano()%10000000)
 }
+
+func getEnvs(configDir string, caCertPath string) []string {
+	e := os.Environ()
+
+	mergeEnvs(e, map[string]string{
+		// Set standard CA certificate environment variables for common tools
+		// This makes tools like curl, git, etc. trust our dynamically generated CA
+		"SSL_CERT_FILE":       caCertPath, // OpenSSL/LibreSSL-based tools
+		"SSL_CERT_DIR":        configDir,  // OpenSSL certificate directory
+		"CURL_CA_BUNDLE":      caCertPath, // curl
+		"GIT_SSL_CAINFO":      caCertPath, // Git
+		"REQUESTS_CA_BUNDLE":  caCertPath, // Python requests
+		"NODE_EXTRA_CA_CERTS": caCertPath, // Node.js
+	})
+
+	return e
+}
+
+func mergeEnvs(base []string, extra map[string]string) []string {
+	envMap := make(map[string]string)
+	for _, env := range base {
+		parts := strings.SplitN(env, "=", 2)
+		if len(parts) == 2 {
+			envMap[parts[0]] = parts[1]
+		}
+	}
+
+	for key, value := range extra {
+		envMap[key] = value
+	}
+
+	merged := make([]string, 0, len(envMap))
+	for key, value := range envMap {
+		merged = append(merged, key+"="+value)
+	}
+
+	return merged
+}

namespace/namespace.go

@@ -15,7 +15,8 @@ type Config struct {
 	Logger         *slog.Logger
 	HttpProxyPort  int
 	HttpsProxyPort int
-	Env            map[string]string
+	TlsConfigDir   string
+	CACertPath     string
 	UserInfo       UserInfo
 }