[RFC v3 5/6] kas-container: block usage of sudo in isar-rootless mode
5 views
Skip to first unread message
Felix Moessbauer
Feb 26, 2026, 11:02:25 AMFeb 26
to kas-...@googlegroups.com, jan.k...@siemens.com, christi...@siemens.com, Felix Moessbauer
After switching to the builder user, we prohibit using sudo. This helps
downstream layers to find locations where sudo is incorrectly used, as
well as it prevents accidential breakout on system docker.
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
container-entrypoint | 11 +++++++++++
kas-container | 1 +
2 files changed, 12 insertions(+)
diff --git a/container-entrypoint b/container-entrypoint
index da0c36d3a..9d23b6248 100755
--- a/container-entrypoint
+++ b/container-entrypoint
@@ -168,6 +168,17 @@ if [ "$PWD" = / ]; then
cd /builder || exit 1
fi
+if [ "$KAS_BLOCK_SUDO" = "1" ]; then
+ mkdir -p /usr/local/libexec
+ cat <<'EOF' > /usr/local/libexec/kas-no-sudo
+#!/bin/sh
+printf "KAS_BLOCK_SUDO=1: sudo is prohibited\n" >&2
+exit 1
+EOF
+ chmod +x /usr/local/libexec/kas-no-sudo
+ ln -sf /usr/local/libexec/kas-no-sudo /usr/bin/sudo
+fi
+
if [ -n "$1" ]; then
case "$1" in
build|checkout|clean*|diff|dump|for-all-repos|lock|menu|purge|shell|-*)
diff --git a/kas-container b/kas-container
index 38f4992cc..25ef1fd15 100755
--- a/kas-container
+++ b/kas-container
@@ -177,6 +177,7 @@ enable_isar_rootless_mode()
fi
ISAR_ROOTLESS_MODE=1
KAS_CONTAINER_IMAGE_NAME_DEFAULT="kas-isar"
+ KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} -e KAS_BLOCK_SUDO=1"
# Use --privileged to pass the ambient capabilities into the container.
# When calling from the user session (podman or docker-rootless), this
--
2.51.0
downstream layers to find locations where sudo is incorrectly used, as
well as it prevents accidential breakout on system docker.
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
container-entrypoint | 11 +++++++++++
kas-container | 1 +
2 files changed, 12 insertions(+)
diff --git a/container-entrypoint b/container-entrypoint
index da0c36d3a..9d23b6248 100755
--- a/container-entrypoint
+++ b/container-entrypoint
@@ -168,6 +168,17 @@ if [ "$PWD" = / ]; then
cd /builder || exit 1
fi
+if [ "$KAS_BLOCK_SUDO" = "1" ]; then
+ mkdir -p /usr/local/libexec
+ cat <<'EOF' > /usr/local/libexec/kas-no-sudo
+#!/bin/sh
+printf "KAS_BLOCK_SUDO=1: sudo is prohibited\n" >&2
+exit 1
+EOF
+ chmod +x /usr/local/libexec/kas-no-sudo
+ ln -sf /usr/local/libexec/kas-no-sudo /usr/bin/sudo
+fi
+
if [ -n "$1" ]; then
case "$1" in
build|checkout|clean*|diff|dump|for-all-repos|lock|menu|purge|shell|-*)
diff --git a/kas-container b/kas-container
index 38f4992cc..25ef1fd15 100755
--- a/kas-container
+++ b/kas-container
@@ -177,6 +177,7 @@ enable_isar_rootless_mode()
fi
ISAR_ROOTLESS_MODE=1
KAS_CONTAINER_IMAGE_NAME_DEFAULT="kas-isar"
+ KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} -e KAS_BLOCK_SUDO=1"
# Use --privileged to pass the ambient capabilities into the container.
# When calling from the user session (podman or docker-rootless), this
--
2.51.0
Jan Kiszka
May 29, 2026, 4:42:16 AM (yesterday) May 29
to Felix Moessbauer, kas-...@googlegroups.com, christi...@siemens.com
permanently that checks KAS_BLOCK_SUDO and either calls sudo or rejects
this?
Jan
> +fi
> +
> if [ -n "$1" ]; then
> case "$1" in
> build|checkout|clean*|diff|dump|for-all-repos|lock|menu|purge|shell|-*)
> diff --git a/kas-container b/kas-container
> index 38f4992cc..25ef1fd15 100755
> --- a/kas-container
> +++ b/kas-container
> @@ -177,6 +177,7 @@ enable_isar_rootless_mode()
> fi
> ISAR_ROOTLESS_MODE=1
> KAS_CONTAINER_IMAGE_NAME_DEFAULT="kas-isar"
> + KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} -e KAS_BLOCK_SUDO=1"
>
> # Use --privileged to pass the ambient capabilities into the container.
> # When calling from the user session (podman or docker-rootless), this
--
Linux Expert Center
MOESSBAUER, Felix
May 29, 2026, 5:10:33 AM (yesterday) May 29
to Kiszka, Jan, kas-...@googlegroups.com, Storm, Christian
This is technically challenging. We would have to replace the
/usr/bin/sudo binary with the wrapper, as the PATH only contains
/usr/bin in some execution contexts. Moving setuid binaries around is a
risk at its own.
Further, we really want to enforce this hardening by making it
impossible to call sudo.
Felix
Jan Kiszka
May 29, 2026, 5:13:10 AM (yesterday) May 29
to Moessbauer, Felix (FT RPD CED OES-DE), kas-...@googlegroups.com, Storm, Christian (FT RPD CED)
way to go from builder user to root inside the unprivileged container
anymore?
Jan
MOESSBAUER, Felix
May 29, 2026, 7:16:30 AM (yesterday) May 29
to Kiszka, Jan, kas-...@googlegroups.com, Storm, Christian
Actually I would prefer to not even have sudo installed, but as we use
the same container for privileged and non-privileged execution, this is
the workaround (and it also helps to issue a meaningful error message
on accidental sudo invocation).
AFAIK, there is no way to switch users, given that switching via su is
not possible as we don't set a password for root.
So yes, it's a security feature.
Felix
Jan Kiszka
2:38 AM (14 hours ago) 2:38 AM
to Moessbauer, Felix (FT RPD CED OES-DE), kas-...@googlegroups.com, Storm, Christian (FT RPD CED)
a rootless container?
Reply all
Reply to author
Forward
0 new messages