Default User without sudo access
Hey all,
so we want to limit the Devs abilities within the workspace so they don't have sudo access except for certain tools they should be able to control.
I'm using the docker template and enterprise-base:ubuntu as base for my Dockerfile.
I tried manipulating the user via sudoers file(s) to no avail. So I'm not sure about where to go next. Thanks!
16 Replies
You can extend your image with a new user that does not have sudo rights. Also uninstall sudo package altogether.
just uninstall sudo if you wanna keep that image
That... Sounds surprisingly simple, haven't thought of that. I'll give it a shot in the morning.
i mean, doesn't matter if they're in the sudo group if there's no sudo
That's true. Although, I think I could've made it clearer that there are certain tools they need to be able to control which require root/sudo access.
I tried setting up a new user and switching to that user at the end of the Dockerfile, but that only led to not being able to connect to code-server and getting a non-interactive shell. I'm sure there's something obvious I'm missing here, but I don't know what ^^
uuuh
then it gets tricky
I mean, why do you want them to not be able to use root in the first place ?
you could write a custom sudoers file that only allows specific commands, I think that's your best bet
That's what I got now, but the coder user kept ignoring it somehow. Just changed a few bits and testing again.
Basically we want to keep the workspace as close to the production environment, which is set that way. Does that make sense even? I'm not quite sure as this is literally the first time I deal with dev workspaces.
letting the user have root access doesn't really imply a security risk
well, the root user of your container is also the root user of your host (still, this only matters if there was a dockerd flaw that allowed you to escape the workspace) but you can use docker user mapping to avoid that
alright makes sense. So basically they're able to ruin their workspace, but that's about it.
pretty much
Thanks, that clears things up a bit further 🙂 Guess the same is true about ufw, since it'll only allow whatever the host lets in, right?
i would say yes but you'd have to check to be sure
will do, thanks again.
btw, feel free to close the thread by doing /resolve
Oh sorry, sure.
Marked the thread as resolved.