diff --git a/blubber.example.yaml b/blubber.example.yaml
--- a/blubber.example.yaml
+++ b/blubber.example.yaml
@@ -28,6 +28,8 @@
 packages: [chromium]
 python:
 requirements: [requirements.txt, test-requirements.txt, docs/requirements.txt]
+ runs:
+ insecurely: true
 entrypoint: [npm, test]
 prep:
diff --git a/config/runs.go b/config/runs.go
--- a/config/runs.go
+++ b/config/runs.go
@@ -9,6 +9,7 @@
 //
 type RunsConfig struct {
 UserConfig `yaml:",inline"`
+ Insecurely Flag `yaml:"insecurely"` // runs user owns application files
 Environment map[string]string `yaml:"environment" validate:"envvars"` // environment variables
 }
@@ -18,6 +19,7 @@
 //
 func (run *RunsConfig) Merge(run2 RunsConfig) {
 run.UserConfig.Merge(run2.UserConfig)
+ run.Insecurely.Merge(run2.Insecurely)
 if run.Environment == nil {
 run.Environment = make(map[string]string)
diff --git a/config/runs_test.go b/config/runs_test.go
--- a/config/runs_test.go
+++ b/config/runs_test.go
@@ -14,6 +14,7 @@
 base: foo
 runs:
 as: someuser
+ insecurely: true
 uid: 666
 gid: 777
 environment: { FOO: bar }
@@ -27,6 +28,7 @@
 assert.Nil(t, err)
 assert.Equal(t, "someuser", variant.Runs.As)
+ assert.Equal(t, true, variant.Runs.Insecurely.True)
 assert.Equal(t, uint(666), variant.Runs.UID)
 assert.Equal(t, uint(777), variant.Runs.GID)
 assert.Equal(t, map[string]string{"FOO": "bar"}, variant.Runs.Environment)
diff --git a/config/variant.go b/config/variant.go
--- a/config/variant.go
+++ b/config/variant.go
@@ -61,8 +61,12 @@
 }
 case build.PhasePostInstall:
- switchUser = vc.Runs.As
- uid, gid = vc.Runs.UID, vc.Runs.GID
+ if vc.Runs.Insecurely.True {
+ uid, gid = vc.Lives.UID, vc.Lives.GID
+ } else {
+ switchUser = vc.Runs.As
+ uid, gid = vc.Runs.UID, vc.Runs.GID
+ }
 if len(vc.EntryPoint) > 0 {
 instructions = append(instructions, build.EntryPoint{vc.EntryPoint})
diff --git a/config/variant_test.go b/config/variant_test.go
--- a/config/variant_test.go
+++ b/config/variant_test.go
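Review bot: In config/runs.go, the field comment `// runs user owns application files` on `Insecurely` does not match what the config/variant.go hunk does with the flag. When it is true, the post-install phase skips the switch to `Runs.As` and takes its uid/gid from `vc.Lives`, so it is presumably the lives user that stays in effect rather than the runs user gaining ownership. A comment that states the consequence would serve anyone auditing a config better, e.g. `// if true, skip the switch to the runs user; the entrypoint then runs as the owner of the application files`. The doc comment of `RunsConfig` starts above the hunk, so whether the type-level text also needs a mention cannot be seen here.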
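Review bot: In `RunsConfig.Merge` (config/runs.go), `run.Insecurely.Merge(run2.Insecurely)` lets the flag flow in from whatever configuration is merged, and no test in this commit covers that path; the config/runs_test.go hunks only check that `insecurely: true` parses. `Flag.Merge` is defined outside this diff, so whether an explicit `insecurely: false` in the overriding config clears an inherited `true` cannot be told from here. A test that merges a `Flag{True: true}` base with an explicit false, and another with the key absent, would pin the behaviour of a switch that removes the user separation. The body of `Merge` continues past the hunk.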
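Review bot: In the `build.PhasePostInstall` case of config/variant.go, the `Insecurely` branch leaves `switchUser` unset, and the new subtest in config/variant_test.go confirms that no `build.User` instruction is emitted, so the entrypoint runs as whichever user the earlier phases left in effect. That this user is `vc.Lives.As` depends on code outside the hunk; setting `switchUser = vc.Lives.As` in the branch would make it explicit and rule out inheriting a more privileged user (the expected instructions in the new subtest would change accordingly). Failing that, a comment such as `// Insecurely: stay as the lives user, who owns the application files` should record the intent. The enclosing function begins and ends outside the hunk.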
@@ -154,6 +154,60 @@
 cfg.InstructionsForPhase(build.PhasePostInstall),
 )
 })
+
+ t.Run("without Runs.Insecurely", func(t *testing.T) {
+ cfg := config.VariantConfig{
+ CommonConfig: config.CommonConfig{
+ Lives: config.LivesConfig{
+ UserConfig: config.UserConfig{
+ As: "foouser",
+ },
+ },
+ Runs: config.RunsConfig{
+ Insecurely: config.Flag{True: false},
+ UserConfig: config.UserConfig{
+ As: "baruser",
+ },
+ },
+ EntryPoint: []string{"/foo", "bar"},
+ },
+ }
+
+ assert.Equal(t,
+ []build.Instruction{
+ build.User{"baruser"},
+ build.Env{map[string]string{"HOME": "/home/baruser"}},
+ build.EntryPoint{[]string{"/foo", "bar"}},
+ },
+ cfg.InstructionsForPhase(build.PhasePostInstall),
+ )
+ })
+
+ t.Run("with Runs.Insecurely", func(t *testing.T) {
+ cfg := config.VariantConfig{
+ CommonConfig: config.CommonConfig{
+ Lives: config.LivesConfig{
+ UserConfig: config.UserConfig{
+ As: "foouser",
+ },
+ },
+ Runs: config.RunsConfig{
+ Insecurely: config.Flag{True: true},
+ UserConfig: config.UserConfig{
+ As: "baruser",
+ },
+ },
+ EntryPoint: []string{"/foo", "bar"},
+ },
+ }
+
+ assert.Equal(t,
+ []build.Instruction{
+ build.EntryPoint{[]string{"/foo", "bar"}},
+ },
+ cfg.InstructionsForPhase(build.PhasePostInstall),
+ )
+ })
 })
 }
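Review bot: The `with Runs.Insecurely` subtest asserts only that `build.User` and the `HOME` env are absent; neither fixture sets `UID` or `GID`, so the new `uid, gid = vc.Lives.UID, vc.Lives.GID` assignment in config/variant.go is never exercised. Giving `Lives` and `Runs` distinct non-zero `UID`/`GID` values and asserting on the resulting instructions would show which identity ends up applied when the flag is on. How `uid` and `gid` are consumed is outside this diff, so the exact expectation has to be taken from `InstructionsForPhase`.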