// proc_starter starts a user process with the correct rlimits and after // closing any open FDs. func main() { runtime.LockOSThread() rlimits := flag.String("rlimits", "", "encoded rlimits") dropCapabilities := flag.Bool("dropCapabilities", true, "drop capabilities before starting process") uid := flag.Int("uid", -1, "user id to run the process as") gid := flag.Int("gid", -1, "group id to run the process as") extendedWhitelist := flag.Bool("extendedWhitelist", false, "whitelist CAP_SYS_ADMIN in addition to the default set. Use only with -dropCapabilities=true") flag.Parse() closeFds() mgr := &container_daemon.RlimitsManager{} must(mgr.Apply(mgr.DecodeLimits(*rlimits))) args := flag.Args() if *dropCapabilities { caps := &system.ProcessCapabilities{Pid: os.Getpid()} must(caps.Limit(*extendedWhitelist)) } execer := system.UserExecer{} if err := execer.ExecAsUser(*uid, *gid, args[0], args[1:]...); err != nil { fmt.Fprintf(os.Stderr, "proc_starter: ExecAsUser: %s\n", err) os.Exit(255) } }
func main() { uid := flag.Int("uid", -1, "uid") gid := flag.Int("gid", -1, "gid") workDir := flag.String("workDir", "", "working directory") flag.Parse() execer := system.UserExecer{} if err := execer.ExecAsUser(*uid, *gid, *workDir, "bash", "-c", "id -u && id -G"); err != nil { fmt.Fprintf(os.Stderr, "%s", err) os.Exit(2) } }