Skip to content

run_code as a user instead of root #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

run_code as a user instead of root #94

wants to merge 17 commits into from

Conversation

mishushakov
Copy link
Member

@mishushakov mishushakov commented Apr 28, 2025
edited
Loading

  • Jupyter Server and Code Interpreter are started as a non-privileged user
  • Adds ability to change user by creating a new context
  • BREAKING: Default user root > user to match the Sandbox commands.run behavior
  • POSSIBLY BREAKING: when cwd is not set and user is root, it will set cwd to /root

Sample code

const ctx = await sbx.createCodeContext({ language: "python", user: "user" })

const code = await sbx.runCode(`import getpass; print(getpass.getuser())`, { context })
console.log(code.logs);
{
    stdout: [ "user\n" ],
    stderr: [],
}

@linear Linear
Copy link

linear bot commented Apr 28, 2025

E2B-2123 Permissions: calling `run_code` as a different user

@mishushakov mishushakov self-assigned this Apr 28, 2025
@mishushakov mishushakov added the improvement Improvement for current functionality label Apr 28, 2025
@mishushakov mishushakov marked this pull request as ready for review April 28, 2025 12:09
@jakubno Linear
Copy link
Member

jakubno commented Apr 28, 2025
edited
Loading

This won't be probably backwards compatible right?

Can I specify if I want run something as root?

@mishushakov

This comment was marked as outdated.

Sign in to view
jakubno
jakubno requested changes Apr 28, 2025
View reviewed changes
Copy link
Member

@jakubno jakubno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we just need to be able to pass user. Otherwise, someone might need to run something as root, leading to the same issue.

@mishushakov mishushakov marked this pull request as draft April 30, 2025 16:12
@mishushakov mishushakov requested a review from jakubno May 2, 2025 09:25
@mishushakov mishushakov added feature New feature or request and removed improvement Improvement for current functionality labels May 14, 2025
@mishushakov mishushakov marked this pull request as ready for review May 14, 2025 14:14
jakubno
jakubno requested changes May 14, 2025
View reviewed changes
template/test.Dockerfile
Comment on lines +79 to +83

# Change ownership of all files to user
RUN chown -R user:user $HOME

USER user
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are you doing it as last thing? If you would set the user as a first thing you probably don't need change the ownership

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the problem here is: "user" does not exist in python image
and we cannot add user before we have "sudo" dependency installed

so this is why it's the last

@mishushakov
Copy link
Member Author

I created a new template, code-interpreter-v1beta1

mishushakov
mishushakov commented May 15, 2025
View reviewed changes
template/e2b.toml
dockerfile = "e2b.Dockerfile"
template_name = "code-interpreter-v1"
template_id = "nlhz8vlwyupq845jsdg9"
start_cmd = "sudo -u user /home/user/.jupyter/start-up.sh"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one thing: this is a breaking change, should I put a script in /root/.jupyter/start-up.sh that just calls the actual start-up.sh with sudo -u user?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jakubno jakubno jakubno requested changes

@ValentaTomas ValentaTomas Awaiting requested review from ValentaTomas ValentaTomas is a code owner

@0div 0div Awaiting requested review from 0div 0div is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

@mishushakov mishushakov

Labels
feature New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mishushakov @jakubno