
github release for a simple binary #24

Open

ringerc opened this issue Jan 8, 2019 · 5 comments

Comments

ringerc commented Jan 8, 2019

Hi folks

It'd be very useful if a prebuilt binary for su-exec could be published on the github releases page here.

People who choose to trust the repo can reasonably trust a binary uploaded to the repo's releases page too. Unless they link to a specific git commit hash when they fetch su-exec.c and the makefile, and unless they review the whole thing whenever they change which git revision they build, they're trusting the repo anyway.

The vast majority of uses would be satisfied by an amd64 binary built for glibc 2.12 - for CentOS / RHEL 6.

ringerc commented Jan 8, 2019

Here's the Dockerfile and associated wrapper script I use to generate it conveniently right now.

# builder/Dockerfile
# Build on CentOS 6 so the resulting binary only needs glibc 2.12 or newer.
FROM centos:6.10
RUN yum -y install gcc glibc-devel make git
RUN useradd -ms /bin/bash builder
USER builder
WORKDIR /home/builder
RUN git clone -b master https://github.com/ncopa/su-exec.git $HOME/su-exec
# On each run, update the clone to the current master and build.
CMD cd $HOME/su-exec && git fetch && git reset --hard origin/master && make

#!/bin/bash
# Wrapper script, run from the directory containing builder/:
# builds the image, runs one build container, copies the binary out,
# and removes the container and image again, including on failure.
set -e -u
trap "docker rmi su-exec-builder || true" EXIT
docker build -t su-exec-builder builder
trap "docker rm -f su-exec-builder-$$ || true; docker rmi su-exec-builder || true" EXIT
docker run --name su-exec-builder-$$ su-exec-builder
docker cp su-exec-builder-$$:/home/builder/su-exec/su-exec .
docker rm su-exec-builder-$$
# Build succeeded: reset the EXIT trap and clean up explicitly.
trap EXIT
docker rmi su-exec-builder

This produces a su-exec binary in the directory the script is run in.

ringerc commented Jan 9, 2019

BTW the main reason is that I don't want a toolchain in most of my containers.

ncopa (repository owner) commented Jan 9, 2019

I suppose a pre-compiled static binary may make sense.

ringerc commented Jan 9, 2019

There's little reason to make it static. glibc's ABI is versioned and quite sensible, and su-exec doesn't rely on anything else.

$ ldd ../su-exec/su-exec
	linux-vdso.so.1 (0x00007ffd2cf2c000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f4627449000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f4627808000)

If built on something suitable like CentOS 6 it'll run fine on anything up from there. glibc defaults to using symbol versioning, which makes it safer too:

$ nm su-exec  |grep -i GLIBC
                 U err@@GLIBC_2.2.5
                 U execvp@@GLIBC_2.2.5
                 U exit@@GLIBC_2.2.5
                 U getgid@@GLIBC_2.2.5
                 U getgrgid@@GLIBC_2.2.5
                 U getgrnam@@GLIBC_2.2.5
                 U getgrouplist@@GLIBC_2.2.5
                 U getpwnam@@GLIBC_2.2.5
                 U getpwuid@@GLIBC_2.2.5
                 U getuid@@GLIBC_2.2.5
                 U __libc_start_main@@GLIBC_2.2.5
                 U printf@@GLIBC_2.2.5
                 U realloc@@GLIBC_2.2.5
                 U setenv@@GLIBC_2.2.5
                 U setgid@@GLIBC_2.2.5
                 U setgroups@@GLIBC_2.2.5
                 U setuid@@GLIBC_2.2.5
                 U strchr@@GLIBC_2.2.5
                 U strtol@@GLIBC_2.2.5
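
A check a practitioner would want next to the nm output above, added here as an example and not code from this thread or from su-exec: a small POSIX shell helper that extracts the highest GLIBC_x.y version a binary references and compares it with the glibc of the deployment target (2.12 for CentOS 6, as mentioned earlier), so a build that accidentally pulls in a newer symbol version is caught before it is published. The function names and the sample nm lines are made up for the example.

```shell
#!/bin/sh
# Added helper, not part of su-exec: from `nm <binary> | grep GLIBC` output,
# find the highest GLIBC_x.y symbol version the binary requires and check it
# against the glibc version of the intended target (e.g. 2.12 for CentOS 6).

# Print the highest GLIBC_x.y.z version referenced in nm output read on stdin.
max_glibc_version() {
    sed -n 's/.*GLIBC_\([0-9][0-9.]*\).*/\1/p' \
        | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# version_ge HAVE NEED: succeed if dotted version HAVE is >= NEED.
version_ge() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        nh = split(have, h, "."); nn = split(need, n, ".")
        m = (nh > nn) ? nh : nn
        for (i = 1; i <= m; i++) {
            if (h[i] + 0 > n[i] + 0) exit 0
            if (h[i] + 0 < n[i] + 0) exit 1
        }
        exit 0
    }'
}

# glibc_need NM_OUTPUT TARGET_GLIBC: report whether a binary whose nm output is
# NM_OUTPUT will resolve all its versioned libc symbols on TARGET_GLIBC.
glibc_need() {
    needed=$(printf '%s\n' "$1" | max_glibc_version)
    if [ -z "$needed" ]; then
        echo "no versioned GLIBC symbols found"
        return 0
    fi
    if version_ge "$2" "$needed"; then
        echo "ok: needs GLIBC_$needed, target glibc $2 provides it"
    else
        echo "too new: needs GLIBC_$needed, target glibc is $2"
        return 1
    fi
}

# Constructed samples: a subset of the nm output quoted above (all 2.2.5), and
# a variant that additionally pulls in a symbol first versioned in glibc 2.25.
SAMPLE_OLD='                 U err@@GLIBC_2.2.5
                 U getgrouplist@@GLIBC_2.2.5
                 U setgroups@@GLIBC_2.2.5'
SAMPLE_NEW="$SAMPLE_OLD
                 U getrandom@@GLIBC_2.25"

glibc_need "$SAMPLE_OLD" 2.12 || true   # ok: needs GLIBC_2.2.5
glibc_need "$SAMPLE_NEW" 2.12 || true   # too new: needs GLIBC_2.25
```

On a real binary, feed it `"$(nm su-exec | grep GLIBC)"` as the first argument and the target's `ldd --version` number as the second.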

NobodyXu commented Feb 23, 2020

Here is a fork which provides binary releases:

# For dynamic-linked glibc, 14.3kb
wget https://github.com/NobodyXu/su-exec/releases/download/v0.3/su-exec

# For dynamic-linked musl-libc, 13.9kb
wget https://github.com/NobodyXu/su-exec/releases/download/v0.3/su-exec-musl

# For static-linked musl-libc, 45.6kb
wget https://github.com/NobodyXu/su-exec/releases/download/v0.3/su-exec-static-musl

A static-linked glibc release isn't provided because it is buggy:

$ sudo ./su-exec-static '' id
uid=0(root) gid=0(root) groups=0(root)

$ sudo ./su-exec-static ':' id
uid=0(root) gid=0(root) groups=0(root)

$ sudo ./su-exec-static 'root' id
Segmentation fault

$ sudo ./su-exec-static 'root:' id
Segmentation fault

$ sudo ./su-exec-static '0:' id
Segmentation fault

$ sudo ./su-exec-static 'root:0' id
uid=0(root) gid=0(root) groups=0(root)

All of these work for dynamic-linked su-exec, the dynamic-linked musl-libc version and the static-linked musl-libc version.
