From d04b30687ff400a2e2b991e87b236aad3b08addb Mon Sep 17 00:00:00 2001
From: indifferentketchup
Date: Tue, 19 May 2026 13:07:59 +0000
Subject: [PATCH] v1.10.1: booterm runs shells as samkintop with login bash

---
 apps/booterm/Dockerfile | 8 +++++++-
 apps/booterm/tmux.conf | 7 +++++++
 docker-compose.yml | 1 +
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/apps/booterm/Dockerfile b/apps/booterm/Dockerfile
index 3920b27..a82f928 100644
--- a/apps/booterm/Dockerfile
+++ b/apps/booterm/Dockerfile
@@ -30,7 +30,13 @@ RUN test -f node_modules/node-pty/build/Release/pty.node && echo "pty.node OK" |
 
 # ---- Runtime ----
 FROM node:20-alpine AS runtime
-RUN apk add --no-cache tmux libstdc++
+RUN apk add --no-cache tmux libstdc++ bash su-exec shadow
+# v1.10.1: terminal shells inside tmux drop privs to samkintop via su-exec.
+# Mirror uid/gid 1000:1000 from the host so the bind-mounted /home/samkintop
+# (added in docker-compose) is owned by the user from the container's view.
+RUN deluser --remove-home node 2>/dev/null; delgroup node 2>/dev/null; \
+ addgroup -g 1000 samkintop && \
+ adduser -D -u 1000 -G samkintop -s /bin/bash samkintop
 WORKDIR /app
 COPY --from=builder /build/apps/booterm/dist ./dist
 COPY --from=proddeps /prod/package.json ./package.json
diff --git a/apps/booterm/tmux.conf b/apps/booterm/tmux.conf
index fdcfe9f..bf8cfd6 100644
--- a/apps/booterm/tmux.conf
+++ b/apps/booterm/tmux.conf
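Review bot: The new `apk add` line pulls in `shadow`, yet nothing in this hunk uses it — `deluser --remove-home`, `delgroup`, `addgroup -g` and `adduser -D -u -G -s` are all BusyBox applets already present in the alpine base — and the shadow package typically ships setuid-root binaries (passwd, chfn, chsh, gpasswd, newgrp, chage, expiry) that become reachable from the unprivileged samkintop shell this commit introduces, widening the local privilege-escalation surface for no gain. Drop it, `RUN apk add --no-cache tmux libstdc++ bash su-exec`, or, if a later layer outside this hunk really needs it, strip the bits right after install with `RUN find / -xdev -type f -perm /6000 -exec chmod a-s {} +` (check `apk info -L shadow` for what it actually installs). The runtime stage continues past the last COPY line shown, so whether a `USER` instruction follows is not visible here; the tmux.conf change in this same commit states the tmux server runs as root, which makes the su-exec drop the only privilege boundary between the web terminal and root in the container.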
@@ -4,3 +4,10 @@ set -g mouse on
 setw -g mode-keys vi
 set -g status off
 set -g destroy-unattached off
+
+# v1.10.1: shells drop privs to samkintop (uid 1000) so the terminal runs in
+# the user's environment, not root. `env HOME=… USER=…` is required because
+# su-exec only changes uid/gid — it leaves env intact, and tmux server runs
+# as root so HOME would otherwise be /root. bash -l then sources samkintop's
+# ~/.profile / ~/.bashrc to pick up PATH (nvm, ~/.local/bin, ~/.opencode/bin).
+set -g default-command "su-exec samkintop:samkintop env HOME=/home/samkintop USER=samkintop SHELL=/bin/bash bash -l"
diff --git a/docker-compose.yml b/docker-compose.yml
index 9b4acd6..a5253f6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -34,6 +34,7 @@ services:
 DATABASE_URL: postgres://boocode:${POSTGRES_PASSWORD}@boocode_db:5432/boocode
 volumes:
 - /opt:/opt:rw
+ - /home/samkintop:/home/samkintop:rw
 depends_on:
 - boocode_db
 networks:
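Review bot: The root tmux server's entire environment is inherited by the unprivileged shell on the new `default-command` line — the hunk's own comment says su-exec "leaves env intact", and `env` here only adds variables — and with booterm started from docker-compose that environment includes `DATABASE_URL=postgres://boocode:${POSTGRES_PASSWORD}@…` (visible in this commit's compose hunk) plus any other service secrets, so every web-terminal user can read them with a plain `env`. Start from an empty environment and allow-list what the login shell needs: `set -g default-command 'su-exec samkintop:samkintop env -i HOME=/home/samkintop USER=samkintop LOGNAME=samkintop SHELL=/bin/bash TERM=$TERM PATH=/usr/local/bin:/usr/bin:/bin bash -l'`, using single quotes so tmux does not expand `$TERM` while parsing the config and the `sh -c` that runs default-command substitutes the TERM tmux set for the pane (add `TMUX=$TMUX TMUX_PANE=$TMUX_PANE` if nested-tmux detection matters). The comment block above the line should then say the environment is reset and allow-listed rather than left intact. Whether the node process that launches the tmux server scrubs its environment beforehand is not visible in this hunk, so treat the reset as required until that is confirmed.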
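Review bot: The added bind mount hands the host user's whole home directory, read-write, to a container in which (per this commit's tmux.conf hunk) the tmux server runs as root and every terminal runs `bash -l`, sourcing `~/.profile` and `~/.bashrc` from that same mount — so anything that can write there from inside the container (a terminal user, or the app if it is compromised) can plant code that executes on the host at the user's next login, and can read or alter `~/.ssh`, `~/.docker`, `~/.config` and similar credentials outright. Mount only the subtree the terminal actually needs to write, e.g. `- /home/samkintop/work:/home/samkintop/work:rw`, mount any dotfiles you want shared as `:ro`, and let the in-image home directory that the Dockerfile hunk's `adduser` (no `-H`) creates serve as `$HOME`. Whether the service also sets `user:`, `cap_drop:` or `privileged:` is outside this hunk — the service stanza starts before line 34 and continues after `networks:`.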