forked from rancher-sandbox/rancher-desktop
-
Notifications
You must be signed in to change notification settings - Fork 0
Privilege Escalation
Mark Yen edited this page Mar 3, 2022
·
2 revisions
Rancher Desktop has various needs to run as a privileged user, typically platform-specific:
- (Installer) Install WSL
- (Installer) Update WSL kernel
- Writing to
C:\Windows\system32\drivers\etc\hosts - Custom networking?
- Install
vde_vmnettools - Run
vde_vmnettools (sudoers file) - Create
/private/var/run/rancher-desktop-lima -
/etc/paths.dmanagement - Create docker socket symlink
- Create docker socket symlink
- Custom networking
- Privilege escalation is only needed at install time
- For macOS / Linux AppImage, this may be an optional component installed separately.
- The application can still run without privilege escalation with a reduced
feature set.
- E.g. fall back to SLIRP-only networking on macOS.
- Only applicable on macOS / Linux
- Issues around conflicting sudoers configuration
- Not great for admin access
- macOS/Linux: setuid binary
- Need to hard-code things, but should be safe with adequate checking
- Windows: privileged service
- Requires Administrator access to install
- Also need it for uninstall
- Needs to grant privilege escalation every time RD updates (new binary)
-
Ignore Windows for now
-
Temporarily introduce a (hidden) setting to disable privileged access
-
Make lima.ts fall back when no privileged access
-
Use a setuid helper on macOS / Linux
-
Hack up lima to not use sudo
-
Remove setting, check setuid bit on helper instead
-
Must check version between setuid helper & main app, ignore it if versions mismatch (not just older)