Refactor XFCE container startup for POSIX compliance, secure env forwarding, and fail-safe execution #4
Open
frangarb wants to merge 2 commits into
Harden XFCE session launcher for DroidSpaces
- Add set -eu and set -a/+a for safe, fail-fast env-file sourcing
- Always apply DISPLAY/PulseAudio/virgl setup (no longer skipped when the env file exists)
- Add safe_chown to skip symlinks when chowning sockets in shared /tmp
- Assign explicit user:GID ownership via id -g (POSIX/BusyBox-safe, replaces non-POSIX "chown user:")
- Validate that XFCE_USER exists and that its GID resolves
- Whitelist forwarded env vars to strict POSIX identifier names
- Detect util-linux su -w via anchored --help match; add quote-escaped EXPORTS fallback for BusyBox/Alpine su
- Guard XFCE_USER with ${XFCE_USER:-} so set -u does not abort when unset
- Warn explicitly when falling back to root
- Remove su -l in the whitelist path; -l reset the environment and silently defeated -w.
- Single-quote XDG_RUNTIME_DIR inside every su -c string to prevent breakage on special characters.
- Replace eval in the BusyBox fallback with printenv to remove a code-injection vector.
- Gate PulseAudio/VirGL socket chown behind their config flags so stale sockets aren't re-owned.
- Split the whitelist launch into explicit branches instead of a fragile ${VAR:+...} expansion that mangled -w args.
- Guard su --help with || true so a non-zero exit doesn't abort under set -e.
- safe_chown now handles dangling symlinks and uses chown -h (no link following).
- Use numeric UID:GID for ownership consistently.
- Fix DISPLAY parsing so TCP displays (host:5) resolve the socket path correctly.
What
Hardens the XFCE session launcher used in DroidSpaces containers, replacing
the previous best-effort script with a POSIX-portable, fail-fast version that
works on both util-linux and BusyBox/Alpine userspaces.
Why
The original script:
- Applied DISPLAY/PulseAudio/virgl setup only when the env file was absent, so those defaults were skipped whenever `/run/droidspaces.env` existed.
- Used `chown "$XFCE_USER"` and the non-POSIX `chown user:` idiom.
- Chowned `/tmp` sockets without guarding against symlinks.
- Assumed `su -w` was always available.
Changes
- `set -eu`; env file sourced under `set -a`/`set +a`.
- `DISPLAY`, `PULSE_SERVER`, and `GALLIUM_DRIVER` defaults applied unconditionally via `: "${VAR:=default}"`.
- `safe_chown` skips non-existent paths and symlinks.
- `user:GID` via `id -g`; validates `XFCE_USER` existence and GID resolution with clear errors.
- Forwarded env vars are whitelisted, excluding session-poisoning vars (`HOME`, `USER`, `XDG_RUNTIME_DIR`, etc.).
- `su --help` detection for `-w`/`--whitelist-environment`; quote-escaped `EXPORTS` fallback for BusyBox su.
- Warns when `XFCE_USER` is `root`, unset, or empty.
Notes / limitations
- Only `:N` displays are supported (TCP `host:N` is not parsed).
- GNU `env -0`), acceptable for the controlled DroidSpaces environment.
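The helpers below are an added POSIX sh example, not the DroidSpaces launcher and not code from this PR. They show four of the points listed in the description and in the commit messages: the strict identifier whitelist that keeps session-poisoning names out of the forwarded set, DISPLAY parsing that also accepts a `host:N` form, anchored detection of util-linux `su -w` from its help text (read from stdin so it can be checked offline), numeric `UID:GID` resolution that fails loudly, and a `safe_chown` that skips symlinks (dangling ones included) and uses `chown -h`. The function names, return codes, the blocked-name list, the `/tmp/.X11-unix/X<N>` socket path convention and the two help-text samples are my own assumptions and constructions.

```shell
#!/bin/sh
# Added example (not the DroidSpaces launcher): POSIX sh helpers for the
# hardening points in the PR. Sample values below are constructed.
# -f: no globbing when a candidate list is word-split in `for`.
set -euf

# 1. Strict POSIX identifier check for names that may be forwarded to
#    `su -w` or an EXPORTS string. Spaces, '=', '$' or '-' are rejected
#    so a crafted name cannot alter the command line.
is_posix_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'
}

# Variables that must never be forwarded into the XFCE user's session even
# though they are valid names (list assumed from the PR description).
BLOCKED_VARS="HOME USER XDG_RUNTIME_DIR"

is_blocked() {
    for b in $BLOCKED_VARS; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# Build the forwarding whitelist from a space-separated candidate list.
# Prints the accepted names, space-separated, in input order.
filter_whitelist() {
    out=""
    for name in $1; do
        is_posix_name "$name" || continue
        is_blocked "$name" && continue
        out="${out:+$out }$name"
    done
    printf '%s' "$out"
}

# 2. Resolve DISPLAY to the local X socket path. Handles ":0", ":1.0" and
#    "host:5" by taking the text after the last ':' and dropping ".screen".
#    Returns 1 when no display number can be extracted.
display_socket_path() {
    d="${1:-:0}"
    num="${d##*:}"
    num="${num%%.*}"
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '/tmp/.X11-unix/X%s\n' "$num"
}

# 3. Detect util-linux `su -w` from help text on stdin. The match is
#    anchored to the option line, so a stray "-w" elsewhere does not count.
#    In a launcher: `if su --help 2>&1 | su_supports_whitelist; then ...`
su_supports_whitelist() {
    grep -Eq '^[[:space:]]*-w,[[:space:]]*--whitelist-environment'
}

# Constructed help-text samples for offline checks.
UTIL_LINUX_HELP=' -w, --whitelist-environment <list>  do not reset specified variables'
BUSYBOX_HELP='Usage: su [-lmp] [-s SH] [-] [USER [FILE | -c CMD]]'

# 4. Numeric UID:GID for a user; non-zero if the user or its group does
#    not resolve, so the caller can refuse to continue instead of
#    silently running as root.
numeric_owner() {
    uid="$(id -u "$1" 2>/dev/null)" || return 1
    gid="$(id -g "$1" 2>/dev/null)" || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# 5. Ownership change that never follows links. Symlinks (dangling or not)
#    are skipped before the existence test, so a dangling link is not
#    mistaken for a missing path; real paths get `chown -h`.
#    Returns 0 on change, 2 for a skipped symlink, 3 for a missing path.
safe_chown() {
    owner="$1"; path="$2"
    if [ -L "$path" ]; then
        echo "safe_chown: skipping symlink $path" >&2
        return 2
    fi
    if [ ! -e "$path" ]; then
        echo "safe_chown: skipping missing $path" >&2
        return 3
    fi
    chown -h "$owner" "$path"
}

# Demo on constructed values (a launcher would read them from the env file).
printf 'whitelist: %s\n' "$(filter_whitelist 'DISPLAY PULSE_SERVER HOME BAD-NAME X=1 GALLIUM_DRIVER')"
printf 'socket:    %s\n' "$(display_socket_path 'host:5')"
if printf '%s\n' "$UTIL_LINUX_HELP" | su_supports_whitelist; then
    printf 'su: -w supported, forward list "%s"\n' "$(filter_whitelist 'DISPLAY PULSE_SERVER' | tr ' ' ',')"
else
    printf 'su: no -w, use the EXPORTS fallback\n'
fi
```

Because `grep -q` in `su_supports_whitelist` returns non-zero when the option is absent, the call belongs inside an `if` or `||` list so `set -e` does not abort the launcher; the same applies to `safe_chown`, whose 2/3 return codes are informational. Feeding the help text on stdin also lets the detection be checked against both the util-linux and BusyBox samples without running `su` at all.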