Why does minikube require passwordless sudo for podman?

Minikube specifies,

Podman requires passwordless running of sudo. If you run into an error about sudo, do the following:

They suggest adding

username ALL=(ALL) NOPASSWD: /usr/bin/podman

However, this must be very insecure, as now you could do

sudo podman run -ti -v /etc/shadow:/etc/shadow:rw alpine:3 /bin/sh

And not have to authenticate.

Why is this requirement in place? Is there an alternative?
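The sudoers line quoted above is the kind of rule a practitioner would want to catch during an audit: a NOPASSWD entry for a binary that can mount or read and write arbitrary host paths as root is no narrower than NOPASSWD: ALL. The script below is an added example, not code from minikube, podman or the original post. It audits a sudoers fragment for such rules and also wraps the non-interactive sudo check that a tool like minikube effectively depends on. The sample sudoers text and the list of root-equivalent binaries (ROOT_EQUIVALENT) are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: audit a sudoers fragment for NOPASSWD rules that amount to
# unrestricted root, e.g. "username ALL=(ALL) NOPASSWD: /usr/bin/podman".
# Not from minikube or podman; the sample data and the list of
# root-equivalent binaries below are assumptions made for this example.

# Constructed sudoers fragment for the demonstration (not a real host's file).
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/podman
bob     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
carol   ALL=(ALL) /usr/bin/podman
dave    ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL) ALL'

# Binaries that, when run as root, can mount or read/write arbitrary host
# paths, so a NOPASSWD rule for them is equivalent to NOPASSWD: ALL.
# This list is an assumption for the example, not an exhaustive catalogue.
ROOT_EQUIVALENT='/usr/bin/podman /usr/bin/docker /usr/bin/mount /bin/mount'

# risky_nopasswd SUDOERS_TEXT
# Prints "user command" for each NOPASSWD rule whose command is ALL or is in
# ROOT_EQUIVALENT. Comments, blank lines and password-protected rules (such
# as carol's and bob's above) produce no output.
risky_nopasswd() {
    printf '%s\n' "$1" | awk -v list="$ROOT_EQUIVALENT" '
        BEGIN {
            n = split(list, cmds, " ")
            for (i = 1; i <= n; i++) risky[cmds[i]] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /NOPASSWD:/ {
            user = $1
            sub(/.*NOPASSWD:[ \t]*/, "")   # keep only the command spec
            cmd = $1                       # path (or ALL) before any arguments
            if (cmd == "ALL" || cmd in risky) print user, cmd
        }'
}

# sudo_is_passwordless CMD
# The live check a non-interactive caller relies on: "sudo -n" refuses to
# prompt, so this succeeds only when CMD may be run as root with no password.
sudo_is_passwordless() {
    sudo -n -l "$1" >/dev/null 2>&1
}

# Run the audit on the constructed sample when executed directly.
risky_nopasswd "$SAMPLE_SUDOERS"
```

On the sample above the audit reports alice (NOPASSWD for podman) and dave (NOPASSWD: ALL) and stays silent for bob, whose rule is limited to one systemctl invocation. Replace the sample with `sudo cat /etc/sudoers /etc/sudoers.d/*` output to run it against a real host.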

Answer 1

This requirement is in place because they call sudo podman from their application. This is strange because minikube expects that an unprivileged user will run the application, then expects (needs) root privileges. Furthermore, minikube runs sudo non-interactively. Sudo isn't designed for that.

In terms of alternatives, most applications that need root privileges would detect whether they are root or not on launch, then fail if they aren't. Example:

$ dpkg -i *.deb
dpkg: error: requested operation requires superuser privilege
$ mount /dev/sda /mnt
mount: /mnt: must be superuser to use mount.

Can you imagine if apt put its own passwordless entry into sudoers, then elevated itself instead of requiring the user's explicit consent?

The other option is that applications use polkit instead of sudo. polkit is like sudo for GUIs. It's non-interactive with the application, but will use the polkit interface with your desktop environment to interact with the user and authenticate. If you're on GNOME and see the screen go grey and a password prompt show up, that's polkit.

So really, I think it's poor design on minikube's part.

It appears podman needs root privileges. You, as a user, have three options:

  1. Give minikube the passwordless sudo access to podman that it wants (this is weird).
  2. If you are OK with giving this software root access, run it as root: use sudo minikube whenever you run it. If it is already root, it shouldn't need passwordless sudo access anymore.
  3. If you're not OK giving it root access, find different software.
