Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion docker/netclaw-cli-launcher.sh
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@ set -eu
REAL=/opt/netclaw/cli/netclaw

if [ "$(id -u)" = 0 ]; then
echo "[netclaw] invoked as root; dropping to the 'netclaw' user (ADR-004)." >&2
export HOME=/home/netclaw
exec gosu netclaw "$REAL" "$@"
fi
Expand Down
15 changes: 3 additions & 12 deletions scripts/docker/test-nonroot-cli.sh
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,8 @@
# breakage path — a root `docker exec -- netclaw <cmd>` — and asserts:
#
# Phase A — a root-context CLI invocation succeeds and drops to netclaw:
# `docker exec` (default user = root) running `netclaw --version` must exit 0,
# print a version (NOT the EACCES bundle-extraction error), and emit the
# launcher's drop breadcrumb on stderr (proving it re-execed as netclaw).
# `docker exec` (default user = root) running `netclaw --version` must exit 0
# and print a version (NOT the EACCES bundle-extraction error).
#
# Phase B — it leaves NOTHING root-owned under the netclaw home:
# After root-context CLI runs (incl. the offline `doctor`, which touches
Expand Down Expand Up @@ -87,13 +86,8 @@ echo " stdout: $out (rc=$rc)"
[[ "$rc" -eq 0 ]] || fail "root 'netclaw --version' exited $rc (the bundle-extraction EACCES regression?)"
echo "$out" | grep -qi 'netclaw' || fail "root 'netclaw --version' did not print a version: $out"

# stderr must carry the launcher's drop breadcrumb -> proves it re-execed as netclaw.
err="$(docker exec "$CONTAINER" netclaw --version 2>&1 1>/dev/null)" || true
echo " stderr: $err"
echo "$err" | grep -qi "dropping to the 'netclaw' user" \
|| fail "launcher did not report dropping to the netclaw user — is /usr/local/bin/netclaw still the self-dropping launcher?"

# Belt-and-suspenders: the failure mode's signature must never appear.
err="$(docker exec "$CONTAINER" netclaw --version 2>&1 1>/dev/null)" || true
if echo "$out $err" | grep -qiE 'Failed to create directory|Error code: 13|Failure processing application bundle'; then
fail "bundle-extraction failure signature present — root CLI was not dropped"
fi
Expand All @@ -113,9 +107,6 @@ echo "==> Phase C: 'docker exec -u netclaw -- netclaw --version' (no double drop
rc=0
cout="$(docker exec -u netclaw "$CONTAINER" netclaw --version 2>/dev/null)" || rc=$?
[[ "$rc" -eq 0 ]] || fail "'netclaw --version' as the netclaw user exited $rc"
cerr="$(docker exec -u netclaw "$CONTAINER" netclaw --version 2>&1 1>/dev/null)" || true
echo "$cerr" | grep -qi "dropping to the 'netclaw' user" \
&& fail "launcher dropped privileges even though it was already the netclaw user (should exec directly)"
assert_no_root_owned "Phase C"

# ── Phase D: daemon still healthy after all the exec traffic ─────────────────
Expand Down
Loading