Code-server: Running in sudo will not let me use custom passwords

Created on 5 Nov 2019  路  4Comments  路  Source: cdr/code-server


  • code-server version: code-server2.1665-vsc1.39.2-linux-x86_64
  • OS Version: Ubuntu 18.04, Google Cloud Platform Compute Engine

Description

When I try to run ./code-server binary in port 80, it says that the permission is denied to 0.0.0.0:80. Then, I tried sudo ./code-server --port 80, which works but has one problem.
When I don't use sudo to run code-server, it would pull up the PASSWORD env variable from my bash that I set. If I use sudo command to run my server in port 80, it would not pull up my PASSWORD variable even though I exported and create a random password.

I tried using .bashrc and locally, like

  1. In ~/.bashrc
    export PASSWORD="thepasswordiuse"

  1. In console
    $ export PASSWORD="thepasswordiuse"
    $ sudo ./code-server --auth password --port 80

  2. One line
    $ export PASSWORD="thepasswordiuse" sudo ./code-server --auth password --port 80

All of these didn't work.

Steps to Reproduce

  1. Export your custom password variable.
  2. Use sudo command when running the code-server binary to use port 80.
bug
Source
picture Taewan-P

Most helpful comment

You can also use setcap to allow code server to bind to port 80 without root

sudo setcap CAP_NET_BIND_SERVICE=+eip ./code-server
picture coadler on 5 Nov 2019
👍2

All 4 comments

The environment variable is set for your user, not root. You could:

sudo PASSWORD="pass" ./code-server

Or su first, run the export command, then run code-server.

Or try the -E switch on sudo which preserves the local environment
variables.

Although in case you haven't considered this already this means
code-server will run as root so you might be better off running a
reverse proxy on 80 and proxy to code-server instead so you can run it
as a normal user.

code-asher picture code-asher on 5 Nov 2019
👍2

You can also use setcap to allow code server to bind to port 80 without root

sudo setcap CAP_NET_BIND_SERVICE=+eip ./code-server
coadler picture coadler on 5 Nov 2019
👍2

For the environment variable set, doing
sudo PASSWORD="password" didn't work for me. It would just show up sudo usage and not export the variable. Same to sudo export PASSWORD="password".

Eventually, Doing the '-E' option on sudo worked for me. Thank you!

Taewan-P picture Taewan-P on 6 Nov 2019

An alternative is to do what I do for setting environment variables in sudo...

sudo bash -c "PASSWORD='password' exec ./code-server"

WARNING: If you can do that, it also means the user also has full root access to root at any time!
This may not be desirable for many environments, as it could provide a security hole, should someone gain a user shell, via some bug. It may be better to adjust sudo to allow PASSWORD environment variable to be passed (in a limited environment such as docker). Or provide a wrapper that would start code-server in the exact specific way desired, and sudo to it. Only root should have write access to that wrapper, or you again open a security hole.

antofthy picture antofthy on 9 Nov 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

lshamis picture lshamis  路  3Comments
grant picture grant  路  3Comments
pchecinski picture pchecinski  路  3Comments
broady picture broady  路  3Comments
pchecinski picture pchecinski  路  3Comments