Running xrdp (and sesman) as one (non-root) user and logging in as another

[kalelkenobi]

Hi there,
I've been trying to get an xrdp container up and running. The container is started as user 'kalel' and so are the xrdp and xrdp-sesman processes; as you can imagine I'm able to remote into the container with user kalel with no problems, but if I try to log in as any other user I start running into problems. I got as far as logging in as user "goofy" and getting a session to start, however the session process is still started as user "kalel", NOT "goofy". I got this far by giving user 'kalel' read permission on the /etc/shadow file, but I'm now stuck. My question is: is this even possible? could I get this to work by, for example, giving 'kalel' permssion to "su -" as someone else?
I'd appreciate any help you guys can give me.

[matt335672]

If you're running the user sessions entirely in your container, this should be possible (I think).

To start a process as another user, sesman needs to be running as root. Presumably it is in the container(?), and also as user 'kalei' on the host.

First thing to do would be to get up a root shell in the container and check it can switch to goofy using su or sudo,or whatever.

[kalelkenobi]

My problem is exactly this: sesman needs to be running as root. I'm trying to run it as anything other than root. Do you think is it at all possible?

[matt335672]

sesman creates a new session by forking and changing its uid and gid to the target user's uid and gid. To do this, it needs to be root in the environment it finds itself in.

If you're in a container, it should be possible for sesman to be root in that container and to be "kalei" on the host.

[matt335672]

For Linux you might be able to give your user the CAP_SETUID capability. Or you could write a small setuid executable that checks the user it's called with, and then execs sesman. Both of these require some programming however.

[kalelkenobi]

could you possibly give me some pointers on how to do that. I don't have a problem with programming but a nudge would be awesome.

[matt335672]

I think I'd better pass. It's a complex area, and easy to make mistakes. You need to do your own research into the risks associated with such an approach.

[kalelkenobi]

Thanks to your input @matt335672 I think I got it to work!!
For anyone who might be interested:
Adding this to the Dockerfile
RUN setcap cap_kill,cap_setuid,cap_setgid+ep /usr/sbin/xrdp-sesman
enables the xrdp-sesman process to change UID, GID and kill other processes regardless of the user launching it. I'm not sure if this makes the container less secure than what it would be with xrdp-sesman running as root, but every feedback is more than welcome. Thanks again for your valuable pointer @matt335672, I couldn't have done it without it.