allow running orjail without sudo by having orjail run sudo internally #41

adrelanos opened this issue Aug 28, 2018 · 3 comments
@adrelanos
Collaborator

The following is a bit strange.

sudo orjail -y touch a

Will the file be owned by root or user? -> user. But why, since the whole command runs under sudo? A bit unexpected.

vs

sudo orjail -y sudo touch a

Will the file be owned by root or user? -> root. That syntax is a bit long though.


So I was wondering why not run orjail without sudo, and then orjail would internally use sudo whenever required?

Maybe orjail could be running under user orjail and user orjail would have /etc/sudoers.d/orjail exceptions to run the required commands (ip, iptables, ...) under root using sudo.

The end result could be:

  • sudo orjail -y touch a -> owned by root
  • orjail -y touch a -> owned by user

If you're interested in this, I could try to come up with a pull request since I have some experience running applications under user something and then having /etc/sudoers.d/ exceptions to allow user something to run required commands as root.
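
A sketch of the split proposed in the post above, as an added example that is not part of the original post and not orjail's code: privileged steps are limited to an allow-list and routed through `sudo -n` only when the script is not already root, and the sudoers drop-in pins exact argument lists. The function names, the binary paths and the namespace name `orjail` are assumptions.

```shell
#!/bin/sh
# Added example, not orjail's code. Assumed names: ORJAIL_ROOT_CMDS,
# is_root_cmd, as_root_cmdline, sudoers_dropin; binary paths and the
# namespace name "orjail" are constructed sample values.

# The issue names "ip, iptables, ..." as the commands that need root.
ORJAIL_ROOT_CMDS="ip iptables"

# True only for a single bare word that is on the allow-list.
is_root_cmd() {
  case $1 in ''|*[!a-z]*) return 1 ;; esac
  case " $ORJAIL_ROOT_CMDS " in *" $1 "*) return 0 ;; esac
  return 1
}

# Print the command line a privileged step would run.
#   $1 = effective uid of the script, rest = command and arguments.
# Root runs the step directly; any other uid goes through "sudo -n", so a
# missing sudoers rule fails at once instead of prompting for a password.
as_root_cmdline() {
  euid=$1; shift
  is_root_cmd "$1" || { echo "refusing to elevate: $1" >&2; return 2; }
  if [ "$euid" -eq 0 ]; then
    printf '%s\n' "$*"
  else
    printf 'sudo -n -- %s\n' "$*"
  fi
}

# Emit a drop-in for the account in $1 (check it with "visudo -cf FILE").
# Each entry pins the full argument list: a bare "/sbin/ip" entry would also
# permit "ip netns exec", which starts any program as root. Every further
# step (the iptables rules, for instance) needs its own exact entry.
sudoers_dropin() {
  cat <<EOF
Cmnd_Alias ORJAIL_NET = /sbin/ip netns add orjail, /sbin/ip netns delete orjail
$1 ALL=(root) NOPASSWD: ORJAIL_NET
EOF
}
```

The user's own command (`touch a` in the post) never passes through `as_root_cmdline`, so it keeps the uid orjail was started with.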

lesion added a commit that referenced this issue Aug 28, 2018
@lesion
Collaborator

lesion commented Aug 28, 2018

seems reasonable, don't really know if I like it but I tried to experiment with it in the feat/nosudo branch (you can directly modify it).

notes: we're currently using sudo to drop privileges, this is not so good, we should probably use setuidgid, this is something important to investigate

@gibix
Collaborator

gibix commented Aug 29, 2018

90% of the work done by orjail requires sudo, I'm sure about hiding this in the script.

@lesion lesion self-assigned this Feb 29, 2020
@tzugen

tzugen commented May 30, 2022

netexec manages to run without sudo, maybe that could provide some pointers?
