fix(docker): add SETUID/SETGID caps so gosu drop in entrypoint succeeds

The Docker terminal backend runs containers with `--cap-drop ALL` and re-adds only DAC_OVERRIDE, CHOWN, FOWNER. Since commit fee0e0d3 ("run as non-root user, use virtualenv") the image entrypoint drops from root to the `hermes` user via `gosu`, which requires CAP_SETUID and CAP_SETGID. Without them every sandbox container exits immediately with: Dropping root privileges error: failed switching to 'hermes': operation not permitted Breaking every terminal/file tool invocation in `terminal.backend: docker` mode. Fix: add SETUID and SETGID to the cap-add list. The `no-new-privileges` security-opt is kept, so gosu still cannot escalate back to root after the one-way drop — the hardening posture is preserved. Reproduction ------------ With any image whose ENTRYPOINT calls `gosu <user>`, the container exits immediately under the pre-fix cap set. Post-fix, the drop succeeds and the container proceeds normally. docker run --rm \ --cap-drop ALL \ --cap-add DAC_OVERRIDE --cap-add CHOWN --cap-add FOWNER \ --security-opt no-new-privileges \ --entrypoint /usr/local/bin/gosu \ hermes-claude:latest hermes id # -> error: failed switching to 'hermes': operation not permitted # Same command with SETUID+SETGID added: # -> uid=10000(hermes) gid=10000(hermes) groups=10000(hermes) Tests ----- Added `test_security_args_include_setuid_setgid_for_gosu_drop` that asserts both caps are present and the overall hardening posture (cap-drop ALL + no-new-privileges) is preserved. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 00:51:20 +00:00 · 2026-04-21 08:27:53 +03:00 · 2026-04-21 08:27:53 +03:00 · a3014a4481
commit a3014a4481
parent c345ec9a63
2 changed files with 34 additions and 0 deletions
--- a/tests/tools/test_docker_environment.py
+++ b/tests/tools/test_docker_environment.py
@ -382,3 +382,31 @@ def test_normalize_env_dict_rejects_complex_values():
        "BAD_DICT": {"nested": True},
    })
    assert result == {"GOOD": "string"}
+
+
+def test_security_args_include_setuid_setgid_for_gosu_drop():
+    """_SECURITY_ARGS must include SETUID and SETGID so the image entrypoint
+    can drop from root to the non-root `hermes` user via gosu.
+
+    Without these caps gosu exits with
+    ``error: failed switching to 'hermes': operation not permitted``
+    and the container exits immediately (exit 1) before running any work.
+
+    `no-new-privileges` is kept, so gosu still cannot escalate back to root
+    after the drop — the drop is a one-way transition performed before the
+    `no_new_privs` bit is enforced on the exec boundary.
+    """
+    args = docker_env._SECURITY_ARGS
+
+    # Flatten to set of added caps for clarity.
+    added = {
+        args[i + 1]
+        for i, flag in enumerate(args[:-1])
+        if flag == "--cap-add"
+    }
+    assert "SETUID" in added, "SETUID cap missing — gosu drop in entrypoint will fail"
+    assert "SETGID" in added, "SETGID cap missing — gosu drop in entrypoint will fail"
+
+    # Sanity: the hardening posture is still in place.
+    assert "--cap-drop" in args and "ALL" in args
+    assert "--security-opt" in args and "no-new-privileges" in args