tianon / gosu
Simple Go-based setuid+setgid+setgroups+exec
AI Architecture Analysis
This repository is indexed by RepoMind. By analyzing tianon/gosu in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.
Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.
Repository Overview (README excerpt)
gosu

This is a simple tool grown out of the simple fact that and have very strange and often annoying TTY and signal-forwarding behavior. They're also somewhat complex to set up and use (especially in the case of ), which allows for a great deal of expressivity, but falls flat if all you need is "run this specific application as this specific user and get out of the pipeline".

The core of how works is stolen directly from how Docker/libcontainer itself starts an application inside a container (and in fact, is using the processing code directly from libcontainer's codebase). Once the user/group is processed, we switch to that user, then we the specified process and itself is no longer resident or involved in the process lifecycle at all. This avoids all the issues of signal passing and TTY, and punts them to the process invoking and the process being invoked by , where they belong.

Warning

The core use case for is to step _down_ from to a non-privileged user during container startup (specifically in the , usually). Uses of beyond that could very well suffer from vulnerabilities such as CVE-2016-2779 (from which the Docker use case naturally shields us); see for some discussion around this point.

Installation

High-level steps:
• download as
• download as
• fetch my public key (to verify your download):
•
•
For explicit instructions, see .

Why?

Additionally, due to the fact that is using Docker's own code for processing these , it has exact 1:1 parity with Docker's own flag. If you're curious about the edge cases that handles, see for the "test suite" (and the associated script that wraps this up for testing arbitrary binaries). (Note that has different goals from this project, and it is *not* intended to be a replacement; for example, see this Stack Overflow answer for a short explanation of why does + instead of just .)
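The step-down sequence the README describes (resolve the user, switch to it, then exec so the tool is no longer resident), as an added Go example that is not gosu's or libcontainer's code: it resolves a user with os/user, applies setgroups, setgid and setuid in that order and then execs, and routes the three syscalls through package variables so the ordering and fail-closed behaviour can be exercised without root. The Lookup and Exec names, the setgroups/setgid/setuid variables, and the single-gid supplementary list are this example's assumptions.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"strconv"
	"syscall"
)

// The privilege syscalls as variables so the ordering can be exercised
// without root. Go 1.16+ applies each one to every thread of the process.
var (
	setgroups = syscall.Setgroups
	setgid    = syscall.Setgid
	setuid    = syscall.Setuid
)
// Lookup resolves a user name or numeric uid and its primary gid from passwd
// (simplified: libcontainer's user[:group] rules also accept an explicit group).
func Lookup(spec string) (int, int, error) {
	u, err := user.Lookup(spec)
	if err != nil {
		if u, err = user.LookupId(spec); err != nil {
			return 0, 0, err
		}
	}
	uid, _ := strconv.Atoi(u.Uid)
	gid, _ := strconv.Atoi(u.Gid)
	return uid, gid, nil
}
// Exec drops to uid/gid in gosu's order (groups, gid, uid last, so each step
// still holds the privilege it needs), then replaces this process with argv so
// nothing stays resident for signals or the TTY. Returning at all is an error.
func Exec(uid, gid int, argv []string) error {
	if err := setgroups([]int{gid}); err != nil { // gosu passes libcontainer's resolved list
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	path, err := exec.LookPath(argv[0])
	if err != nil {
		return err
	}
	return syscall.Exec(path, argv, os.Environ())
}
```

A wrapper would call `Lookup` on its first argument and then `Exec` with the remaining arguments; run as root it leaves no parent process behind, exactly the property the README attributes to gosu.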
Alternatives

Available in newer ( , in Debian; https://manpages.debian.org/buster/util-linux/setpriv.1.en.html):
With the flag, can provide similar benefits/behavior:

In the Alpine Linux ecosystem, is a minimal re-write of in C, making for a much smaller binary, and is available in the Alpine package repository. Versions older than 0.3 had a pretty severe parser bug, so make sure you're using version 0.3 or above.

Others

I'm not terribly familiar with them, but a few other alternatives I'm aware of include:
• (part of )