teleport service as non-root

[KasperSkytte]

Haven't been able to find anything in the docs or GitHub issues/discussions. But would it be possible to run the teleport service on a host without elevated privileges? So that I can login as a regular user not in /etc/sudoers, install teleport from source and then start a teleport service using teleport start --roles=node xxx to be able to connect to the particular node from other nodes in the cluster?

[KasperSkytte]

As mentioned here https://goteleport.com/docs/installation/#installing-from-source I need to make /var/lib/teleport writable for the particular user to be able to start the teleport service. Without that permission set I get the (expected) error:

ERROR: initialization failed
mkdir /var/lib/teleport: permission denied

[webvictim]

You can run the Teleport auth and proxy services as a non-root user without any trouble (as long as you grant read/write permissions on /var/lib/teleport to that user as you mentioned). Other Teleport agent services (like Kubernetes/Database/Application/Windows Desktop access) can also be run as a non-root user without any issues.

The one exception is that you can't run the Teleport node service (ssh_service) as a non-root user because it may need to spawn a shell as any user logging into the node (which could be root). It may be possible to work around this with capabilities/setuid, but I haven't ever tried it.

[KasperSkytte]

@webvictim Thank you. But with no privilege to set permissions on the /var/lib/teleport/ folder on the particular node(s), how would I go on? Can I set a different location? Otherwise I can't proceed.

[webvictim]

Yes, you can change the data_dir in Teleport's config file:

teleport:
  data_dir: /home/teleport/data

You can also write the config file to another location and pass this path to Teleport if you need: teleport start -c /home/teleport/config.yaml

[developer-guy]

Hi, we were trying to achieve same thing where we would like to run Teleport as non-root user but we noticed that there was an error like even if we grant root permissions for /var/lib/teleport/proc folder where the SQLite DB writes:

2024-06-04T20:44:01Z ERRO [SQLITE]    "Failing schema step: CREATE TABLE IF NOT EXISTS kv (\n           key TEXT NOT NULL PRIMARY KEY,\n           modified INTEGER NOT NULL,\n           expires DATETIME,\n
      value BLOB,\n           revision TEXT NOT NULL DEFAULT \"\"\n\t\t);\n        CREATE INDEX IF NOT EXISTS kv_expires ON kv (expires);, unable to open database file: permission denied." lite/lite.go:343
ERROR: initialization failed
        error creating schema: file:/var/lib/teleport/proc/sqlite.db?_busy_timeout=10000&_sync=FULL&_txlock=immediate
                unable to open database file: permission denied

Here is list of my file/folder permissions within the container.

bash-5.2$ ls -latr /var/lib/
total 24
drwxrwxrwx    3 nonroot  nonroot       4096 Jan  1  1970 teleport
drwx------    2 ftp      ftp           4096 Jan  1  1970 ftp
drwxr-xr-x    3 root     root          4096 Jan  1  1970 db
drwxr-xr-x    2 root     root          4096 Jan  1  1970 apk
drwxr-xr-x    9 root     root          4096 Jan  1  1970 ..
drwxr-xr-x    6 root     root          4096 Jan  1  1970 .

bash-5.2$ ls -latr /var/lib/teleport/
total 12
drwxrwxrwx    2 root     root          4096 Jan  1  1970 proc
drwxr-xr-x    6 root     root          4096 Jan  1  1970 ..
drwxrwxrwx    3 nonroot  nonroot       4096 Jan  1  1970 .
bash-5.2$

We were using the teleport-cluster Helm Chart to deploy Teleport, https://charts.releases.teleport.dev/, so, we just changed the name of the container image, that's all.

cc @mamccorm @webvictim

[webvictim]

What are the permissions on /var/lib/teleport/proc/sqlite.db itself, and what is the output of ps -ef | grep teleport?

There's also other ways to remap UID/GID and filesystem permissions inside containers, so I'm curious what your actual Deployment in Kubernetes looks like...

[developer-guy]

What are the permissions on /var/lib/teleport/proc/sqlite.db itself, and what is the output of ps -ef | grep teleport?

bash-5.2$ ls -latr /var/lib/teleport/proc/
total 80
-rw-------    1 nonroot  nonroot      65536 Jun  5 17:51 sqlite.db
drwxrwxrwx    1 nonroot  nonroot       4096 Jun  5 17:51 ..
drwxrwxrwx    1 root     root          4096 Jun  5 17:51 .
bash-5.2$ ls -latr /var/lib/teleport/
total 40
drwxr-xr-x    1 root     root          4096 Jan  1  1970 ..
-r--------    1 nonroot  nonroot         36 Jun  5 17:51 host_uuid
-rw-------    1 nonroot  nonroot       1679 Jun  5 17:51 webproxy_key.pem
-rw-------    1 nonroot  nonroot       1334 Jun  5 17:51 webproxy_cert.pem
drwxrwxrwx    1 root     root          4096 Jun  5 17:51 proc
drwxr-x---    6 nonroot  nonroot       4096 Jun  5 17:51 log
drwxrwxrwx    1 nonroot  nonroot       4096 Jun  5 17:51 .
drwx------    2 nonroot  nonroot       4096 Jun  5 17:51 backend
bash-5.2$

this is from the container where I ran locally because this container didn't start up in cluster here is the deployment of the Teleport:

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "2"
    meta.helm.sh/release-name: teleport-cluster
    meta.helm.sh/release-namespace: teleport-cluster
  labels:
    app: teleport-cluster
    app.kubernetes.io/component: auth
    app.kubernetes.io/instance: teleport-cluster
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: teleport-cluster
    app.kubernetes.io/version: 15.4.0
    helm.sh/chart: teleport-cluster-15.4.0
    teleport.dev/majorVersion: "15"
  name: teleport-cluster-auth
  namespace: teleport-cluster
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: auth
      app.kubernetes.io/instance: teleport-cluster
      app.kubernetes.io/name: teleport-cluster
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        checksum/config: dd50066cc72100cb74ab8cd85fcbcbaf0878a3c5f00424e9382b215cd68a3fc5
      creationTimestamp: null
      labels:
        app: teleport-cluster
        app.kubernetes.io/component: auth
        app.kubernetes.io/instance: teleport-cluster
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: teleport-cluster
        app.kubernetes.io/version: 15.4.0
        helm.sh/chart: teleport-cluster-15.4.0
        teleport.dev/majorVersion: "15"
    spec:
      automountServiceAccountToken: false
      containers:
      - args:
        - --diag-addr=0.0.0.0:3000
        - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
        image: my-teleport-image
        imagePullPolicy: Always
        lifecycle:
          preStop:
            exec:
              command:
              - teleport
              - wait
              - duration
              - 30s
        livenessProbe:
          failureThreshold: 6
          httpGet:
            path: /healthz
            port: diag
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 1
        name: teleport
        ports:
        - containerPort: 3000
          name: diag
          protocol: TCP
        - containerPort: 3025
          name: auth
          protocol: TCP
        - containerPort: 3026
          name: kube
          protocol: TCP
        readinessProbe:
          failureThreshold: 12
          httpGet:
            path: /readyz
            port: diag
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 1
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/teleport
          name: config
          readOnly: true
        - mountPath: /var/lib/teleport
          name: data
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: auth-serviceaccount-token
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      serviceAccount: teleport-cluster
      serviceAccountName: teleport-cluster
      terminationGracePeriodSeconds: 60
      volumes:
      - name: auth-serviceaccount-token
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              expirationSeconds: 3600
              path: token
          - configMap:
              items:
              - key: ca.crt
                path: ca.crt
              name: kube-root-ca.crt
          - downwardAPI:
              items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
                path: namespace
      - configMap:
          defaultMode: 420
          name: teleport-cluster-auth
        name: config
      - name: data
        persistentVolumeClaim:
          claimName: teleport-cluster

Thanks.

[developer-guy]

kindly ping @webvictim

[webvictim]

I see that the permissions on /var/lib/teleport/proc/sqlite.db itself are chmod 600 i.e. only the nonroot user can read/write, and no other user can even see that the file exists. It would be worth making sure that you chown -R nonroot:nonroot /var/lib/teleport/proc/sqlite.db to ensure that the full chain of permissions is correct on the file.

I also don't see where you've defined the use of a non-root user in your Deployment?

[developer-guy]

I see that the permissions on /var/lib/teleport/proc/sqlite.db itself are chmod 600 i.e. only the nonroot user can read/write, and no other user can even see that the file exists.

I'm not the one who creates that file, teleport creates it.

I also don't see where you've defined the use of a non-root user in your Deployment?

I created nonroot (65532) user at image level, so, my container started up as nonroot user.