Non-root user arbitrary creation of projects?

I’m building a “self-service” graphical interface prototype for Incus which allows users to SSH into a TUI (terminal user interface) and administer their own instances.

So far, I’m running this interface as a user who is in the incus-admin group on the host system due to needing to create projects/networks/storage/profiles which are private for each user.

The interface uses standard SSH keys for authentication. Once instances are created, network forwarding from the host allows users to SSH directly into the instances, bypassing the TUI.

There are no user input fields on the TUI and choice is restricted to specific functionality. However, ideally, this interface wouldn’t be running under incus-admin.

The idea is that users are trusted and the instances that are created are not privileged. However, it seems not ideal.

Is there any way to allow a host system user who does not belong to the incus-admin user group to create arbitrary projects?

Any hints are welcome!

I’m not sure what that would achieve.
Anyone who’s allowed to create projects and/or modify project restrictions is able to give themself full root access on the host system.

Thanks, that makes it pretty clear :sweat_smile: I’ll re-work the approach to have system users of group incus work within their own default projects.

If you were to use security.nesting and then in each container of your users you would install a separate installation of Incus, wouldn’t that solve the issue?
The users would SSH into their own container.