Recompile gosu with latest Go version

Gosu is a small, open-source tool that allows you to run a command as a different user or group, similar to the sudo command, but with more flexibility and control. It provides a way to execute a command with a specific user ID, group ID, and supplementary groups, making it useful for scenarios where you need to run a command with elevated privileges. Gosu is often used in Docker containers to run the application as non-root.

The issue at hand is that gosu, a popular tool, is currently built with Go 1.18.x, a deprecated version that is no longer receiving functional or vulnerability fixes.

In this article, we will walk you through a simple and effective solution to mitigate these security concerns by recompiling gosu with the latest Go version (1.21.4).

Recompiling Gosu with the Latest Go Version

To begin, let's check out the gosu Git repository and make a few modifications to the Dockerfile.

  1. Checkout the Gosu Git repo: Clone the Gosu repository from GitHub using the command git clone https://github.com/tianon/gosu.git.
  2. Update the Dockerfile: Open the Dockerfile and update the FROM instruction to FROM golang:1.21.4-bookworm. This will ensure that we're using the latest Go version to compile Gosu.
  3. Build the image: Run the command docker build -t my-gosu-image. to build a new image with the updated Go version.

Using Multi-Stage Builds to Copy the Gosu Binary

Now that we have a new image with the latest Go version, let's use a multi-stage build to copy the Gosu binary out and use it in our image.

Here's an example Dockerfile:

# Stage 1: Get gosu from another image
FROM tianon/gosu:latest AS gosu

# Stage 2: Your actual build
FROM your-base-image
ARG PLATFORM

COPY --from=gosu /go/bin/gosu-${PLATFORM} /usr/local/bin/gosu
RUN chmod +x /usr/local/bin/gosu

In this example, we're using the FROM instruction to create a new stage that copies the gosu binary from the gosu image. We then use the COPY instruction to copy the binary to our actual build stage. Remember to use the right platform, like amd64, arm64, i386, etc.

More information

GitHub - tianon/gosu: Simple Go-based setuid+setgid+setgroups+exec
Simple Go-based setuid+setgid+setgroups+exec. Contribute to tianon/gosu development by creating an account on GitHub.
Build gosu with a supported version of GO · Issue #136 · tianon/gosu
Go 1.18.x is deprecated and is not receiving functional or vulnerability fixes. Are there plans to update gosu to be built with a supported version of GO (1.20 and 1.21 are the current supported re...
fix: update runc dependency 5 patch versions to remediate vulnerabilities by mmccard · Pull Request #131 · tianon/gosu
runc v1.1.2 and v1.1.5 fix about 2 dozen Common Vulnerabilities and Exposures.tested locally with:./build.sh./test.sh ./gosu-amd64