Question 1

How does su-exec compare to gosu?

Accepted Answer

su-exec is a lighter, more minimalist alternative to gosu—10KB vs 1.8MB—and both solve TTY/signal issues in containers. However, gosu might have broader community support and features, while su-exec prioritizes size and simplicity for specific use cases.

Question 2

How to install su-exec in a Docker container?

Accepted Answer

You can copy the binary from an Alpine image or compile it from source. For example, add 'COPY --from=alpine:edge /sbin/su-exec /sbin/su-exec' to your Dockerfile, then use it in CMD or ENTRYPOINT with commands like 'su-exec nobody:ftp /app/start'.

Question 3

Why use su-exec instead of sudo in Docker?

Accepted Answer

su-exec avoids the child process hierarchy that sudo creates, which can mess up signals and TTYs in containers. It's also much smaller and designed specifically for containerized environments, reducing overhead and complexity.

Question 4

Does su-exec handle environment variables correctly?

Accepted Answer

su-exec executes the command directly, so environment variables are inherited from the parent process. However, it doesn't have built-in options to set or modify them, unlike some alternatives with more feature-rich designs.

Question 5

What are the security risks with su-exec?

Accepted Answer

Since su-exec requires root to run, improper use could allow privilege escalation or unintended access. Always validate user-spec inputs and restrict its usage to trusted scripts or containers to mitigate risks.

Question 6

Can su-exec work with systemd or init systems?

Accepted Answer

su-exec is a command-line tool focused on containers and scripts, so it might not integrate seamlessly with systemd's service management or other init systems that expect different privilege-switching mechanisms.

su-exec

What is su-exec?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Open Source Alternative To

Frequently Asked Questions