Skip to content

Instantly share code, notes, and snippets.

@vejeta

vejeta/stremio-nonroot-secure.sh

Last active October 28, 2025 21:02
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save vejeta/859f100ef74b87eadf7f7541ead2a2b1 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save vejeta/859f100ef74b87eadf7f7541ead2a2b1 to your computer and use it in GitHub Desktop.
Download ZIP
Running stremio in wolfi
Raw
stremio-nonroot-secure.sh
#!/bin/bash
# stremio-nonroot-secure.sh
# Secure nonroot execution for Stremio in production environments
# Implements security best practices for containerized GUI applications
set -e
# Detect system configuration
VIDEO_GID=$(stat -c "%g" /dev/dri/card0)
RENDER_GID=$(stat -c "%g" /dev/dri/renderD128)
AUDIO_GID=$(getent group audio | cut -d: -f3)
USER_UID=$(id -u)
USER_GID=$(id -g)
echo "=== Stremio - Secure Nonroot Execution ==="
echo "Configuration:"
echo " User UID:GID = $USER_UID:$USER_GID"
echo " Video GID = $VIDEO_GID"
echo " Render GID = $RENDER_GID"
echo " Audio GID = $AUDIO_GID"
echo " DISPLAY = $DISPLAY"
echo ""
# Generate X11 authentication file for container
echo "Preparing X11 authentication..."
XAUTH_TMP="/tmp/.docker-stremio-$USER_UID.xauth"
touch "$XAUTH_TMP"
xauth nlist "$DISPLAY" | sed -e 's/^..../ffff/' | xauth -f "$XAUTH_TMP" nmerge -
echo "Starting Stremio container..."
echo ""
docker run --rm -it \
--name stremio-secure \
--user "$USER_UID:$USER_GID" \
--group-add "$VIDEO_GID" \
--group-add "$RENDER_GID" \
--group-add "$AUDIO_GID" \
--security-opt=no-new-privileges:true \
--cap-drop=ALL \
-e DISPLAY="$DISPLAY" \
-e XAUTHORITY="/tmp/.Xauthority" \
-e PULSE_SERVER="unix:/tmp/pulse-socket" \
-e HOME="/home/nonroot" \
-v /tmp/.X11-unix:/tmp/.X11-unix:rw \
-v "$XAUTH_TMP:/tmp/.Xauthority:ro" \
-v "/run/user/$USER_UID/pulse/native:/tmp/pulse-socket:ro" \
--device /dev/dri:/dev/dri \
--device /dev/snd:/dev/snd \
--ipc=host \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid,size=2g \
--tmpfs /home/nonroot:rw,exec,nosuid,uid=$USER_UID,gid=$USER_GID,size=100m \
--network host \
cgr.dev/chainguard/stremio
# Cleanup
echo ""
echo "Cleaning up X11 authentication file..."
rm -f "$XAUTH_TMP"
echo "=== Stremio exited ==="
Raw
stremio-root-simple.sh
#!/bin/bash
# stremio-root-simple.sh
# Simple root execution for Stremio - easier setup, less secure
# Use for testing or when security is not a primary concern
set -e
USER_UID=$(id -u)
echo "=== Stremio - Simple Root Execution ==="
echo "WARNING: Running as root - less secure but simpler setup"
echo ""
docker run --rm -it \
--name stremio \
--user root \
-e DISPLAY="$DISPLAY" \
-e PULSE_SERVER="unix:/tmp/pulse-socket" \
-v /tmp/.X11-unix:/tmp/.X11-unix:rw \
-v "$HOME/.Xauthority:/root/.Xauthority:ro" \
-v "/run/user/$USER_UID/pulse/native:/tmp/pulse-socket:ro" \
--device /dev/dri \
--device /dev/snd \
--ipc=host \
--shm-size=1g \
--network host \
cgr.dev/chainguard/stremio
echo ""
echo "=== Stremio exited ==="
@vejeta
Copy link
Author

vejeta commented Oct 28, 2025

PR for wolfi with the stremio packaging: wolfi-dev/os#69098
The previous scripts will work when the PR is merged.

In the meanwhile other ways of testing this, if you checkout my branch is:

FOR NON-ROOT USERS:

#!/bin/bash
# stremio-nonroot-secure.sh - The correct and secure way!

# This WORKS for NON ROOT USERS!

set -e

VIDEO_GID=$(stat -c "%g" /dev/dri/card0)
RENDER_GID=$(stat -c "%g" /dev/dri/renderD128)
AUDIO_GID=$(getent group audio | cut -d: -f3)
USER_UID=$(id -u)
USER_GID=$(id -g)

echo "=== Configuración detectada ==="x
echo "User UID:GID = $USER_UID:$USER_GID"
echo "Video GID = $VIDEO_GID"
echo "Render GID = $RENDER_GID"
echo "Audio GID = $AUDIO_GID"
echo "DISPLAY = $DISPLAY"
echo ""

# Generar XAUTHORITY para el contenedor
echo "=== Preparando X11 authentication ===" 
XAUTH_TMP="/tmp/.docker-stremio.xauth"
touch "$XAUTH_TMP"
xauth nlist "$DISPLAY" | sed -e 's/^..../ffff/' | xauth -f "$XAUTH_TMP" nmerge -

echo "=== Ejecutando Stremio como nonroot (secure) ==="
docker run --rm -it \
  --name stremio-secure \
  --user "$USER_UID:$USER_GID" \
  --group-add "$VIDEO_GID" \
  --group-add "$RENDER_GID" \
  --group-add "$AUDIO_GID" \
  --security-opt=no-new-privileges:true \
  --cap-drop=ALL \
  -e DISPLAY="$DISPLAY" \
  -e XAUTHORITY="/tmp/.Xauthority" \
  -e PULSE_SERVER="unix:/tmp/pulse-socket" \
  -e HOME="/home/nonroot" \
  -v /tmp/.X11-unix:/tmp/.X11-unix:rw \
  -v "$XAUTH_TMP:/tmp/.Xauthority:ro" \
  -v "/run/user/$USER_UID/pulse/native:/tmp/pulse-socket:ro" \
  --device /dev/dri:/dev/dri \
  --device /dev/snd:/dev/snd \
  --ipc=host \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid,size=2g \
  --tmpfs /home/nonroot:rw,exec,nosuid,uid=$USER_UID,gid=$USER_GID,size=100m \
  --network host \
  stremio:nonroot \
  sh -c 'id && ls -la /dev/dri && stremio'

# Cleanup
rm -f "$XAUTH_TMP"

echo ""
echo "=== Cleaned up ==="

e.g.: FOR ROOT USERS WITH INTEL HARDWARE:

#!/bin/bash
# test-stremio-intel-drivers.sh
#THIS WORKS PERFECTLY

USER_UID=$(id -u)
PACKAGES_DIR="$HOME/development/wolfi/wolfi-packages/x86_64"

docker run --rm -it \
  --user root \
  -e DISPLAY="$DISPLAY" \
  -e PULSE_SERVER="unix:/tmp/pulse-socket" \
  -e LIBVA_DRIVER_NAME="iHD" \
  -v /tmp/.X11-unix:/tmp/.X11-unix:rw \
  -v "$HOME/.Xauthority:/root/.Xauthority:ro" \
  -v "/run/user/$USER_UID/pulse/native:/tmp/pulse-socket:ro" \
  -v "$PACKAGES_DIR:/packages:ro" \
  --device /dev/dri \
  --device /dev/snd \
  --ipc=host \
  --shm-size=1g \
  --network host \
  cgr.dev/chainguard/wolfi-base \
  /bin/sh -c '
    apk update
    apk add fontconfig font-noto pulseaudio
    
    echo "=== Instalando drivers Intel específicos ==="
    apk add \
      mesa-dri-gallium \
      mesa-va-gallium \
      intel-media-driver \
      libva-intel-driver
    
    apk add --allow-untrusted /packages/*.apk
    
    echo ""
    echo "=== Verificando drivers ==="
    ls -la /usr/lib/dri/ | grep i9
    
    echo ""
    stremio
  '

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment