fix: drop perms for boundary process (#512 )

feat: dropping perms before running claude (#509 )
Co-authored-by: DevCats <christofer@coder.com> Co-authored-by: Atif Ali <atif@coder.com>
2026-06-03 13:08:14 +00:00 · 2025-10-24 21:23:42 -04:00 · 2025-10-24 15:35:20 -05:00 · 2025-10-24 23:14:34 +05:00 · 2025-10-24 17:47:51 +00:00
6 changed files with 22 additions and 32 deletions
@@ -13,7 +13,7 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
  source         = "registry.coder.com/coder/claude-code/coder"
-  version        = "3.3.0"
+  version        = "3.3.3"
  agent_id       = coder_agent.example.id
  workdir        = "/home/coder/project"
  claude_api_key = "xxxx-xxxxx-xxxx"
@@ -51,7 +51,7 @@ module "claude-code" {
  boundary_log_level               = "WARN"
  boundary_additional_allowed_urls = ["GET *google.com"]
  boundary_proxy_port              = "8087"
-  version                          = "3.3.0"
+  version                          = "3.3.3"
 }
 ```

@@ -70,7 +70,7 @@ data "coder_parameter" "ai_prompt" {

 module "claude-code" {
  source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "3.3.0"
+  version  = "3.3.3"
  agent_id = coder_agent.example.id
  workdir  = "/home/coder/project"

@@ -106,7 +106,7 @@ Run and configure Claude Code as a standalone CLI in your workspace.
 ```tf
 module "claude-code" {
  source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "3.3.0"
+  version             = "3.3.3"
  agent_id            = coder_agent.example.id
  workdir             = "/home/coder"
  install_claude_code = true
@@ -129,7 +129,7 @@ variable "claude_code_oauth_token" {

 module "claude-code" {
  source                  = "registry.coder.com/coder/claude-code/coder"
-  version                 = "3.3.0"
+  version                 = "3.3.3"
  agent_id                = coder_agent.example.id
  workdir                 = "/home/coder/project"
  claude_code_oauth_token = var.claude_code_oauth_token
@@ -202,7 +202,7 @@ resource "coder_env" "bedrock_api_key" {

 module "claude-code" {
  source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "3.3.0"
+  version  = "3.3.3"
  agent_id = coder_agent.example.id
  workdir  = "/home/coder/project"
  model    = "global.anthropic.claude-sonnet-4-5-20250929-v1:0"
@@ -259,7 +259,7 @@ resource "coder_env" "google_application_credentials" {

 module "claude-code" {
  source   = "registry.coder.com/coder/claude-code/coder"
-  version  = "3.3.0"
+  version  = "3.3.3"
  agent_id = coder_agent.example.id
  workdir  = "/home/coder/project"
  model    = "claude-sonnet-4@20250514"
@@ -91,11 +91,6 @@ function report_tasks() {
    export CODER_MCP_APP_STATUS_SLUG="$ARG_MCP_APP_STATUS_SLUG"
    export CODER_MCP_AI_AGENTAPI_URL="http://localhost:3284"
    coder exp mcp configure claude-code "$ARG_WORKDIR"
-  else
-    export CODER_MCP_APP_STATUS_SLUG=""
-    export CODER_MCP_AI_AGENTAPI_URL=""
-    echo "Configuring Claude Code with Coder MCP..."
-    coder exp mcp configure claude-code "$ARG_WORKDIR"
  fi
 }

@@ -79,6 +79,9 @@ task_session_exists() {
 ARGS=()

 function start_agentapi() {
+  # For Task reporting
+  export CODER_MCP_ALLOWED_TOOLS="coder_report_task"
+
  mkdir -p "$ARG_WORKDIR"
  cd "$ARG_WORKDIR"

@@ -163,18 +166,10 @@ function start_agentapi() {
      BOUNDARY_ARGS+=(--pprof-port ${ARG_BOUNDARY_PPROF_PORT})
    fi

-    # Remove --dangerously-skip-permissions from ARGS when using boundary (it doesn't work with elevated permissions)
-    # Create a new array without the dangerous permissions flag
-    CLAUDE_ARGS=()
-    for arg in "${ARGS[@]}"; do
-      if [ "$arg" != "--dangerously-skip-permissions" ]; then
-        CLAUDE_ARGS+=("$arg")
-      fi
-    done
-
    agentapi server --allowed-hosts="*" --type claude --term-width 67 --term-height 1190 -- \
-      sudo -E env PATH=$PATH setpriv --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin boundary "${BOUNDARY_ARGS[@]}" -- \
-      claude "${CLAUDE_ARGS[@]}"
+      sudo -E env PATH=$PATH setpriv --reuid=$(id -u) --regid=$(id -g) --clear-groups \
+      --inh-caps=+net_admin --ambient-caps=+net_admin --bounding-set=+net_admin boundary "${BOUNDARY_ARGS[@]}" -- \
+      claude "${ARGS[@]}"
  else
    agentapi server --type claude --term-width 67 --term-height 1190 -- claude "${ARGS[@]}"
  fi
@@ -14,7 +14,7 @@ Automatically install [KasmVNC](https://kasmweb.com/kasmvnc) in a workspace, and
 module "kasmvnc" {
  count               = data.coder_workspace.me.start_count
  source              = "registry.coder.com/coder/kasmvnc/coder"
-  version             = "1.2.4"
+  version             = "1.2.5"
  agent_id            = coder_agent.example.id
  desktop_environment = "xfce"
  subdomain           = true
@@ -23,7 +23,7 @@ variable "port" {
 variable "kasm_version" {
  type        = string
  description = "Version of KasmVNC to install."
-  default     = "1.3.2"
+  default     = "1.4.0"
 }

 variable "desktop_environment" {
@@ -8,10 +8,10 @@ error() {
  exit 1
 }

-# Function to check if vncserver is already installed
+# Function to check if KasmVNC is already installed
 check_installed() {
-  if command -v vncserver &> /dev/null; then
-    echo "vncserver is already installed."
+  if command -v kasmvncserver &> /dev/null; then
+    echo "KasmVNC is already installed."
    return 0 # Don't exit, just indicate it's installed
  else
    return 1 # Indicates not installed
@@ -158,7 +158,7 @@ case "$arch" in
    ;;
 esac

-# Check if vncserver is installed, and install if not
+# Check if KasmVNC is installed, and install if not
 if ! check_installed; then
  # Check for NOPASSWD sudo (required)
  if ! command -v sudo &> /dev/null || ! sudo -n true 2> /dev/null; then
@@ -188,7 +188,7 @@ if ! check_installed; then
      ;;
  esac
 else
-  echo "vncserver already installed. Skipping installation."
+  echo "KasmVNC already installed. Skipping installation."
 fi

 if command -v sudo &> /dev/null && sudo -n true 2> /dev/null; then
@@ -227,7 +227,7 @@ EOF
 # This password is not used since we start the server without auth.
 # The server is protected via the Coder session token / tunnel
 # and does not listen publicly
-echo -e "password\npassword\n" | vncpasswd -wo -u "$USER"
+echo -e "password\npassword\n" | kasmvncpasswd -wo -u "$USER"

 get_http_dir() {
  # determine the served file path
@@ -290,7 +290,7 @@ VNC_LOG="/tmp/kasmvncserver.log"
 printf "🚀 Starting KasmVNC server...\n"

 set +e
-vncserver -select-de "${DESKTOP_ENVIRONMENT}" -disableBasicAuth > "$VNC_LOG" 2>&1
+kasmvncserver -select-de "${DESKTOP_ENVIRONMENT}" -disableBasicAuth > "$VNC_LOG" 2>&1
 RETVAL=$?
 set -e
Author	SHA1	Message	Date
Yevhenii Shcherbina	01f5100068	fix: drop perms for boundary process (#512 )	2025-10-24 21:23:42 -04:00
Yevhenii Shcherbina	7e42a145fa	feat: dropping perms before running claude (#509 ) Co-authored-by: DevCats <christofer@coder.com> Co-authored-by: Atif Ali <atif@coder.com>	2025-10-24 15:35:20 -05:00
Atif Ali	0ff3dbcc48	chore(claude-code): limit MCP tools for task reporting (#507 )	2025-10-24 23:14:34 +05:00
netsgnut	a327e79bc4	fix(kasmvnc): change installed check and bump default version (#505 ) ## Description This PR makes the following changes to the `coder/modules/kasmvnc`: - Change the installation check from checking `vncserver` to `kasmvncserver`. - Bump the default KasmVNC installation version to [1.4.0](https://docs.kasmvnc.com/docs/release_notes/1.4.0). In images where there is already TightVNC installed, the current installation check will erroneously report that KasmVNC is already installed. By checking `kasmvncserver` instead, it ensures KasmVNC is installed. Tested on Debian, Kali and Alpine-based images. ## Type of Change - [ ] New module - [ ] New template - [X] Bug fix - [ ] Feature/enhancement - [ ] Documentation - [ ] Other ## Module Information Path: `registry/coder/modules/kasmvnc` New version: `v1.2.5` Breaking change: [ ] Yes [X] No ## Testing & Validation - [X] Tests pass (`bun test`) - [X] Code formatted (`bun fmt`) - [X] Changes tested locally ## Related Issues None	2025-10-24 17:47:51 +00:00