Problem
When Open WebUI configures a system-level Open Terminal connection (Admin → Integrations → Open Terminal), all users share the same execution context: same OS user (user), same home directory, same process namespace. There is no isolation between users.
The officially suggested solution (open-webui/terminals) solves this by provisioning one container per user. For many deployments, this is overkill: it requires the Docker socket to be mounted (full host access), an Enterprise License, and significant orchestration overhead.
Proposed Solution
A lighter alternative: per-user OS users inside a single container, with standard Unix permissions providing the isolation.
Flow:
- OWUI sends the user's session token with each proxied request (already possible via the "Session" auth mode in Admin panel)
- Open Terminal validates the token against OWUI's API (`GET {OWUI_URL}/api/v1/auths/`)
- On first access, create an OS user: `useradd -m <username>`
- Execute all commands as that user: `sudo -u <username> bash -c "<cmd>"`

With `chmod 700` on `/home/<username>`, Linux handles the rest:

```
alice$ cat /home/bob/secret.txt
→ Permission denied ← OS-enforced, no custom sandbox needed
```
Why this works without a sandbox: Standard Unix file permissions — each user owns their home directory. No path-restriction logic needed in the server.
Implementation Notes
- Estimated change: ~100–150 lines of Python in the existing FastAPI server
- `user` already has passwordless `sudo` → executing as other users is a one-line change
- Opt-in via new env vars: `OPEN_TERMINAL_OWUI_URL`, `OPEN_TERMINAL_USER_ISOLATION=true`
- Existing single-user deployments are unaffected
- Prior art for session validation: open-webui/terminals does this via `TERMINALS_OPEN_WEBUI_URL`
Compared to open-webui/terminals
| | This proposal | open-webui/terminals |
|---|---|---|
| Containers per user | 1 shared | 1 per user |
| Docker socket required | No | Yes |
| License | MIT (unchanged) | Enterprise |
| Production-ready | ✅ (small patch) | ⚠️ Alpha |
| Isolation level | Linux permissions | Full container |
For teams of trusted colleagues, Linux permission isolation is sufficient and significantly simpler to operate.
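The last two steps of the flow (create the OS user, run commands as that user), sketched as an added example that is not code from Open Terminal or from this proposal's author. It takes an already-validated OWUI user id and builds the `useradd`, `chmod` and `sudo` calls as argv lists, so the command string is parsed only by the target user's `bash`. Assumptions: the `owui_` hash-derived account name and all function names are hypothetical, and `-n`, `-H` and `--` are additions to the `sudo -u` call shown above.

```python
import hashlib
import re
import subprocess

# Assumption: accounts are named from a hash of the validated OWUI user id,
# never from a display name or e-mail, so no client-chosen text reaches argv.
PREFIX = "owui_"
SAFE_NAME = re.compile(r"owui_[0-9a-f]{16}")


def unix_username(owui_user_id: str) -> str:
    """Map an OWUI user id to a fixed-shape Unix account name."""
    if not owui_user_id:
        raise ValueError("empty user id")
    digest = hashlib.sha256(owui_user_id.encode("utf-8")).hexdigest()
    return PREFIX + digest[:16]


def _checked(username: str) -> str:
    # Refuse anything not produced by unix_username(): blocks "root",
    # option-like strings and path separators.
    if not SAFE_NAME.fullmatch(username):
        raise ValueError(f"refusing account name {username!r}")
    return username


def provision_argv(username: str) -> list[list[str]]:
    """Commands for first access: create the user, then lock down the home."""
    name = _checked(username)
    return [["useradd", "-m", name], ["chmod", "700", f"/home/{name}"]]


def run_argv(username: str, cmd: str) -> list[str]:
    """argv for running cmd as the user. cmd stays one element, so only the
    target user's bash parses it, never a shell running as the service user."""
    return ["sudo", "-n", "-H", "-u", _checked(username), "--", "bash", "-c", cmd]


def run_as(username: str, cmd: str, timeout: float = 30.0) -> subprocess.CompletedProcess:
    # A list argv with the default shell=False means no outer shell interpolation.
    return subprocess.run(run_argv(username, cmd), capture_output=True,
                          text=True, timeout=timeout)
```
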