aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAvatar Ciaran McCreesh <ciaran.mccreesh@googlemail.com> 2007-02-24 22:26:43 +0000
committerAvatar Ciaran McCreesh <ciaran.mccreesh@googlemail.com> 2007-02-24 22:26:43 +0000
commit0cf1a3b54530df471ff340a64bcc888cc2de58c9 (patch)
tree06585a9ae065c4cf0ef25035a07370b566f47bcd
parentd339b598dfa6b8b61257cbe8c778aa5a8f26bb9c (diff)
downloadpaludis-0cf1a3b54530df471ff340a64bcc888cc2de58c9.tar.gz
paludis-0cf1a3b54530df471ff340a64bcc888cc2de58c9.tar.xz
Initial highly crude userpriv support
-rw-r--r--paludis/environment.cc12
-rw-r--r--paludis/environment.hh18
-rw-r--r--paludis/environment/default/default_config.cc49
-rw-r--r--paludis/environment/default/default_config.hh9
-rw-r--r--paludis/environment/default/default_environment.cc20
-rw-r--r--paludis/environment/default/default_environment.hh3
-rw-r--r--paludis/repositories/gentoo/ebuild.cc10
-rw-r--r--paludis/util/pstream.cc4
-rw-r--r--paludis/util/system.cc4
9 files changed, 122 insertions, 7 deletions
diff --git a/paludis/environment.cc b/paludis/environment.cc
index 9b31530..9bd7c05 100644
--- a/paludis/environment.cc
+++ b/paludis/environment.cc
@@ -617,6 +617,18 @@ Environment::default_destinations() const
return result;
}
+uid_t
+Environment::reduced_uid() const
+{
+ return getuid();
+}
+
+gid_t
+Environment::reduced_gid() const
+{
+ return getgid();
+}
+
Environment::WorldCallbacks::WorldCallbacks()
{
}
diff --git a/paludis/environment.hh b/paludis/environment.hh
index 4884a0b..0e23ebc 100644
--- a/paludis/environment.hh
+++ b/paludis/environment.hh
@@ -385,6 +385,24 @@ namespace paludis
*/
virtual std::tr1::shared_ptr<const DestinationsCollection> default_destinations() const
PALUDIS_ATTRIBUTE((warn_unused_result));
+
+ /**
+ * uid to use for operations that don't reqiure root privs.
+ *
+ * Should return the current uid unless we are root. Default: always return
+ * the current uid.
+ */
+ virtual uid_t reduced_uid() const
+ PALUDIS_ATTRIBUTE((warn_unused_result));
+
+ /**
+ * gid to use for operations that don't reqiure root privs.
+ *
+ * Should return the current gid unless we are root. Default: always return
+ * the current gid.
+ */
+ virtual gid_t reduced_gid() const
+ PALUDIS_ATTRIBUTE((warn_unused_result));
};
}
diff --git a/paludis/environment/default/default_config.cc b/paludis/environment/default/default_config.cc
index b955a5b..cdba2cc 100644
--- a/paludis/environment/default/default_config.cc
+++ b/paludis/environment/default/default_config.cc
@@ -40,6 +40,8 @@
#include <map>
#include <ctype.h>
+#include <sys/types.h>
+#include <pwd.h>
/** \file
* Implementation of default_config.hh classes.
@@ -121,6 +123,9 @@ namespace paludis
std::vector<UseConfigEntry> forced_use_config;
+ mutable std::tr1::shared_ptr<uid_t> reduced_uid;
+ mutable std::tr1::shared_ptr<gid_t> reduced_gid;
+
Implementation();
void need_sets_expanded() const;
@@ -1062,3 +1067,47 @@ DefaultConfig::end_user_unmasks_sets() const
return UserMasksSetsIterator(_imp->set_unmasks.end());
}
+uid_t
+DefaultConfig::reduced_uid() const
+{
+ if (! _imp->reduced_uid)
+ {
+ struct passwd * p(getpwnam(reduced_username().c_str()));
+ if (! p)
+ {
+ Log::get_instance()->message(ll_warning, lc_no_context,
+ "Couldn't determine uid for user '" + reduced_username() + "'");
+ _imp->reduced_uid.reset(new uid_t(getuid()));
+ }
+ else
+ _imp->reduced_uid.reset(new uid_t(p->pw_uid));
+ }
+
+ return *_imp->reduced_uid;
+}
+
+gid_t
+DefaultConfig::reduced_gid() const
+{
+ if (! _imp->reduced_gid)
+ {
+ struct passwd * p(getpwnam(reduced_username().c_str()));
+ if (! p)
+ {
+ Log::get_instance()->message(ll_warning, lc_no_context,
+ "Couldn't determine gid for user '" + reduced_username() + "'");
+ _imp->reduced_gid.reset(new gid_t(getgid()));
+ }
+ else
+ _imp->reduced_gid.reset(new gid_t(p->pw_gid));
+ }
+
+ return *_imp->reduced_gid;
+}
+
+std::string
+DefaultConfig::reduced_username() const
+{
+ return "paludisbuild";
+}
+
diff --git a/paludis/environment/default/default_config.hh b/paludis/environment/default/default_config.hh
index eb3fe08..3503e0b 100644
--- a/paludis/environment/default/default_config.hh
+++ b/paludis/environment/default/default_config.hh
@@ -254,6 +254,15 @@ namespace paludis
*/
std::string root() const;
+ ///\name Userpriv
+ ///\{
+
+ uid_t reduced_uid() const;
+ gid_t reduced_gid() const;
+ std::string reduced_username() const;
+
+ ///\}
+
/**
* The config directory.
*/
diff --git a/paludis/environment/default/default_environment.cc b/paludis/environment/default/default_environment.cc
index 5fbaf7a..379ee48 100644
--- a/paludis/environment/default/default_environment.cc
+++ b/paludis/environment/default/default_environment.cc
@@ -789,3 +789,23 @@ DefaultEnvironment::root() const
return DefaultConfig::get_instance()->root();
}
+uid_t
+DefaultEnvironment::reduced_uid() const
+{
+ uid_t u(getuid());
+ if (0 == u)
+ return DefaultConfig::get_instance()->reduced_uid();
+ else
+ return u;
+}
+
+gid_t
+DefaultEnvironment::reduced_gid() const
+{
+ gid_t g(getgid());
+ if (0 == g)
+ return DefaultConfig::get_instance()->reduced_gid();
+ else
+ return g;
+}
+
diff --git a/paludis/environment/default/default_environment.hh b/paludis/environment/default/default_environment.hh
index fab2bee..f8650db 100644
--- a/paludis/environment/default/default_environment.hh
+++ b/paludis/environment/default/default_environment.hh
@@ -86,6 +86,9 @@ namespace paludis
virtual MirrorIterator end_mirrors(const std::string & mirror) const;
virtual FSEntry root() const;
+
+ virtual uid_t reduced_uid() const;
+ virtual gid_t reduced_gid() const;
};
}
#endif
diff --git a/paludis/repositories/gentoo/ebuild.cc b/paludis/repositories/gentoo/ebuild.cc
index cab971b..14b0741 100644
--- a/paludis/repositories/gentoo/ebuild.cc
+++ b/paludis/repositories/gentoo/ebuild.cc
@@ -167,7 +167,8 @@ EbuildMetadataCommand::failure()
Command
EbuildMetadataCommand::extend_command(const Command & cmd)
{
- return cmd;
+ return Command(cmd)
+ .with_uid_gid(params.environment->reduced_uid(), params.environment->reduced_gid());
}
bool
@@ -240,7 +241,9 @@ EbuildVariableCommand::failure()
Command
EbuildVariableCommand::extend_command(const Command & cmd)
{
- return Command(cmd).with_setenv("PALUDIS_VARIABLE", _var);
+ return Command(cmd)
+ .with_setenv("PALUDIS_VARIABLE", _var)
+ .with_uid_gid(params.environment->reduced_uid(), params.environment->reduced_gid());
}
bool
@@ -283,7 +286,8 @@ EbuildFetchCommand::extend_command(const Command & cmd)
.with_setenv("PALUDIS_USE_SAFE_RESUME", fetch_params.safe_resume ? "oohyesplease" : "")
.with_setenv("PALUDIS_PROFILE_DIR", stringify(*fetch_params.profiles->begin()))
.with_setenv("PALUDIS_PROFILE_DIRS", join(fetch_params.profiles->begin(),
- fetch_params.profiles->end(), " ")));
+ fetch_params.profiles->end(), " "))
+ .with_uid_gid(params.environment->reduced_uid(), params.environment->reduced_gid()));
for (AssociativeCollection<std::string, std::string>::Iterator
i(fetch_params.expand_vars->begin()),
diff --git a/paludis/util/pstream.cc b/paludis/util/pstream.cc
index 63a725c..9000542 100644
--- a/paludis/util/pstream.cc
+++ b/paludis/util/pstream.cc
@@ -102,7 +102,7 @@ PStreamInBuf::PStreamInBuf(const Command & cmd) :
close(PStream::stderr_close_fd);
}
- if (cmd.gid())
+ if (cmd.gid() && *cmd.gid() != getgid())
{
gid_t g(*cmd.gid());
@@ -116,7 +116,7 @@ PStreamInBuf::PStreamInBuf(const Command & cmd) :
extras.append(" [setgid " + stringify(*cmd.gid()) + "]");
}
- if (cmd.uid())
+ if (cmd.uid() && *cmd.uid() != getuid())
{
if (0 != ::setuid(*cmd.uid()))
Log::get_instance()->message(ll_warning, lc_context, "setuid("
diff --git a/paludis/util/system.cc b/paludis/util/system.cc
index 8abc769..8223d3e 100644
--- a/paludis/util/system.cc
+++ b/paludis/util/system.cc
@@ -286,7 +286,7 @@ paludis::run_command(const Command & cmd)
close(stderr_close_fd);
}
- if (cmd.gid())
+ if (cmd.gid() && *cmd.gid() != getgid())
{
gid_t g(*cmd.gid());
@@ -300,7 +300,7 @@ paludis::run_command(const Command & cmd)
extras.append(" [setgid " + stringify(*cmd.gid()) + "]");
}
- if (cmd.uid())
+ if (cmd.uid() && *cmd.uid() != getuid())
{
if (0 != ::setuid(*cmd.uid()))
Log::get_instance()->message(ll_warning, lc_context, "setuid("