func TestStatFile(t *testing.T) {
tmp := tempdir.New(t)
defer tmp.Cleanup()
app := bazfstestutil.NewApp(t, tmp.Subdir("data"))
defer app.Close()
bazfstestutil.CreateVolume(t, app, "default")
mnt := bazfstestutil.Mounted(t, app, "default")
defer mnt.Close()
p := path.Join(mnt.Dir, "hello")
f, err := os.Create(p)
if err != nil {
t.Fatalf("cannot create hello: %v", err)
}
defer f.Close()
GREETING := "hello, world\n"
n, err := f.Write([]byte(GREETING))
if err != nil {
t.Fatalf("cannot write to hello: %v", err)
}
if n != len(GREETING) {
t.Fatalf("bad length write to hello: %d != %d", n, len(GREETING))
}
err = f.Close()
if err != nil {
t.Fatalf("closing hello failed: %v", err)
}
fi, err := os.Stat(p)
if err != nil {
t.Fatalf("cannot stat hello: %v", err)
}
mode := fi.Mode()
if (mode & os.ModeType) != 0 {
t.Errorf("hello is not a file: %#v", fi)
}
if mode.Perm() != 0644 {
t.Errorf("file has weird access mode: %v", mode.Perm())
}
switch stat := fi.Sys().(type) {
case *syscall.Stat_t:
if stat.Nlink != 1 {
t.Errorf("file has wrong link count: %v", stat.Nlink)
}
if stat.Uid != uint32(syscall.Getuid()) {
t.Errorf("file has wrong uid: %d", stat.Uid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("file has wrong gid: %d", stat.Gid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("file has wrong gid: %d", stat.Gid)
}
}
if fi.Size() != int64(len(GREETING)) {
t.Errorf("file has wrong size: %d != %d", fi.Size(), len(GREETING))
}
}
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(u, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return fmt.Errorf("get supplementary groups %s", err)
}
// if not root - check uid/gid by hand if seccomp is not working
if syscall.Geteuid() > 0 && (execUser.Uid <= MIN_UID || execUser.Gid <= MIN_GID) {
return fmt.Errorf("Invalid UID or GID")
}
// set supplementary groups
if err := syscall.Setgroups(execUser.Sgids); err != nil {
return fmt.Errorf("setgroups %s", err)
}
// set gid
if err := system.Setgid(execUser.Gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
// check if setgid is successfull
if syscall.Getgid() != execUser.Gid {
return fmt.Errorf("setgid failed")
}
// set uid
if err := system.Setuid(execUser.Uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
// check if setuid is successful
if syscall.Getuid() != execUser.Uid {
return fmt.Errorf("setuid failed")
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return fmt.Errorf("set HOME %s", err)
}
}
return nil
}
func TestSimple(t *testing.T) {
tmp := tempdir.New(t)
defer tmp.Cleanup()
app := bazfstestutil.NewApp(t, tmp.Subdir("data"))
defer app.Close()
bazfstestutil.CreateVolume(t, app, "default")
mnt := bazfstestutil.Mounted(t, app, "default")
defer mnt.Close()
fi, err := os.Stat(mnt.Dir)
if err != nil {
t.Fatalf("root getattr failed with %v", err)
}
mode := fi.Mode()
if (mode & os.ModeType) != os.ModeDir {
t.Errorf("root is not a directory: %#v", fi)
}
if mode.Perm() != 0755 {
t.Errorf("root has weird access mode: %v", mode.Perm())
}
switch stat := fi.Sys().(type) {
case *syscall.Stat_t:
if stat.Nlink != 1 {
t.Errorf("root has wrong link count: %v", stat.Nlink)
}
if stat.Uid != uint32(syscall.Getuid()) {
t.Errorf("root has wrong uid: %d", stat.Uid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("root has wrong gid: %d", stat.Gid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("root has wrong gid: %d", stat.Gid)
}
}
dirf, err := os.Open(mnt.Dir)
if err != nil {
t.Fatalf("cannot open root dir: %v", err)
}
defer dirf.Close()
names, err := dirf.Readdirnames(10)
if err != nil && err != io.EOF {
t.Fatalf("cannot list root dir: %v", err)
}
if len(names) > 0 {
t.Errorf("unexpected content in root dir: %v", names)
}
err = dirf.Close()
if err != nil {
t.Fatalf("closing root dir failed: %v", err)
}
}
func init() {
defer trace.End(trace.Begin(""))
trace.Logger.Level = log.DebugLevel
_ = pprof.StartPprof("vicadmin", pprof.VicadminPort)
// We don't want to run this as root.
ud := syscall.Getuid()
gd := syscall.Getgid()
log.Info(fmt.Sprintf("Current UID/GID = %d/%d", ud, gd))
// TODO: Enable this after we figure out to NOT break the test suite with it.
// if ud == 0 {
// log.Errorf("Error: vicadmin must not run as root.")
// time.Sleep(60 * time.Second)
// os.Exit(1)
// }
flag.StringVar(&rootConfig.addr, "l", "client.localhost:2378", "Listen address")
// TODO: This should all be pulled from the config
flag.StringVar(&rootConfig.DatacenterPath, "dc", "", "Path of the datacenter")
flag.StringVar(&rootConfig.ClusterPath, "cluster", "", "Path of the cluster")
flag.StringVar(&rootConfig.PoolPath, "pool", "", "Path of the resource pool")
// load the vch config
src, err := extraconfig.GuestInfoSource()
if err != nil {
log.Errorf("Unable to load configuration from guestinfo")
return
}
extraconfig.Decode(src, &vchConfig)
// FIXME: pull the rest from flags
flag.Parse()
}
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return err
}
var addGroups []int
if len(config.Config.AdditionalGroups) > 0 {
addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
if err != nil {
return err
}
}
// change the permissions on the STDIO of the current process so that when the user
// is changed for the container, it's STDIO of the process matches the user.
for _, fd := range []uintptr{
os.Stdin.Fd(),
os.Stderr.Fd(),
os.Stdout.Fd(),
} {
if err := syscall.Fchown(int(fd), execUser.Uid, execUser.Gid); err != nil {
return err
}
}
suppGroups := append(execUser.Sgids, addGroups...)
if err := syscall.Setgroups(suppGroups); err != nil {
return err
}
if err := system.Setgid(execUser.Gid); err != nil {
return err
}
if err := system.Setuid(execUser.Uid); err != nil {
return err
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return err
}
}
return nil
}
// ShouldDropPrivs returns true if the application runs with sufficient
// privileges so that it should drop them
func ShouldDropPrivs() bool {
if groups, err := syscall.Getgroups(); err == nil {
for _, gid := range groups {
if gid == 0 {
return true
}
}
}
return syscall.Getuid() == 0 || syscall.Getgid() == 0
}
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return err
}
/* var addGroups []int
if len(config.Config.AdditionalGroups) > 0 {
addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
if err != nil {
return err
}
}*/
// before we change to the container's user make sure that the processes STDIO
// is correctly owned by the user that we are switching to.
if err := fixStdioPermissions(execUser); err != nil {
return err
}
/*
suppGroups := append(execUser.Sgids, addGroups...)
if err := syscall.Setgroups(suppGroups); err != nil {
return err
}*/
if err := system.Setgid(execUser.Gid); err != nil {
return err
}
if err := system.Setuid(execUser.Uid); err != nil {
return err
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return err
}
}
return nil
}
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
uid, gid, suppGids, err := user.GetUserGroupSupplementary(u, syscall.Getuid(), syscall.Getgid())
if err != nil {
return fmt.Errorf("get supplementary groups %s", err)
}
if err := system.Setgroups(suppGids); err != nil {
return fmt.Errorf("setgroups %s", err)
}
if err := system.Setgid(gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
if err := system.Setuid(uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
return nil
}
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return err
}
var addGroups []int
if len(config.Config.AdditionalGroups) > 0 {
addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
if err != nil {
return err
}
}
suppGroups := append(execUser.Sgids, addGroups...)
if err := syscall.Setgroups(suppGroups); err != nil {
return err
}
if err := system.Setgid(execUser.Gid); err != nil {
return err
}
if err := system.Setuid(execUser.Uid); err != nil {
return err
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return err
}
}
return nil
}
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(container *libcontainer.Config) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(container.User, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return fmt.Errorf("get supplementary groups %s", err)
}
suppGroups := append(execUser.Sgids, container.AdditionalGroups...)
if err := syscall.Setgroups(suppGroups); err != nil {
return fmt.Errorf("setgroups %s", err)
}
if err := system.Setgid(execUser.Gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
if err := system.Setuid(execUser.Uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return fmt.Errorf("set HOME %s", err)
}
}
return nil
}
func AddStringToTar(tw *tar.Writer, name, file string) error {
hdr := &tar.Header{
Name: name,
Size: int64(len(file)),
Mode: 0666,
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
}
if err := tw.WriteHeader(hdr); err != nil {
return err
}
if _, err := tw.Write([]byte(file)); err != nil {
return err
}
return nil
}
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdFile, err := user.GetPasswdFile()
if err != nil {
return err
}
groupFile, err := user.GetGroupFile()
if err != nil {
return err
}
execUser, err := user.GetExecUserFile(u, &defaultExecUser, passwdFile, groupFile)
if err != nil {
return fmt.Errorf("get supplementary groups %s", err)
}
if err := syscall.Setgroups(execUser.Sgids); err != nil {
return fmt.Errorf("setgroups %s", err)
}
if err := system.Setgid(execUser.Gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
if err := system.Setuid(execUser.Uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return fmt.Errorf("set HOME %s", err)
}
}
return nil
}
func init() {
defer trace.End(trace.Begin(""))
trace.Logger.Level = log.DebugLevel
_ = pprof.StartPprof("vicadmin", pprof.VicadminPort)
// We don't want to run this as root.
ud := syscall.Getuid()
gd := syscall.Getgid()
log.Info(fmt.Sprintf("Current UID/GID = %d/%d", ud, gd))
// TODO: Enable this after we figure out to NOT break the test suite with it.
// if ud == 0 {
// log.Errorf("Error: vicadmin must not run as root.")
// time.Sleep(60 * time.Second)
// os.Exit(1)
// }
flag.StringVar(&config.addr, "l", ":2378", "Listen address")
flag.StringVar(&config.dockerHost, "docker-host", "127.0.0.1:2376", "Docker host")
flag.StringVar(&config.hostCertFile, "hostcert", "", "Host certificate file")
flag.StringVar(&config.hostKeyFile, "hostkey", "", "Host private key file")
flag.StringVar(&config.DatacenterPath, "dc", "", "Name of the Datacenter")
flag.StringVar(&config.DatastorePath, "ds", "", "Name of the Datastore")
flag.StringVar(&config.ClusterPath, "cluster", "", "Path of the cluster")
flag.StringVar(&config.PoolPath, "pool", "", "Path of the resource pool")
flag.BoolVar(&config.Insecure, "insecure", false, "Allow connection when sdk certificate cannot be verified")
flag.BoolVar(&config.tls, "tls", true, "Set to false to disable -hostcert and -hostkey and enable plain HTTP")
// This is only applicable for containers hosted under the VCH VM folder
// This will not function for vSAN
flag.StringVar(&config.vmPath, "vm-path", "", "Docker vm path")
flag.Parse()
// load the vch config
src, err := extraconfig.GuestInfoSource()
if err != nil {
log.Errorf("Unable to load configuration from guestinfo")
return
}
extraconfig.Decode(src, &vchConfig)
}
// Takes care of dropping privileges to the desired user
func changeUser(args *execdriver.InitArgs) error {
uid, gid, suppGids, err := user.GetUserGroupSupplementary(
args.User,
syscall.Getuid(), syscall.Getgid(),
)
if err != nil {
return err
}
if err := syscall.Setgroups(suppGids); err != nil {
return fmt.Errorf("Setgroups failed: %v", err)
}
if err := syscall.Setgid(gid); err != nil {
return fmt.Errorf("Setgid failed: %v", err)
}
if err := syscall.Setuid(uid); err != nil {
return fmt.Errorf("Setuid failed: %v", err)
}
return nil
}
func (db *DB) readDB(filename string) (r []string, err error) {
var fb []byte
func() {
gid := syscall.Getgid()
if setgid() != nil {
defer syscall.Setgid(gid)
}
fb, err = ioutil.ReadFile(filename)
}()
if err != nil {
return
}
if bytes.Compare(fb[0:8], []byte("\x00mlocate")) == 0 {
return db.readMlocateDB(fb)
}
return
}
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
execUser, err := getUser(u, &defaultExecUser)
if err != nil {
return err
}
if err := syscall.Setgroups(execUser.Sgids); err != nil {
return fmt.Errorf("setgroups %s", err)
}
if err := system.Setgid(execUser.Gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
if err := system.Setuid(execUser.Uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return fmt.Errorf("set HOME %s", err)
}
}
os.Setenv("USER", u)
return nil
}
// setupUser changes the groups, gid, and uid for the user inside the container
// copy from libcontainer, cause not it's private
func setupUser(userSpec string) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: syscall.Getuid(),
Gid: syscall.Getgid(),
Home: "/",
}
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
execUser, err := user.GetExecUserPath(userSpec, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return err
}
if err := syscall.Setgroups(execUser.Sgids); err != nil {
return err
}
if err := system.Setgid(execUser.Gid); err != nil {
return err
}
if err := system.Setuid(execUser.Uid); err != nil {
return err
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
return err
}
}
return nil
}
// Current returns the curreng group information (from getgid())
func Current() (*Group, error) {
return lookup(syscall.Getgid(), "", false)
}
func TestHello(t *testing.T) {
tmp := tempdir.New(t)
defer tmp.Cleanup()
filesys := setup_fs(t)
mnt, err := fstestutil.MountedT(t, filesys)
if err != nil {
t.Fatalf("Mount fail: %v\n", err)
}
defer mnt.Close()
fi, err := os.Stat(mnt.Dir)
if err != nil {
t.Fatalf("root getattr failed with %v", err)
}
mode := fi.Mode()
if (mode & os.ModeType) != os.ModeDir {
t.Errorf("root is not a directory: %#v", fi)
}
if mode.Perm() != 0555 {
t.Errorf("root has weird access mode: %v", mode.Perm())
}
switch stat := fi.Sys().(type) {
case *syscall.Stat_t:
if stat.Nlink != 1 {
t.Errorf("root has wrong link count: %v", stat.Nlink)
}
if stat.Uid != uint32(syscall.Getuid()) {
t.Errorf("root has wrong uid: %d", stat.Uid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("root has wrong gid: %d", stat.Gid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("root has wrong gid: %d", stat.Gid)
}
}
f, err := os.Create(path.Join(mnt.Dir, "does-not-exist-yet"))
if err == nil {
f.Close()
t.Errorf("root must be read-only")
} else if err.(*os.PathError).Err != syscall.EROFS {
t.Errorf("file create gave bad error: %v", err)
}
hello_path := path.Join(mnt.Dir, "hello")
fi, err = os.Stat(hello_path)
if err != nil {
t.Fatalf("hello getattr failed with %v", err)
}
if fi.Name() != "hello" {
t.Errorf("hello has weird name: %q", fi.Name())
}
if fi.Size() != 13 {
t.Errorf("hello has weird size: %v", fi.Size())
}
// if fi.ModTime() != TIME_1 {
// t.Errorf("hello has weird time: %v != %v", fi.ModTime(), TIME_1)
// }
mode = fi.Mode()
if (mode & os.ModeType) != 0 {
t.Errorf("hello is not a file: %#v", fi)
}
if mode.Perm() != 0444 {
t.Errorf("hello has weird access mode: %v", mode.Perm())
}
switch stat := fi.Sys().(type) {
case *syscall.Stat_t:
if stat.Nlink != 1 {
t.Errorf("hello has wrong link count: %v", stat.Nlink)
}
if stat.Uid != uint32(syscall.Getuid()) {
t.Errorf("hello has wrong uid: %d", stat.Uid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("hello has wrong gid: %d", stat.Gid)
}
if stat.Gid != uint32(syscall.Getgid()) {
t.Errorf("hello has wrong gid: %d", stat.Gid)
}
if stat.Blocks != 1 {
t.Errorf("hello has weird blockcount: %v", stat.Blocks)
}
}
f, err = os.Create(hello_path)
if err == nil {
f.Close()
t.Errorf("hello must be read-only")
} else if err.(*os.PathError).Err != syscall.EACCES {
t.Errorf("hello open for write gave bad error: %v", err)
}
f, err = os.Open(hello_path)
if err != nil {
t.Fatalf("hello open failed with %v", err)
}
buf, err := ioutil.ReadAll(f)
if err != nil {
t.Errorf("hello read failed with %v", err)
}
if string(buf) != GREETING {
t.Errorf("hello read wrong content: %q", string(buf))
}
err = f.Close()
if err != nil {
t.Fatalf("hello close failed with %v", err)
}
}
func isRoot() bool {
return syscall.Getuid() == 0 || syscall.Geteuid() == 0 ||
syscall.Getgid() == 0 || syscall.Getegid() == 0
}
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
uid, gid, suppGids, home, err := user.GetUserGroupSupplementaryHome(u, syscall.Getuid(), syscall.Getgid(), "/")
if err != nil {
return fmt.Errorf("get supplementary groups %s", err)
}
if err := syscall.Setgroups(suppGids); err != nil {
return fmt.Errorf("setgroups %s", err)
}
if err := syscall.Setgid(gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
if err := syscall.Setuid(uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", home); err != nil {
return fmt.Errorf("set HOME %s", err)
}
}
return nil
}
// Getgid returns the numeric group id of the caller.
func Getgid() int { return syscall.Getgid() }
// Activates the mitigation measurements.
func Activate(uid int, gid int, path string) {
if !CanActivate() {
panic("Cannot activate mitigation measurements!")
}
// chroot directory
err := syscall.Chroot(path)
if err != nil {
panic(err)
}
// change directory to new /
err = syscall.Chdir("/")
if err != nil {
panic(err)
}
// drop all other groups
err = syscall.Setgroups([]int{gid})
if err != nil {
panic(err)
}
// verify the empty group list
gids, err := syscall.Getgroups()
if err != nil {
panic("Could not read groups!")
}
if len(gids) > 1 {
panic("Could not drop groups!")
} else if len(gids) == 1 {
if gids[0] != gid {
panic("Could not drop foreign groups!")
}
}
// change group
err = syscall.Setgid(gid)
if err != nil {
panic(err)
}
// verify the group change
ngid := syscall.Getgid()
if ngid != gid {
panic("Could not change group id!")
}
// change user
err = syscall.Setuid(uid)
if err != nil {
panic(err)
}
// verify the user change
nuid := syscall.Getuid()
if nuid != uid {
panic("Could not change user id!")
}
// now drop all environment variables
os.Clearenv()
}
func setupUser(container *libcontainer.Container) error {
uid, gid, suppGids, err := user.GetUserGroupSupplementary(container.User, syscall.Getuid(), syscall.Getgid())
if err != nil {
return fmt.Errorf("GetUserGroupSupplementary %s", err)
}
if err := system.Setgroups(suppGids); err != nil {
return fmt.Errorf("setgroups %s", err)
}
if err := system.Setgid(gid); err != nil {
return fmt.Errorf("setgid %s", err)
}
if err := system.Setuid(uid); err != nil {
return fmt.Errorf("setuid %s", err)
}
return nil
}
func currentGroup() (*Group, error) {
return lookupUnixGroup(syscall.Getgid(), "", false, buildGroup)
}
// +build linux darwin
package overseer
//this file attempts to contain all posix
//specific stuff, that needs to be implemented
//in some other way on other OSs... TODO!
import (
"os/exec"
"syscall"
)
var (
supported = true
uid = syscall.Getuid()
gid = syscall.Getgid()
SIGUSR1 = syscall.SIGUSR1
SIGUSR2 = syscall.SIGUSR2
SIGTERM = syscall.SIGTERM
)
func move(dst, src string) error {
//HACK: we're shelling out to mv because linux
//throws errors when crossing device boundaryes.
//TODO see sys_posix_mv.go
return exec.Command("mv", src, dst).Run()
}
func unpackAndDropPrivs(snapFile, targetDir, rootDir string) error {
d, err := clickdeb.Open(snapFile)
if err != nil {
return err
}
defer d.Close()
if helpers.ShouldDropPrivs() {
var dropPrivsUser string
// first find out what user to use
passFile := passwdFile(rootDir, "passwd")
for _, dropPrivsUser = range dropPrivsUsers {
_, err := readUID(dropPrivsUser, passFile)
if err == nil {
break
}
}
// then get uid/gid
uid, err := readUID(dropPrivsUser, passFile)
if err != nil {
return err
}
groupFile := passwdFile(rootDir, "group")
gid, err := readUID(dropPrivsUser, groupFile)
if err != nil {
return err
}
if err := os.MkdirAll(targetDir, 0755); err != nil {
return err
}
if err := os.Chown(targetDir, uid, gid); err != nil {
return err
}
// Setuid and Setgid only apply to the current Linux thread, so make
// sure we don't get moved.
runtime.LockOSThread()
// run prctl(PR_SET_NO_NEW_PRIVS)
rc := C.prctl_no_new_privs()
if rc < 0 {
return fmt.Errorf("prctl(PR_SET_NO_NEW_PRIVS) failed with %v", rc)
}
if err := syscall.Setgroups([]int{gid}); err != nil {
return fmt.Errorf("Setgroups([]{%d}) call failed: %v", gid, err)
}
if err := setgid(gid); err != nil {
return fmt.Errorf("Setgid(%d) call failed: %v", gid, err)
}
if err := setuid(uid); err != nil {
return fmt.Errorf("Setuid(%d) call failed: %v", uid, err)
}
// extra paranoia
if syscall.Getuid() != uid || syscall.Getgid() != gid {
return fmt.Errorf("Dropping privileges failed, uid is %v, gid is %v", syscall.Getuid(), syscall.Getgid())
}
}
return d.UnpackAll(targetDir)
}
func currentGroup() (*Group, error) {
return lookupUnixGid(syscall.Getgid())
}
func setupUser(container *libcontainer.Container) error {
switch container.User {
case "root", "":
if err := system.Setgroups(nil); err != nil {
return err
}
if err := system.Setresgid(0, 0, 0); err != nil {
return err
}
if err := system.Setresuid(0, 0, 0); err != nil {
return err
}
default:
uid, gid, suppGids, err := user.GetUserGroupSupplementary(container.User, syscall.Getuid(), syscall.Getgid())
if err != nil {
return err
}
if err := system.Setgroups(suppGids); err != nil {
return err
}
if err := system.Setgid(gid); err != nil {
return err
}
if err := system.Setuid(uid); err != nil {
return err
}
}
return nil
}
// CurrentGroup looks up the current user's group by their primary group id's
// entry in /etc/passwd. If the group cannot be found (or there is no
// /etc/group file on the filesystem), then CurrentGroup returns an error.
func CurrentGroup() (Group, error) {
return LookupGid(syscall.Getgid())
}