Beispiel #1
0
func TestRuleAddAndLoad(t *testing.T) {
	// Test #1: Add a trivial filter
	filter1, err := NewFilter(ActAllow)
	if err != nil {
		t.Errorf("Error creating filter: %s", err)
	}
	defer filter1.Release()

	call, err := GetSyscallFromName("getpid")
	if err != nil {
		t.Errorf("Error getting syscall number of getpid: %s", err)
	}

	call2, err := GetSyscallFromName("setreuid")
	if err != nil {
		t.Errorf("Error getting syscall number of setreuid: %s", err)
	}

	uid := syscall.Getuid()
	euid := syscall.Geteuid()

	err = filter1.AddRule(call, ActErrno.SetReturnCode(0x1))
	if err != nil {
		t.Errorf("Error adding rule to restrict syscall: %s", err)
	}

	cond, err := MakeCondition(1, CompareEqual, uint64(euid))
	if err != nil {
		t.Errorf("Error making rule to restrict syscall: %s", err)
	}

	cond2, err := MakeCondition(0, CompareEqual, uint64(uid))
	if err != nil {
		t.Errorf("Error making rule to restrict syscall: %s", err)
	}

	conditions := []ScmpCondition{cond, cond2}

	err = filter1.AddRuleConditional(call2, ActErrno.SetReturnCode(0x2), conditions)
	if err != nil {
		t.Errorf("Error adding conditional rule: %s", err)
	}

	err = filter1.Load()
	if err != nil {
		t.Errorf("Error loading filter: %s", err)
	}

	// Try making a simple syscall, it should error
	pid := syscall.Getpid()
	if pid != -1 {
		t.Errorf("Syscall should have returned error code!")
	}

	// Try making a Geteuid syscall that should normally succeed
	err = syscall.Setreuid(uid, euid)
	if err != syscall.Errno(2) {
		t.Errorf("Syscall should have returned error code!")
	}
}
Beispiel #2
0
func setuid(username string) {
	usr, err := user.Lookup(username)
	checkFatal(err)
	uid, err := strconv.Atoi(usr.Uid)
	checkFatal(err)
	err = syscall.Setreuid(uid, uid)
	checkFatal(err)
}
Beispiel #3
0
// Change effective run permissions to settings.AdminUID
func AdminOn() error {
	origUID = syscall.Geteuid()
	// note that Setuid equiv seems buggy, Setreuid is solid currently
	if err := syscall.Setreuid(s.AdminUID, s.AdminUID); err != nil {
		return err
	}
	return nil
}
Beispiel #4
0
func setUserId() {
	userName := beego.AppConfig.String("user")
	u, err := user.Lookup(userName)
	if err != nil {
		fmt.Println("user config:", err)
		return
	}

	gid, _ := strconv.ParseInt(u.Gid, 0, 0)
	uid, _ := strconv.ParseInt(u.Uid, 0, 0)
	if err := syscall.Setregid(int(gid), int(gid)); err != nil {
		fmt.Println("setregid:", err)
	}
	if err := syscall.Setreuid(int(uid), int(uid)); err != nil {
		fmt.Println("setreuid:", err)
	}
}
Beispiel #5
0
// darwin doesn't seem to have saved UIDs, so use setreuid
func setresuid(ruid, euid, suid int) error {
	return syscall.Setreuid(ruid, euid)
}
Beispiel #6
0
func main() {
	flag.Usage = usage

	var helpFlag_p = flag.Bool("h", false, "help")
	var versionFlag_p = flag.Bool("v", false, "version")
	flag.Parse()

	if *helpFlag_p {
		usage()
		os.Exit(0)
	} else if *versionFlag_p {
		fmt.Printf("%v\n", jobber.LongVersionStr())
		os.Exit(0)
	} else {
		if len(flag.Args()) == 0 {
			fmt.Fprintf(os.Stderr, "Please specify a command.\n\n")
			flag.Usage()
			os.Exit(1)
		}

		// make sure the daemon is running
		if _, err := os.Stat(jobber.DaemonSocketAddr); os.IsNotExist(err) {
			if flag.Arg(0) == StopCmdStr {
				os.Exit(0)
			} else {
				fmt.Fprintf(os.Stderr, "jobberd isn't running.\n")
				os.Exit(1)
			}
		}

		// connect to daemon
		addr, err := net.ResolveUnixAddr("unix", jobber.DaemonSocketAddr)
		if err != nil {
			fmt.Fprintf(os.Stderr, "Couldn't resolve Unix addr: %v\n", err)
			os.Exit(1)
		}
		conn, err := net.DialUnix("unix", nil, addr)
		if err != nil {
			fmt.Fprintf(os.Stderr, "Couldn't connect to daemon: %v\n", err)
			os.Exit(1)
		}
		defer conn.Close()
		rpcClient := rpc.NewClient(conn)
		if err != nil {
			fmt.Fprintf(os.Stderr, "Couldn't make RPC client: %v\n", err)
			os.Exit(1)
		}

		// drop privileges
		err = syscall.Setreuid(syscall.Getuid(), syscall.Getuid())
		if err != nil {
			fmt.Fprintf(os.Stderr, "Couldn't drop privileges: %v\n", err)
			os.Exit(1)
		}

		// get current username
		user, err := user.Current()
		if err != nil {
			fmt.Fprintf(os.Stderr, "Couldn't get current user: %v\n", err)
			os.Exit(1)
		}

		// do command
		switch flag.Arg(0) {
		case ListCmdStr:
			doListCmd(flag.Args()[1:], rpcClient, user)

		case LogCmdStr:
			doLogCmd(flag.Args()[1:], rpcClient, user)

		case ReloadCmdStr:
			doReloadCmd(flag.Args()[1:], rpcClient, user)

		case StopCmdStr:
			var result string
			arg := jobber.IpcArg{User: user.Username, ForAllUsers: false}
			err = rpcClient.Call("RealIpcServer.Stop", arg, &result)
			if err != nil {
				fmt.Fprintf(os.Stderr, "%v\n", err)
				os.Exit(1)
			}

		case TestCmdStr:
			doTestCmd(flag.Args()[1:], rpcClient, user)

		case CatCmdStr:
			doCatCmd(flag.Args()[1:], rpcClient, user)

		default:
			fmt.Fprintf(os.Stderr, "Invalid command: \"%v\".\n", flag.Arg(0))
			flag.Usage()
			os.Exit(1)
		}
	}
}
Beispiel #7
0
func dropRoot() {
	if hasRoot && syscall.Geteuid() != realUid {
		e := syscall.Setreuid(-1, realUid)
		fatalErr(e)
	}
}
Beispiel #8
0
func becomeRoot() {
	if hasRoot && syscall.Geteuid() != 0 {
		e := syscall.Setreuid(-1, 0)
		fatalErr(e)
	}
}
Beispiel #9
0
func setAllUid(uid int) error {
	return syscall.Setreuid(uid, uid)
}
Beispiel #10
0
// Change effective run permissions back to read uid
func AdminOff() error {
	if err := syscall.Setreuid(origUID, origUID); err != nil {
		return err
	}
	return nil
}