Ejemplo n.º 1
0
func isSupportedSyzkall(kallsyms []byte, c *sys.Call) bool {
	switch c.CallName {
	case "syz_open_dev":
		ptr, ok := c.Args[0].(sys.PtrType)
		if !ok {
			panic("first open arg is not a pointer")
		}
		fname, ok := ptr.Type.(sys.StrConstType)
		if !ok {
			panic("first open arg is not a pointer to string const")
		}
		if syscall.Getuid() != 0 {
			return false
		}
		dev := strings.Replace(fname.Val, "#", "0", 1)
		_, err := os.Stat(dev)
		return err == nil
	case "syz_open_pts":
		return true
	case "syz_fuse_mount":
		_, err := os.Stat("/dev/fuse")
		return err == nil
	case "syz_fuseblk_mount":
		_, err := os.Stat("/dev/fuse")
		return err == nil && syscall.Getuid() == 0
	default:
		panic("unknown syzkall: " + c.Name)
	}
}
Ejemplo n.º 2
0
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}
	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}
	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}

	execUser, err := user.GetExecUserPath(u, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return fmt.Errorf("get supplementary groups %s", err)
	}

	// if not root - check uid/gid by hand if seccomp is not working
	if syscall.Geteuid() > 0 && (execUser.Uid <= MIN_UID || execUser.Gid <= MIN_GID) {
		return fmt.Errorf("Invalid UID or GID")
	}

	// set supplementary groups
	if err := syscall.Setgroups(execUser.Sgids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}

	// set gid
	if err := system.Setgid(execUser.Gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}

	// check if setgid is successfull
	if syscall.Getgid() != execUser.Gid {
		return fmt.Errorf("setgid failed")
	}

	// set uid
	if err := system.Setuid(execUser.Uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}

	// check if setuid is successful
	if syscall.Getuid() != execUser.Uid {
		return fmt.Errorf("setuid failed")
	}

	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return fmt.Errorf("set HOME %s", err)
		}
	}
	return nil
}
Ejemplo n.º 3
0
func (d *Driver) Create() error {
	b2dutils := mcnutils.NewB2dUtils(d.StorePath)
	if err := b2dutils.CopyIsoToMachineDir(d.Boot2DockerURL, d.MachineName); err != nil {
		return err
	}

	log.Infof("Creating VM...")
	if err := os.MkdirAll(d.ResolveStorePath("."), 0755); err != nil {
		return err
	}

	log.Infof("Extracting vmlinuz64 and initrd.img from %s...", isoFilename)
	if err := d.extractKernelImages(); err != nil {
		return err
	}

	log.Infof("Generating %dMB disk image...", d.DiskSize)
	if err := d.generateDiskImage(d.DiskSize); err != nil {
		return err
	}

	// Fix file permission root to current user for vmnet.framework
	log.Infof("Fix file permission...")
	os.Chown(d.ResolveStorePath("."), syscall.Getuid(), syscall.Getegid())
	files, _ := ioutil.ReadDir(d.ResolveStorePath("."))
	for _, f := range files {
		log.Debugf(d.ResolveStorePath(f.Name()))
		os.Chown(d.ResolveStorePath(f.Name()), syscall.Getuid(), syscall.Getegid())
	}

	log.Infof("Generate UUID...")
	d.UUID = uuidgen()
	log.Debugf("Generated UUID: %s", d.UUID)

	log.Infof("Convert UUID to MAC address...")
	rawUUID, err := d.getMACAdress()
	if err != nil {
		return err
	}
	d.MacAddr = trimMacAddress(rawUUID)
	log.Debugf("Converted MAC address: %s", d.MacAddr)

	log.Infof("Starting %s...", d.MachineName)
	if err := d.Start(); err != nil {
		return err
	}

	// Setup NFS sharing
	if d.NFSShare {
		log.Infof("NFS share folder must be root. Please insert root password.")
		err = d.setupNFSShare()
		if err != nil {
			log.Errorf("NFS setup failed: %s", err.Error())
		}
	}

	return nil
}
Ejemplo n.º 4
0
func TestCurrent(t *testing.T) {
	uid := strconv.Itoa(syscall.Getuid())
	users := []string{
		fmt.Sprintf("current:*:%s:%s:Current User:/home/current:/bin/bash", uid, uid),
	}
	db, err := newUserDatabase(users)
	if err != nil {
		t.Error(err)
	}
	defer os.Remove(db)
	userDatabase = db
	want := &User{
		Username: "******",
		Uid:      uid,
		Gid:      uid,
		Name:     "Current User",
		HomeDir:  "/home/current",
	}
	got, err := Current()
	if err != nil {
		t.Error(err)
	}
	if !reflect.DeepEqual(want, got) {
		t.Errorf("want %v, got %v", want, got)
	}
}
Ejemplo n.º 5
0
func setupUser(container *libcontainer.Container) error {
	switch container.User {
	case "root", "":
		if err := system.Setgroups(nil); err != nil {
			return err
		}
		if err := system.Setresgid(0, 0, 0); err != nil {
			return err
		}
		if err := system.Setresuid(0, 0, 0); err != nil {
			return err
		}
	default:
		uid, gid, suppGids, err := user.GetUserGroupSupplementary(container.User, syscall.Getuid(), syscall.Getgid())
		if err != nil {
			return err
		}
		if err := system.Setgroups(suppGids); err != nil {
			return err
		}
		if err := system.Setgid(gid); err != nil {
			return err
		}
		if err := system.Setuid(uid); err != nil {
			return err
		}
	}
	return nil
}
Ejemplo n.º 6
0
Archivo: vicadm.go Proyecto: vmware/vic 
func init() {
	defer trace.End(trace.Begin(""))
	trace.Logger.Level = log.DebugLevel
	_ = pprof.StartPprof("vicadmin", pprof.VicadminPort)

	// We don't want to run this as root.
	ud := syscall.Getuid()
	gd := syscall.Getgid()
	log.Info(fmt.Sprintf("Current UID/GID = %d/%d", ud, gd))
	// TODO: Enable this after we figure out to NOT break the test suite with it.
	// if ud == 0 {
	// log.Errorf("Error: vicadmin must not run as root.")
	// time.Sleep(60 * time.Second)
	// os.Exit(1)
	// }

	flag.StringVar(&rootConfig.addr, "l", "client.localhost:2378", "Listen address")

	// TODO: This should all be pulled from the config
	flag.StringVar(&rootConfig.DatacenterPath, "dc", "", "Path of the datacenter")
	flag.StringVar(&rootConfig.ClusterPath, "cluster", "", "Path of the cluster")
	flag.StringVar(&rootConfig.PoolPath, "pool", "", "Path of the resource pool")

	// load the vch config
	src, err := extraconfig.GuestInfoSource()
	if err != nil {
		log.Errorf("Unable to load configuration from guestinfo")
		return
	}

	extraconfig.Decode(src, &vchConfig)

	// FIXME: pull the rest from flags
	flag.Parse()
}
Ejemplo n.º 7
0
func TestRuleAddAndLoad(t *testing.T) {
	// Test #1: Add a trivial filter
	filter1, err := NewFilter(ActAllow)
	if err != nil {
		t.Errorf("Error creating filter: %s", err)
	}
	defer filter1.Release()

	call, err := GetSyscallFromName("getpid")
	if err != nil {
		t.Errorf("Error getting syscall number of getpid: %s", err)
	}

	call2, err := GetSyscallFromName("setreuid")
	if err != nil {
		t.Errorf("Error getting syscall number of setreuid: %s", err)
	}

	uid := syscall.Getuid()
	euid := syscall.Geteuid()

	err = filter1.AddRule(call, ActErrno.SetReturnCode(0x1))
	if err != nil {
		t.Errorf("Error adding rule to restrict syscall: %s", err)
	}

	cond, err := MakeCondition(1, CompareEqual, uint64(euid))
	if err != nil {
		t.Errorf("Error making rule to restrict syscall: %s", err)
	}

	cond2, err := MakeCondition(0, CompareEqual, uint64(uid))
	if err != nil {
		t.Errorf("Error making rule to restrict syscall: %s", err)
	}

	conditions := []ScmpCondition{cond, cond2}

	err = filter1.AddRuleConditional(call2, ActErrno.SetReturnCode(0x2), conditions)
	if err != nil {
		t.Errorf("Error adding conditional rule: %s", err)
	}

	err = filter1.Load()
	if err != nil {
		t.Errorf("Error loading filter: %s", err)
	}

	// Try making a simple syscall, it should error
	pid := syscall.Getpid()
	if pid != -1 {
		t.Errorf("Syscall should have returned error code!")
	}

	// Try making a Geteuid syscall that should normally succeed
	err = syscall.Setreuid(uid, euid)
	if err != syscall.Errno(2) {
		t.Errorf("Syscall should have returned error code!")
	}
}
Ejemplo n.º 8
0
func NewTarWriter(name string, w io.Writer) *TarWriter {
	return &TarWriter{
		Writer: tar.NewWriter(w),
		uid:    syscall.Getuid(),
		name:   name,
	}
}
Ejemplo n.º 9
0
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
	uid, gid, suppGids, home, err := user.GetUserGroupSupplementaryHome(u, syscall.Getuid(), syscall.Getgid(), "/")
	if err != nil {
		return fmt.Errorf("get supplementary groups %s", err)
	}

	if err := syscall.Setgroups(suppGids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}

	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}

	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}

	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", home); err != nil {
			return fmt.Errorf("set HOME %s", err)
		}
	}

	return nil
}
Ejemplo n.º 10
0
func mkKindiDir(path string) (string, error) {
	var name string

	if len(path) == 0 || path == "~/.kindi" {
		uid := syscall.Getuid()
		uid_str := strconv.Itoa(uid)
		u, err := user.LookupId(uid_str)
		if err != nil {
			return "", err
		}
		if e, g := uid_str, u.Uid; e != g {
			return "", fmt.Errorf("expected Uid of %d; got %d", e, g)
		}
		fi, err := os.Stat(u.HomeDir)
		if err != nil || !fi.IsDir() {
			return "", fmt.Errorf("expected a valid HomeDir; stat(%q): err=%v, IsDirectory=%v", err, fi.IsDir())
		}

		name = filepath.Join(u.HomeDir, ".kindi")
	} else {
		name = path
	}

	err := os.Mkdir(name, 0700)
	if err != nil {
		if pe, ok := err.(*os.PathError); ok && pe.Err == syscall.EEXIST {
			return name, nil
		}
		return "", err
	}
	return name, nil
}
Ejemplo n.º 11
0
func TestLookup(t *testing.T) {
	if skip(t) {
		return
	}

	// Test LookupId on the current user
	uid := syscall.Getuid()
	u, err := LookupId(uid)
	if err != nil {
		t.Fatalf("LookupId: %v", err)
	}
	if e, g := uid, u.Uid; e != g {
		t.Errorf("expected Uid of %d; got %d", e, g)
	}
	fi, err := os.Stat(u.HomeDir)
	if err != nil || !fi.IsDirectory() {
		t.Errorf("expected a valid HomeDir; stat(%q): err=%v, IsDirectory=%v", u.HomeDir, err, fi.IsDirectory())
	}
	if u.Username == "" {
		t.Fatalf("didn't get a username")
	}

	// Test Lookup by username, using the username from LookupId
	un, err := Lookup(u.Username)
	if err != nil {
		t.Fatalf("Lookup: %v", err)
	}
	if !reflect.DeepEqual(u, un) {
		t.Errorf("Lookup by userid vs. name didn't match\n"+
			"LookupId(%d): %#v\n"+
			"Lookup(%q): %#v\n", uid, u, u.Username, un)
	}
}
Ejemplo n.º 12
0
func (d *Driver) CopyIsoToMachineDir(isoURL, machineName string) error {
	b2d := b2d.NewB2dUtils(d.StorePath)
	mcnutils := mcnutils.NewB2dUtils(d.StorePath)

	if err := d.UpdateISOCache(isoURL); err != nil {
		return err
	}

	isoPath := filepath.Join(b2d.ImgCachePath, isoFilename)
	if isoStat, err := os.Stat(isoPath); err == nil {
		if int(isoStat.Sys().(*syscall.Stat_t).Uid) == 0 {
			log.Debugf("Fix %s file permission...", isoStat.Name())
			os.Chown(isoPath, syscall.Getuid(), syscall.Getegid())
		}
	}

	// TODO: This is a bit off-color.
	machineDir := filepath.Join(d.StorePath, "machines", machineName)
	machineIsoPath := filepath.Join(machineDir, isoFilename)

	// By default just copy the existing "cached" iso to the machine's directory...
	defaultISO := filepath.Join(b2d.ImgCachePath, defaultISOFilename)
	if isoURL == "" {
		log.Infof("Copying %s to %s...", defaultISO, machineIsoPath)
		return CopyFile(defaultISO, machineIsoPath)
	}

	// if ISO is specified, check if it matches a github releases url or fallback to a direct download
	downloadURL, err := b2d.GetReleaseURL(isoURL)
	if err != nil {
		return err
	}

	return mcnutils.DownloadISO(machineDir, b2d.Filename(), downloadURL)
}
Ejemplo n.º 13
0
func TestStatFile(t *testing.T) {
	tmp := tempdir.New(t)
	defer tmp.Cleanup()
	app := bazfstestutil.NewApp(t, tmp.Subdir("data"))
	defer app.Close()
	bazfstestutil.CreateVolume(t, app, "default")

	mnt := bazfstestutil.Mounted(t, app, "default")
	defer mnt.Close()

	p := path.Join(mnt.Dir, "hello")
	f, err := os.Create(p)
	if err != nil {
		t.Fatalf("cannot create hello: %v", err)
	}
	defer f.Close()
	GREETING := "hello, world\n"
	n, err := f.Write([]byte(GREETING))
	if err != nil {
		t.Fatalf("cannot write to hello: %v", err)
	}
	if n != len(GREETING) {
		t.Fatalf("bad length write to hello: %d != %d", n, len(GREETING))
	}
	err = f.Close()
	if err != nil {
		t.Fatalf("closing hello failed: %v", err)
	}

	fi, err := os.Stat(p)
	if err != nil {
		t.Fatalf("cannot stat hello: %v", err)
	}
	mode := fi.Mode()
	if (mode & os.ModeType) != 0 {
		t.Errorf("hello is not a file: %#v", fi)
	}
	if mode.Perm() != 0644 {
		t.Errorf("file has weird access mode: %v", mode.Perm())
	}
	switch stat := fi.Sys().(type) {
	case *syscall.Stat_t:
		if stat.Nlink != 1 {
			t.Errorf("file has wrong link count: %v", stat.Nlink)
		}
		if stat.Uid != uint32(syscall.Getuid()) {
			t.Errorf("file has wrong uid: %d", stat.Uid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("file has wrong gid: %d", stat.Gid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("file has wrong gid: %d", stat.Gid)
		}
	}
	if fi.Size() != int64(len(GREETING)) {
		t.Errorf("file has wrong size: %d != %d", fi.Size(), len(GREETING))
	}
}
Ejemplo n.º 14
0
func NewTarWriter(name string, w io.Writer, progress ProgressBar) *TarWriter {
	return &TarWriter{
		Writer:   tar.NewWriter(w),
		uid:      syscall.Getuid(),
		name:     name,
		progress: progress,
	}
}
Ejemplo n.º 15
0
// Checks if it is possible to activate the mitigation.
func CanActivate() bool {
	if runtime.GOOS == "windows" {
		return false
	}

	uid := syscall.Getuid()
	return uid == 0
}
Ejemplo n.º 16
0
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}
	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}
	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}
	execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return err
	}

	var addGroups []int
	if len(config.Config.AdditionalGroups) > 0 {
		addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
		if err != nil {
			return err
		}
	}
	// change the permissions on the STDIO of the current process so that when the user
	// is changed for the container, it's STDIO of the process matches the user.
	for _, fd := range []uintptr{
		os.Stdin.Fd(),
		os.Stderr.Fd(),
		os.Stdout.Fd(),
	} {
		if err := syscall.Fchown(int(fd), execUser.Uid, execUser.Gid); err != nil {
			return err
		}
	}
	suppGroups := append(execUser.Sgids, addGroups...)
	if err := syscall.Setgroups(suppGroups); err != nil {
		return err
	}

	if err := system.Setgid(execUser.Gid); err != nil {
		return err
	}
	if err := system.Setuid(execUser.Uid); err != nil {
		return err
	}
	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return err
		}
	}
	return nil
}
Ejemplo n.º 17
0
func DefaultBaseDirGet() string {
	uid := syscall.Getuid()
	u, err := user.LookupId(strconv.Itoa(uid))
	if err != nil {
		log.Printf("Error looking up user, %v\n", err)
		os.Exit(-2)
	}
	return u.HomeDir + _DEFAULT_USER_BASEDIR
}
Ejemplo n.º 18
0
func isSupportedSyzkall(c *sys.Call) bool {
	switch c.CallName {
	case "syz_test":
		return false
	case "syz_open_dev":
		ptr, ok := c.Args[0].(sys.PtrType)
		if !ok {
			return true
		}
		fname, ok := ptr.Type.(sys.StrConstType)
		if !ok {
			panic("first open arg is not a pointer to string const")
		}
		if syscall.Getuid() != 0 {
			return false
		}
		var check func(dev string) bool
		check = func(dev string) bool {
			if !strings.Contains(dev, "#") {
				_, err := os.Stat(dev)
				return err == nil
			}
			for i := 0; i < 10; i++ {
				if check(strings.Replace(dev, "#", strconv.Itoa(i), 1)) {
					return true
				}
			}
			return false
		}
		return check(fname.Val[:len(fname.Val)-1])
	case "syz_open_pts":
		return true
	case "syz_fuse_mount":
		_, err := os.Stat("/dev/fuse")
		return err == nil
	case "syz_fuseblk_mount":
		_, err := os.Stat("/dev/fuse")
		return err == nil && syscall.Getuid() == 0
	default:
		panic("unknown syzkall: " + c.Name)
	}
}
Ejemplo n.º 19
0
func TestSimple(t *testing.T) {
	tmp := tempdir.New(t)
	defer tmp.Cleanup()
	app := bazfstestutil.NewApp(t, tmp.Subdir("data"))
	defer app.Close()
	bazfstestutil.CreateVolume(t, app, "default")

	mnt := bazfstestutil.Mounted(t, app, "default")
	defer mnt.Close()

	fi, err := os.Stat(mnt.Dir)
	if err != nil {
		t.Fatalf("root getattr failed with %v", err)
	}
	mode := fi.Mode()
	if (mode & os.ModeType) != os.ModeDir {
		t.Errorf("root is not a directory: %#v", fi)
	}
	if mode.Perm() != 0755 {
		t.Errorf("root has weird access mode: %v", mode.Perm())
	}
	switch stat := fi.Sys().(type) {
	case *syscall.Stat_t:
		if stat.Nlink != 1 {
			t.Errorf("root has wrong link count: %v", stat.Nlink)
		}
		if stat.Uid != uint32(syscall.Getuid()) {
			t.Errorf("root has wrong uid: %d", stat.Uid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("root has wrong gid: %d", stat.Gid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("root has wrong gid: %d", stat.Gid)
		}
	}

	dirf, err := os.Open(mnt.Dir)
	if err != nil {
		t.Fatalf("cannot open root dir: %v", err)
	}
	defer dirf.Close()
	names, err := dirf.Readdirnames(10)
	if err != nil && err != io.EOF {
		t.Fatalf("cannot list root dir: %v", err)
	}
	if len(names) > 0 {
		t.Errorf("unexpected content in root dir: %v", names)
	}
	err = dirf.Close()
	if err != nil {
		t.Fatalf("closing root dir failed: %v", err)
	}
}
Ejemplo n.º 20
0
func setupHome(rw http.ResponseWriter, req *http.Request) {
	_, port, _ := net.SplitHostPort(*webserver.Listen)
	ourAddr := "127.0.0.1:" + port
	uid, err := netutil.AddrPairUserid(req.RemoteAddr, ourAddr)

	fmt.Fprintf(rw, "Hello %q\n", req.RemoteAddr)
	fmt.Fprintf(rw, "<p>uid = %d\n", syscall.Getuid())
	fmt.Fprintf(rw, "<p>euid = %d\n", syscall.Geteuid())

	fmt.Fprintf(rw, "<p>http_local_uid(%q => %q) = %d (%v)\n", req.RemoteAddr, ourAddr, uid, err)
}
Ejemplo n.º 21
0
// ShouldDropPrivs returns true if the application runs with sufficient
// privileges so that it should drop them
func ShouldDropPrivs() bool {
	if groups, err := syscall.Getgroups(); err == nil {
		for _, gid := range groups {
			if gid == 0 {
				return true
			}
		}
	}

	return syscall.Getuid() == 0 || syscall.Getgid() == 0

}
Ejemplo n.º 22
0
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}
	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}
	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}
	execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return err
	}

	/*	var addGroups []int
		if len(config.Config.AdditionalGroups) > 0 {
			addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
			if err != nil {
				return err
			}
		}*/
	// before we change to the container's user make sure that the processes STDIO
	// is correctly owned by the user that we are switching to.
	if err := fixStdioPermissions(execUser); err != nil {
		return err
	}
	/*
		suppGroups := append(execUser.Sgids, addGroups...)
			if err := syscall.Setgroups(suppGroups); err != nil {
				return err
			}*/

	if err := system.Setgid(execUser.Gid); err != nil {
		return err
	}
	if err := system.Setuid(execUser.Uid); err != nil {
		return err
	}
	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return err
		}
	}
	return nil
}
Ejemplo n.º 23
0
func getUsername(userFile string) (string, error) {
	users, err := passwd.ReadUsers(userFile)
	if err != nil {
		return "", err
	}

	name, found := users.NameForID(syscall.Getuid())
	if !found {
		return "", fmt.Errorf("could not find user in %s", userFile)
	}

	return name, nil
}
Ejemplo n.º 24
0
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
	uid, gid, suppGids, err := user.GetUserGroupSupplementary(u, syscall.Getuid(), syscall.Getgid())
	if err != nil {
		return fmt.Errorf("get supplementary groups %s", err)
	}
	if err := system.Setgroups(suppGids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}
	if err := system.Setgid(gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}
	if err := system.Setuid(uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}
	return nil
}
Ejemplo n.º 25
0
func init() {
	hasRoot = syscall.Geteuid() == 0

	sudoUid, ok := syscall.Getenv("SUDO_UID")
	if ok {
		var err error
		realUid, err = strconv.Atoi(sudoUid)
		if err != nil {
			fatalln("SUDO_UID", err)
		}
	} else {
		realUid = syscall.Getuid()
	}

	dropRoot()
}
Ejemplo n.º 26
0
func setupUser(container *libcontainer.Container) error {
	uid, gid, suppGids, err := user.GetUserGroupSupplementary(container.User, syscall.Getuid(), syscall.Getgid())
	if err != nil {
		return fmt.Errorf("GetUserGroupSupplementary %s", err)
	}
	if err := system.Setgroups(suppGids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}
	if err := system.Setgid(gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}
	if err := system.Setuid(uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}
	return nil
}
Ejemplo n.º 27
0
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}
	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}
	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}
	execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return err
	}

	var addGroups []int
	if len(config.Config.AdditionalGroups) > 0 {
		addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
		if err != nil {
			return err
		}
	}

	suppGroups := append(execUser.Sgids, addGroups...)
	if err := syscall.Setgroups(suppGroups); err != nil {
		return err
	}

	if err := system.Setgid(execUser.Gid); err != nil {
		return err
	}
	if err := system.Setuid(execUser.Uid); err != nil {
		return err
	}
	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return err
		}
	}
	return nil
}
Ejemplo n.º 28
0
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(container *libcontainer.Config) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}

	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}

	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}

	execUser, err := user.GetExecUserPath(container.User, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return fmt.Errorf("get supplementary groups %s", err)
	}

	suppGroups := append(execUser.Sgids, container.AdditionalGroups...)

	if err := syscall.Setgroups(suppGroups); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}

	if err := system.Setgid(execUser.Gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}

	if err := system.Setuid(execUser.Uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}

	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return fmt.Errorf("set HOME %s", err)
		}
	}

	return nil
}
Ejemplo n.º 29
0
func isSupportedSyzkall(kallsyms []byte, c *sys.Call) bool {
	switch c.CallName {
	case "syz_openpts":
		return true
	case "syz_dri_open":
		_, err := os.Stat("/dev/dri/card0")
		return err == nil
	case "syz_fuse_mount":
		_, err := os.Stat("/dev/fuse")
		return err == nil
	case "syz_fuseblk_mount":
		_, err := os.Stat("/dev/fuse")
		return err == nil && syscall.Getuid() == 0
	default:
		panic("unknown syzkall")
	}
}
Ejemplo n.º 30
0
func AddStringToTar(tw *tar.Writer, name, file string) error {
	hdr := &tar.Header{
		Name: name,
		Size: int64(len(file)),

		Mode: 0666,

		Uid: syscall.Getuid(),
		Gid: syscall.Getgid(),
	}
	if err := tw.WriteHeader(hdr); err != nil {
		return err
	}
	if _, err := tw.Write([]byte(file)); err != nil {
		return err
	}
	return nil
}