Esempio n. 1
0
func TestStatFile(t *testing.T) {
	tmp := tempdir.New(t)
	defer tmp.Cleanup()
	app := bazfstestutil.NewApp(t, tmp.Subdir("data"))
	defer app.Close()
	bazfstestutil.CreateVolume(t, app, "default")

	mnt := bazfstestutil.Mounted(t, app, "default")
	defer mnt.Close()

	p := path.Join(mnt.Dir, "hello")
	f, err := os.Create(p)
	if err != nil {
		t.Fatalf("cannot create hello: %v", err)
	}
	defer f.Close()
	GREETING := "hello, world\n"
	n, err := f.Write([]byte(GREETING))
	if err != nil {
		t.Fatalf("cannot write to hello: %v", err)
	}
	if n != len(GREETING) {
		t.Fatalf("bad length write to hello: %d != %d", n, len(GREETING))
	}
	err = f.Close()
	if err != nil {
		t.Fatalf("closing hello failed: %v", err)
	}

	fi, err := os.Stat(p)
	if err != nil {
		t.Fatalf("cannot stat hello: %v", err)
	}
	mode := fi.Mode()
	if (mode & os.ModeType) != 0 {
		t.Errorf("hello is not a file: %#v", fi)
	}
	if mode.Perm() != 0644 {
		t.Errorf("file has weird access mode: %v", mode.Perm())
	}
	switch stat := fi.Sys().(type) {
	case *syscall.Stat_t:
		if stat.Nlink != 1 {
			t.Errorf("file has wrong link count: %v", stat.Nlink)
		}
		if stat.Uid != uint32(syscall.Getuid()) {
			t.Errorf("file has wrong uid: %d", stat.Uid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("file has wrong gid: %d", stat.Gid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("file has wrong gid: %d", stat.Gid)
		}
	}
	if fi.Size() != int64(len(GREETING)) {
		t.Errorf("file has wrong size: %d != %d", fi.Size(), len(GREETING))
	}
}
Esempio n. 2
0
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}
	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}
	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}

	execUser, err := user.GetExecUserPath(u, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return fmt.Errorf("get supplementary groups %s", err)
	}

	// if not root - check uid/gid by hand if seccomp is not working
	if syscall.Geteuid() > 0 && (execUser.Uid <= MIN_UID || execUser.Gid <= MIN_GID) {
		return fmt.Errorf("Invalid UID or GID")
	}

	// set supplementary groups
	if err := syscall.Setgroups(execUser.Sgids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}

	// set gid
	if err := system.Setgid(execUser.Gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}

	// check if setgid is successfull
	if syscall.Getgid() != execUser.Gid {
		return fmt.Errorf("setgid failed")
	}

	// set uid
	if err := system.Setuid(execUser.Uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}

	// check if setuid is successful
	if syscall.Getuid() != execUser.Uid {
		return fmt.Errorf("setuid failed")
	}

	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return fmt.Errorf("set HOME %s", err)
		}
	}
	return nil
}
Esempio n. 3
0
func TestSimple(t *testing.T) {
	tmp := tempdir.New(t)
	defer tmp.Cleanup()
	app := bazfstestutil.NewApp(t, tmp.Subdir("data"))
	defer app.Close()
	bazfstestutil.CreateVolume(t, app, "default")

	mnt := bazfstestutil.Mounted(t, app, "default")
	defer mnt.Close()

	fi, err := os.Stat(mnt.Dir)
	if err != nil {
		t.Fatalf("root getattr failed with %v", err)
	}
	mode := fi.Mode()
	if (mode & os.ModeType) != os.ModeDir {
		t.Errorf("root is not a directory: %#v", fi)
	}
	if mode.Perm() != 0755 {
		t.Errorf("root has weird access mode: %v", mode.Perm())
	}
	switch stat := fi.Sys().(type) {
	case *syscall.Stat_t:
		if stat.Nlink != 1 {
			t.Errorf("root has wrong link count: %v", stat.Nlink)
		}
		if stat.Uid != uint32(syscall.Getuid()) {
			t.Errorf("root has wrong uid: %d", stat.Uid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("root has wrong gid: %d", stat.Gid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("root has wrong gid: %d", stat.Gid)
		}
	}

	dirf, err := os.Open(mnt.Dir)
	if err != nil {
		t.Fatalf("cannot open root dir: %v", err)
	}
	defer dirf.Close()
	names, err := dirf.Readdirnames(10)
	if err != nil && err != io.EOF {
		t.Fatalf("cannot list root dir: %v", err)
	}
	if len(names) > 0 {
		t.Errorf("unexpected content in root dir: %v", names)
	}
	err = dirf.Close()
	if err != nil {
		t.Fatalf("closing root dir failed: %v", err)
	}
}
Esempio n. 4
0
File: vicadm.go Progetto: vmware/vic
func init() {
	defer trace.End(trace.Begin(""))
	trace.Logger.Level = log.DebugLevel
	_ = pprof.StartPprof("vicadmin", pprof.VicadminPort)

	// We don't want to run this as root.
	ud := syscall.Getuid()
	gd := syscall.Getgid()
	log.Info(fmt.Sprintf("Current UID/GID = %d/%d", ud, gd))
	// TODO: Enable this after we figure out to NOT break the test suite with it.
	// if ud == 0 {
	// log.Errorf("Error: vicadmin must not run as root.")
	// time.Sleep(60 * time.Second)
	// os.Exit(1)
	// }

	flag.StringVar(&rootConfig.addr, "l", "client.localhost:2378", "Listen address")

	// TODO: This should all be pulled from the config
	flag.StringVar(&rootConfig.DatacenterPath, "dc", "", "Path of the datacenter")
	flag.StringVar(&rootConfig.ClusterPath, "cluster", "", "Path of the cluster")
	flag.StringVar(&rootConfig.PoolPath, "pool", "", "Path of the resource pool")

	// load the vch config
	src, err := extraconfig.GuestInfoSource()
	if err != nil {
		log.Errorf("Unable to load configuration from guestinfo")
		return
	}

	extraconfig.Decode(src, &vchConfig)

	// FIXME: pull the rest from flags
	flag.Parse()
}
Esempio n. 5
0
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}
	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}
	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}
	execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return err
	}

	var addGroups []int
	if len(config.Config.AdditionalGroups) > 0 {
		addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
		if err != nil {
			return err
		}
	}
	// change the permissions on the STDIO of the current process so that when the user
	// is changed for the container, it's STDIO of the process matches the user.
	for _, fd := range []uintptr{
		os.Stdin.Fd(),
		os.Stderr.Fd(),
		os.Stdout.Fd(),
	} {
		if err := syscall.Fchown(int(fd), execUser.Uid, execUser.Gid); err != nil {
			return err
		}
	}
	suppGroups := append(execUser.Sgids, addGroups...)
	if err := syscall.Setgroups(suppGroups); err != nil {
		return err
	}

	if err := system.Setgid(execUser.Gid); err != nil {
		return err
	}
	if err := system.Setuid(execUser.Uid); err != nil {
		return err
	}
	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return err
		}
	}
	return nil
}
Esempio n. 6
0
// ShouldDropPrivs returns true if the application runs with sufficient
// privileges so that it should drop them
func ShouldDropPrivs() bool {
	if groups, err := syscall.Getgroups(); err == nil {
		for _, gid := range groups {
			if gid == 0 {
				return true
			}
		}
	}

	return syscall.Getuid() == 0 || syscall.Getgid() == 0

}
Esempio n. 7
0
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}
	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}
	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}
	execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return err
	}

	/*	var addGroups []int
		if len(config.Config.AdditionalGroups) > 0 {
			addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
			if err != nil {
				return err
			}
		}*/
	// before we change to the container's user make sure that the processes STDIO
	// is correctly owned by the user that we are switching to.
	if err := fixStdioPermissions(execUser); err != nil {
		return err
	}
	/*
		suppGroups := append(execUser.Sgids, addGroups...)
			if err := syscall.Setgroups(suppGroups); err != nil {
				return err
			}*/

	if err := system.Setgid(execUser.Gid); err != nil {
		return err
	}
	if err := system.Setuid(execUser.Uid); err != nil {
		return err
	}
	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return err
		}
	}
	return nil
}
Esempio n. 8
0
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
	uid, gid, suppGids, err := user.GetUserGroupSupplementary(u, syscall.Getuid(), syscall.Getgid())
	if err != nil {
		return fmt.Errorf("get supplementary groups %s", err)
	}
	if err := system.Setgroups(suppGids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}
	if err := system.Setgid(gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}
	if err := system.Setuid(uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}
	return nil
}
Esempio n. 9
0
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}
	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}
	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}
	execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return err
	}

	var addGroups []int
	if len(config.Config.AdditionalGroups) > 0 {
		addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
		if err != nil {
			return err
		}
	}

	suppGroups := append(execUser.Sgids, addGroups...)
	if err := syscall.Setgroups(suppGroups); err != nil {
		return err
	}

	if err := system.Setgid(execUser.Gid); err != nil {
		return err
	}
	if err := system.Setuid(execUser.Uid); err != nil {
		return err
	}
	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return err
		}
	}
	return nil
}
Esempio n. 10
0
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(container *libcontainer.Config) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}

	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}

	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}

	execUser, err := user.GetExecUserPath(container.User, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return fmt.Errorf("get supplementary groups %s", err)
	}

	suppGroups := append(execUser.Sgids, container.AdditionalGroups...)

	if err := syscall.Setgroups(suppGroups); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}

	if err := system.Setgid(execUser.Gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}

	if err := system.Setuid(execUser.Uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}

	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return fmt.Errorf("set HOME %s", err)
		}
	}

	return nil
}
Esempio n. 11
0
func AddStringToTar(tw *tar.Writer, name, file string) error {
	hdr := &tar.Header{
		Name: name,
		Size: int64(len(file)),

		Mode: 0666,

		Uid: syscall.Getuid(),
		Gid: syscall.Getgid(),
	}
	if err := tw.WriteHeader(hdr); err != nil {
		return err
	}
	if _, err := tw.Write([]byte(file)); err != nil {
		return err
	}
	return nil
}
Esempio n. 12
0
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}

	passwdFile, err := user.GetPasswdFile()
	if err != nil {
		return err
	}

	groupFile, err := user.GetGroupFile()
	if err != nil {
		return err
	}

	execUser, err := user.GetExecUserFile(u, &defaultExecUser, passwdFile, groupFile)
	if err != nil {
		return fmt.Errorf("get supplementary groups %s", err)
	}

	if err := syscall.Setgroups(execUser.Sgids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}

	if err := system.Setgid(execUser.Gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}

	if err := system.Setuid(execUser.Uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}

	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return fmt.Errorf("set HOME %s", err)
		}
	}

	return nil
}
Esempio n. 13
0
func init() {
	defer trace.End(trace.Begin(""))
	trace.Logger.Level = log.DebugLevel
	_ = pprof.StartPprof("vicadmin", pprof.VicadminPort)

	// We don't want to run this as root.
	ud := syscall.Getuid()
	gd := syscall.Getgid()
	log.Info(fmt.Sprintf("Current UID/GID = %d/%d", ud, gd))
	// TODO: Enable this after we figure out to NOT break the test suite with it.
	// if ud == 0 {
	// log.Errorf("Error: vicadmin must not run as root.")
	// time.Sleep(60 * time.Second)
	// os.Exit(1)
	// }

	flag.StringVar(&config.addr, "l", ":2378", "Listen address")
	flag.StringVar(&config.dockerHost, "docker-host", "127.0.0.1:2376", "Docker host")
	flag.StringVar(&config.hostCertFile, "hostcert", "", "Host certificate file")
	flag.StringVar(&config.hostKeyFile, "hostkey", "", "Host private key file")
	flag.StringVar(&config.DatacenterPath, "dc", "", "Name of the Datacenter")
	flag.StringVar(&config.DatastorePath, "ds", "", "Name of the Datastore")
	flag.StringVar(&config.ClusterPath, "cluster", "", "Path of the cluster")
	flag.StringVar(&config.PoolPath, "pool", "", "Path of the resource pool")
	flag.BoolVar(&config.Insecure, "insecure", false, "Allow connection when sdk certificate cannot be verified")
	flag.BoolVar(&config.tls, "tls", true, "Set to false to disable -hostcert and -hostkey and enable plain HTTP")

	// This is only applicable for containers hosted under the VCH VM folder
	// This will not function for vSAN
	flag.StringVar(&config.vmPath, "vm-path", "", "Docker vm path")

	flag.Parse()

	// load the vch config
	src, err := extraconfig.GuestInfoSource()
	if err != nil {
		log.Errorf("Unable to load configuration from guestinfo")
		return
	}

	extraconfig.Decode(src, &vchConfig)
}
Esempio n. 14
0
// Takes care of dropping privileges to the desired user
func changeUser(args *execdriver.InitArgs) error {
	uid, gid, suppGids, err := user.GetUserGroupSupplementary(
		args.User,
		syscall.Getuid(), syscall.Getgid(),
	)
	if err != nil {
		return err
	}

	if err := syscall.Setgroups(suppGids); err != nil {
		return fmt.Errorf("Setgroups failed: %v", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("Setgid failed: %v", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("Setuid failed: %v", err)
	}

	return nil
}
Esempio n. 15
0
func (db *DB) readDB(filename string) (r []string, err error) {
	var fb []byte

	func() {
		gid := syscall.Getgid()
		if setgid() != nil {
			defer syscall.Setgid(gid)
		}
		fb, err = ioutil.ReadFile(filename)
	}()

	if err != nil {
		return
	}

	if bytes.Compare(fb[0:8], []byte("\x00mlocate")) == 0 {
		return db.readMlocateDB(fb)
	}

	return
}
Esempio n. 16
0
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}

	execUser, err := getUser(u, &defaultExecUser)
	if err != nil {
		return err
	}

	if err := syscall.Setgroups(execUser.Sgids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}

	if err := system.Setgid(execUser.Gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}

	if err := system.Setuid(execUser.Uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}

	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return fmt.Errorf("set HOME %s", err)
		}
	}

	os.Setenv("USER", u)

	return nil
}
Esempio n. 17
0
// setupUser changes the groups, gid, and uid for the user inside the container
// copy from libcontainer, cause not it's private
func setupUser(userSpec string) error {
	// Set up defaults.
	defaultExecUser := user.ExecUser{
		Uid:  syscall.Getuid(),
		Gid:  syscall.Getgid(),
		Home: "/",
	}
	passwdPath, err := user.GetPasswdPath()
	if err != nil {
		return err
	}
	groupPath, err := user.GetGroupPath()
	if err != nil {
		return err
	}
	execUser, err := user.GetExecUserPath(userSpec, &defaultExecUser, passwdPath, groupPath)
	if err != nil {
		return err
	}
	if err := syscall.Setgroups(execUser.Sgids); err != nil {
		return err
	}
	if err := system.Setgid(execUser.Gid); err != nil {
		return err
	}
	if err := system.Setuid(execUser.Uid); err != nil {
		return err
	}
	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", execUser.Home); err != nil {
			return err
		}
	}
	return nil
}
Esempio n. 18
0
// Current returns the curreng  group information (from getgid())
func Current() (*Group, error) {
	return lookup(syscall.Getgid(), "", false)
}
Esempio n. 19
0
func TestHello(t *testing.T) {
	tmp := tempdir.New(t)
	defer tmp.Cleanup()

	filesys := setup_fs(t)

	mnt, err := fstestutil.MountedT(t, filesys)
	if err != nil {
		t.Fatalf("Mount fail: %v\n", err)
	}
	defer mnt.Close()

	fi, err := os.Stat(mnt.Dir)
	if err != nil {
		t.Fatalf("root getattr failed with %v", err)
	}
	mode := fi.Mode()
	if (mode & os.ModeType) != os.ModeDir {
		t.Errorf("root is not a directory: %#v", fi)
	}
	if mode.Perm() != 0555 {
		t.Errorf("root has weird access mode: %v", mode.Perm())
	}
	switch stat := fi.Sys().(type) {
	case *syscall.Stat_t:
		if stat.Nlink != 1 {
			t.Errorf("root has wrong link count: %v", stat.Nlink)
		}
		if stat.Uid != uint32(syscall.Getuid()) {
			t.Errorf("root has wrong uid: %d", stat.Uid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("root has wrong gid: %d", stat.Gid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("root has wrong gid: %d", stat.Gid)
		}
	}

	f, err := os.Create(path.Join(mnt.Dir, "does-not-exist-yet"))
	if err == nil {
		f.Close()
		t.Errorf("root must be read-only")
	} else if err.(*os.PathError).Err != syscall.EROFS {
		t.Errorf("file create gave bad error: %v", err)
	}

	hello_path := path.Join(mnt.Dir, "hello")
	fi, err = os.Stat(hello_path)
	if err != nil {
		t.Fatalf("hello getattr failed with %v", err)
	}
	if fi.Name() != "hello" {
		t.Errorf("hello has weird name: %q", fi.Name())
	}
	if fi.Size() != 13 {
		t.Errorf("hello has weird size: %v", fi.Size())
	}
	// if fi.ModTime() != TIME_1 {
	// 	t.Errorf("hello has weird time: %v != %v", fi.ModTime(), TIME_1)
	// }
	mode = fi.Mode()
	if (mode & os.ModeType) != 0 {
		t.Errorf("hello is not a file: %#v", fi)
	}
	if mode.Perm() != 0444 {
		t.Errorf("hello has weird access mode: %v", mode.Perm())
	}
	switch stat := fi.Sys().(type) {
	case *syscall.Stat_t:
		if stat.Nlink != 1 {
			t.Errorf("hello has wrong link count: %v", stat.Nlink)
		}
		if stat.Uid != uint32(syscall.Getuid()) {
			t.Errorf("hello has wrong uid: %d", stat.Uid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("hello has wrong gid: %d", stat.Gid)
		}
		if stat.Gid != uint32(syscall.Getgid()) {
			t.Errorf("hello has wrong gid: %d", stat.Gid)
		}
		if stat.Blocks != 1 {
			t.Errorf("hello has weird blockcount: %v", stat.Blocks)
		}
	}

	f, err = os.Create(hello_path)
	if err == nil {
		f.Close()
		t.Errorf("hello must be read-only")
	} else if err.(*os.PathError).Err != syscall.EACCES {
		t.Errorf("hello open for write gave bad error: %v", err)
	}

	f, err = os.Open(hello_path)
	if err != nil {
		t.Fatalf("hello open failed with %v", err)
	}
	buf, err := ioutil.ReadAll(f)
	if err != nil {
		t.Errorf("hello read failed with %v", err)
	}
	if string(buf) != GREETING {
		t.Errorf("hello read wrong content: %q", string(buf))
	}
	err = f.Close()
	if err != nil {
		t.Fatalf("hello close failed with %v", err)
	}
}
Esempio n. 20
0
func isRoot() bool {
	return syscall.Getuid() == 0 || syscall.Geteuid() == 0 ||
		syscall.Getgid() == 0 || syscall.Getegid() == 0
}
Esempio n. 21
0
// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
	uid, gid, suppGids, home, err := user.GetUserGroupSupplementaryHome(u, syscall.Getuid(), syscall.Getgid(), "/")
	if err != nil {
		return fmt.Errorf("get supplementary groups %s", err)
	}

	if err := syscall.Setgroups(suppGids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}

	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}

	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}

	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", home); err != nil {
			return fmt.Errorf("set HOME %s", err)
		}
	}

	return nil
}
Esempio n. 22
0
// Getgid returns the numeric group id of the caller.
func Getgid() int { return syscall.Getgid() }
Esempio n. 23
0
// Activates the mitigation measurements.
func Activate(uid int, gid int, path string) {
	if !CanActivate() {
		panic("Cannot activate mitigation measurements!")
	}

	// chroot directory
	err := syscall.Chroot(path)
	if err != nil {
		panic(err)
	}

	// change directory to new /
	err = syscall.Chdir("/")
	if err != nil {
		panic(err)
	}

	// drop all other groups
	err = syscall.Setgroups([]int{gid})
	if err != nil {
		panic(err)
	}

	// verify the empty group list
	gids, err := syscall.Getgroups()
	if err != nil {
		panic("Could not read groups!")
	}
	if len(gids) > 1 {
		panic("Could not drop groups!")
	} else if len(gids) == 1 {
		if gids[0] != gid {
			panic("Could not drop foreign groups!")
		}
	}

	// change group
	err = syscall.Setgid(gid)
	if err != nil {
		panic(err)
	}

	// verify the group change
	ngid := syscall.Getgid()
	if ngid != gid {
		panic("Could not change group id!")
	}

	// change user
	err = syscall.Setuid(uid)
	if err != nil {
		panic(err)
	}

	// verify the user change
	nuid := syscall.Getuid()
	if nuid != uid {
		panic("Could not change user id!")
	}

	// now drop all environment variables
	os.Clearenv()
}
Esempio n. 24
0
func setupUser(container *libcontainer.Container) error {
	uid, gid, suppGids, err := user.GetUserGroupSupplementary(container.User, syscall.Getuid(), syscall.Getgid())
	if err != nil {
		return fmt.Errorf("GetUserGroupSupplementary %s", err)
	}
	if err := system.Setgroups(suppGids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}
	if err := system.Setgid(gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}
	if err := system.Setuid(uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}
	return nil
}
Esempio n. 25
0
func currentGroup() (*Group, error) {
	return lookupUnixGroup(syscall.Getgid(), "", false, buildGroup)
}
Esempio n. 26
0
// +build linux darwin

package overseer

//this file attempts to contain all posix
//specific stuff, that needs to be implemented
//in some other way on other OSs... TODO!

import (
	"os/exec"
	"syscall"
)

var (
	supported = true
	uid       = syscall.Getuid()
	gid       = syscall.Getgid()
	SIGUSR1   = syscall.SIGUSR1
	SIGUSR2   = syscall.SIGUSR2
	SIGTERM   = syscall.SIGTERM
)

func move(dst, src string) error {
	//HACK: we're shelling out to mv because linux
	//throws errors when crossing device boundaryes.
	//TODO see sys_posix_mv.go
	return exec.Command("mv", src, dst).Run()
}
Esempio n. 27
0
func unpackAndDropPrivs(snapFile, targetDir, rootDir string) error {

	d, err := clickdeb.Open(snapFile)
	if err != nil {
		return err
	}
	defer d.Close()

	if helpers.ShouldDropPrivs() {
		var dropPrivsUser string

		// first find out what user to use
		passFile := passwdFile(rootDir, "passwd")
		for _, dropPrivsUser = range dropPrivsUsers {
			_, err := readUID(dropPrivsUser, passFile)
			if err == nil {
				break
			}
		}

		// then get uid/gid
		uid, err := readUID(dropPrivsUser, passFile)
		if err != nil {
			return err
		}

		groupFile := passwdFile(rootDir, "group")
		gid, err := readUID(dropPrivsUser, groupFile)
		if err != nil {
			return err
		}

		if err := os.MkdirAll(targetDir, 0755); err != nil {
			return err
		}

		if err := os.Chown(targetDir, uid, gid); err != nil {
			return err
		}

		// Setuid and Setgid only apply to the current Linux thread, so make
		// sure we don't get moved.
		runtime.LockOSThread()

		// run prctl(PR_SET_NO_NEW_PRIVS)
		rc := C.prctl_no_new_privs()
		if rc < 0 {
			return fmt.Errorf("prctl(PR_SET_NO_NEW_PRIVS) failed with %v", rc)
		}

		if err := syscall.Setgroups([]int{gid}); err != nil {
			return fmt.Errorf("Setgroups([]{%d}) call failed: %v", gid, err)
		}

		if err := setgid(gid); err != nil {
			return fmt.Errorf("Setgid(%d) call failed: %v", gid, err)
		}
		if err := setuid(uid); err != nil {
			return fmt.Errorf("Setuid(%d) call failed: %v", uid, err)
		}

		// extra paranoia
		if syscall.Getuid() != uid || syscall.Getgid() != gid {
			return fmt.Errorf("Dropping privileges failed, uid is %v, gid is %v", syscall.Getuid(), syscall.Getgid())
		}
	}

	return d.UnpackAll(targetDir)
}
Esempio n. 28
0
func currentGroup() (*Group, error) {
	return lookupUnixGid(syscall.Getgid())
}
Esempio n. 29
0
func setupUser(container *libcontainer.Container) error {
	switch container.User {
	case "root", "":
		if err := system.Setgroups(nil); err != nil {
			return err
		}
		if err := system.Setresgid(0, 0, 0); err != nil {
			return err
		}
		if err := system.Setresuid(0, 0, 0); err != nil {
			return err
		}
	default:
		uid, gid, suppGids, err := user.GetUserGroupSupplementary(container.User, syscall.Getuid(), syscall.Getgid())
		if err != nil {
			return err
		}
		if err := system.Setgroups(suppGids); err != nil {
			return err
		}
		if err := system.Setgid(gid); err != nil {
			return err
		}
		if err := system.Setuid(uid); err != nil {
			return err
		}
	}
	return nil
}
Esempio n. 30
0
// CurrentGroup looks up the current user's group by their primary group id's
// entry in /etc/passwd. If the group cannot be found (or there is no
// /etc/group file on the filesystem), then CurrentGroup returns an error.
func CurrentGroup() (Group, error) {
	return LookupGid(syscall.Getgid())
}