func (d *AllocDir) dropDirPermissions(path string) error { // Can't do anything if not root. if unix.Geteuid() != 0 { return nil } u, err := user.Lookup("nobody") if err != nil { return err } uid, err := getUid(u) if err != nil { return err } gid, err := getGid(u) if err != nil { return err } if err := os.Chown(path, uid, gid); err != nil { return fmt.Errorf("Couldn't change owner/group of %v to (uid: %v, gid: %v): %v", path, uid, gid, err) } if err := os.Chmod(path, 0777); err != nil { return fmt.Errorf("Chmod(%v) failed: %v", path, err) } return nil }
func (d *ExecDriver) Fingerprint(cfg *config.Config, node *structs.Node) (bool, error) { // Get the current status so that we can log any debug messages only if the // state changes _, currentlyEnabled := node.Attributes[execDriverAttr] // Only enable if cgroups are available and we are root if _, ok := node.Attributes["unique.cgroup.mountpoint"]; !ok { if currentlyEnabled { d.logger.Printf("[DEBUG] driver.exec: cgroups unavailable, disabling") } delete(node.Attributes, execDriverAttr) return false, nil } else if unix.Geteuid() != 0 { if currentlyEnabled { d.logger.Printf("[DEBUG] driver.exec: must run as root user, disabling") } delete(node.Attributes, execDriverAttr) return false, nil } if !currentlyEnabled { d.logger.Printf("[DEBUG] driver.exec: exec driver is enabled") } node.Attributes[execDriverAttr] = "1" return true, nil }
// createSecretDir removes the secrets dir folder func (d *AllocDir) removeSecretDir(dir string) error { if unix.Geteuid() == 0 { if err := syscall.Unmount(dir, 0); err != nil { return os.NewSyscallError("unmount", err) } } return os.RemoveAll(dir) }
// createSecretDir creates the secrets dir folder at the given path using a // tmpfs func (d *AllocDir) createSecretDir(dir string) error { // Only mount the tmpfs if we are root if unix.Geteuid() == 0 { if err := os.MkdirAll(dir, 0777); err != nil { return err } var flags uintptr flags = syscall.MS_NOEXEC options := fmt.Sprintf("size=%dm", secretDirTmpfsSize) err := syscall.Mount("tmpfs", dir, "tmpfs", flags, options) return os.NewSyscallError("mount", err) } return os.MkdirAll(dir, 0777) }
// Globals var ( noModTime = false debugFUSE = false noSeek = false dirCacheTime = 5 * 60 * time.Second // mount options readOnly = false allowNonEmpty = false allowRoot = false allowOther = false defaultPermissions = false writebackCache = false maxReadAhead fs.SizeSuffix = 128 * 1024 umask = 0 uid = uint32(unix.Geteuid()) gid = uint32(unix.Getegid()) // foreground = false // default permissions for directories - modified by umask in Mount dirPerms = os.FileMode(0777) filePerms = os.FileMode(0666) ) func init() { umask = unix.Umask(0) // read the umask unix.Umask(umask) // set it back to what it was cmd.Root.AddCommand(commandDefintion) commandDefintion.Flags().BoolVarP(&noModTime, "no-modtime", "", noModTime, "Don't read the modification time (can speed things up).") commandDefintion.Flags().BoolVarP(&debugFUSE, "debug-fuse", "", debugFUSE, "Debug the FUSE internals - needs -v.") commandDefintion.Flags().BoolVarP(&noSeek, "no-seek", "", noSeek, "Don't allow seeking in files.") commandDefintion.Flags().DurationVarP(&dirCacheTime, "dir-cache-time", "", dirCacheTime, "Time to cache directory entries for.")