Web   ·   Wiki   ·   Activities   ·   Blog   ·   Lists   ·   Chat   ·   Meeting   ·   Bugs   ·   Git   ·   Translate   ·   Archive   ·   People   ·   Donate
summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Stone <michael@laptop.org>2009-04-11 09:01:57 (GMT)
committer Michael Stone <michael@laptop.org>2009-04-11 09:21:08 (GMT)
commit210be7b72d9a036586667f9a904073bac0b7b34a (patch)
tree4942ee88015466937f08e94a0dd5e3b171b1fb7f
parent4c16e2af14a8c13d718f3505a18dfe51e187925e (diff)
Permit reuse of uids.
Diffstat
-rwxr-xr-xrainbow/bin/rainbow-run4
-rw-r--r--rainbow/rainbow/inject.py34
2 files changed, 25 insertions, 13 deletions
diff --git a/rainbow/bin/rainbow-run b/rainbow/bin/rainbow-run
index ec3dcf6..fc68e4d 100755
--- a/rainbow/bin/rainbow-run
+++ b/rainbow/bin/rainbow-run
@@ -114,7 +114,9 @@ def main():
data_id = check_data_id(opts)
assistant = check_assistant(opts)
- args = (report, spool, env, argv, cwd, pset, safe_fds, uid, gid, groups, data_id, assistant)
+ resume_uid = None
+
+ args = (report, spool, env, argv, cwd, pset, safe_fds, uid, gid, resume_uid, groups, [data_id], assistant)
report(1, 'rainbow:\n%s', pformat(args))
unshare(CLONE_NEWNS)
diff --git a/rainbow/rainbow/inject.py b/rainbow/rainbow/inject.py
index 9fd3ab8..8ff9a8c 100644
--- a/rainbow/rainbow/inject.py
+++ b/rainbow/rainbow/inject.py
@@ -1,7 +1,7 @@
import os
from os import R_OK, W_OK, X_OK, fork, symlink, unlink, O_CREAT, O_EXCL, chown, chmod
from os import setgroups, setgid, setuid, chdir, umask, execvpe, waitpid, WEXITSTATUS
-from os import getpid, getuid, _exit, rename
+from os import getpid, getuid, _exit, rename, readlink
from os.path import join, basename, realpath, lexists
from subprocess import check_call, Popen, PIPE
from stat import S_IFDIR
@@ -53,7 +53,7 @@ def reserve_uid(log, spool):
def reserve_group(log, spool, group):
return reserve_tag(log, spool, group, 'bundle_id_to_gid', 'gid', 'gids', 10000, 65534, 1)
-def grab_home(_, spool, uid, _, owner_gid):
+def grab_home(_, spool, uid, __, owner_gid):
home = join(spool, 'uid_to_home_dir', str(uid))
make_dirs(home, uid, owner_gid, 0770)
chown(home, uid, owner_gid)
@@ -62,7 +62,7 @@ def grab_home(_, spool, uid, _, owner_gid):
chmod(home, 02770)
return home
-def configure_home(_, spool, home, owner_uid, _, _, gid, data_group_to_gid):
+def configure_home(_, spool, home, owner_uid, __, ___, gid, data_group_to_gid):
for group, gid in data_group_to_gid:
path = join(spool, 'gid_to_data_dir', str(gid))
make_dirs(path, owner_uid, gid, 0770)
@@ -179,11 +179,11 @@ def check_spool(spool, owner_uid, owner_gid):
ck = Checker(join(spool, frag), owner_uid, owner_gid)
assert ck.positive(R_OK | X_OK, S_IFDIR)
-def check_owner(_, _):
+def check_owner(_, __):
return True
-def check_home_dirs(uid, gid, home):
- for frag in ('instance', 'data', 'tmp'):
+def check_home_dirs(uid, gid, home, data_group_to_gid):
+ for frag, _ in data_group_to_gid:
ck = Checker(join(home, frag), uid, gid)
assert ck.positive(R_OK | W_OK | X_OK, S_IFDIR)
@@ -233,8 +233,12 @@ def configure_xephyr(_, spool, owner_gid, uid, env, safe_fds):
newenv = {'DISPLAY' : ':%d' % display, 'XAUTHORITY' : auth_path}
return newenv
+def check_uid(_, spool, owner_uid, uid):
+ assert 10000 <= uid and uid <= 65534
+ assert readlink(join(spool, 'uid_to_owner_uid', str(uid))) == str(owner_uid)
+
def inject(log, spool, env, argv, cwd, pset, safe_fds, owner_uid, owner_gid,
- groups, data_groups, assistant):
+ uid, groups, data_groups, assistant):
# Note: exceptions are intended to bubble up to the caller and should
# terminate execution.
check_data_groups(data_groups)
@@ -243,17 +247,23 @@ def inject(log, spool, env, argv, cwd, pset, safe_fds, owner_uid, owner_gid,
check_spool(spool, owner_uid, owner_gid)
- uid, gid = reserve_uid(log, spool)
- data_group_to_gid = [(group, reserve_group(log, spool, group)) for group in data_groups]
+ if not uid:
+ uid, gid = reserve_uid(log, spool)
+ home = grab_home(log, spool, uid, gid, owner_gid)
+ else:
+ check_uid(log, spool, owner_uid, uid)
+ pw = getpwuid(uid)
+ gid, home = pw.pw_gid, pw.pw_dir
- home = grab_home(log, spool, uid, gid, owner_gid, )
+ # XXX: Need to verify ownership and membership before joining data groups.
+ data_group_to_gid = [(group, reserve_group(log, spool, group)) for group in data_groups]
configure_home(log, spool, home, owner_uid, owner_gid, uid, gid, data_group_to_gid)
if cwd is None:
cwd = home
check_cwd(uid, gid, cwd)
- check_home_dirs(uid, gid, home)
- check_home_dirs(owner_uid, owner_gid, home)
+ check_home_dirs(uid, gid, home, data_group_to_gid)
+ check_home_dirs(owner_uid, owner_gid, home, data_group_to_gid)
check_home(uid, gid, home)
groups = configure_groups(log, owner_uid, groups, gid, data_group_to_gid, pset)
generated by cgit v0.9.1 at 2024-05-18 10:01:21 (GMT)