From 210be7b72d9a036586667f9a904073bac0b7b34a Mon Sep 17 00:00:00 2001 From: Michael Stone Date: Sat, 11 Apr 2009 09:01:57 +0000 Subject: Permit reuse of uids. --- diff --git a/rainbow/bin/rainbow-run b/rainbow/bin/rainbow-run index ec3dcf6..fc68e4d 100755 --- a/rainbow/bin/rainbow-run +++ b/rainbow/bin/rainbow-run @@ -114,7 +114,9 @@ def main(): data_id = check_data_id(opts) assistant = check_assistant(opts) - args = (report, spool, env, argv, cwd, pset, safe_fds, uid, gid, groups, data_id, assistant) + resume_uid = None + + args = (report, spool, env, argv, cwd, pset, safe_fds, uid, gid, resume_uid, groups, [data_id], assistant) report(1, 'rainbow:\n%s', pformat(args)) unshare(CLONE_NEWNS) diff --git a/rainbow/rainbow/inject.py b/rainbow/rainbow/inject.py index 9fd3ab8..8ff9a8c 100644 --- a/rainbow/rainbow/inject.py +++ b/rainbow/rainbow/inject.py @@ -1,7 +1,7 @@ import os from os import R_OK, W_OK, X_OK, fork, symlink, unlink, O_CREAT, O_EXCL, chown, chmod from os import setgroups, setgid, setuid, chdir, umask, execvpe, waitpid, WEXITSTATUS -from os import getpid, getuid, _exit, rename +from os import getpid, getuid, _exit, rename, readlink from os.path import join, basename, realpath, lexists from subprocess import check_call, Popen, PIPE from stat import S_IFDIR @@ -53,7 +53,7 @@ def reserve_uid(log, spool): def reserve_group(log, spool, group): return reserve_tag(log, spool, group, 'bundle_id_to_gid', 'gid', 'gids', 10000, 65534, 1) -def grab_home(_, spool, uid, _, owner_gid): +def grab_home(_, spool, uid, __, owner_gid): home = join(spool, 'uid_to_home_dir', str(uid)) make_dirs(home, uid, owner_gid, 0770) chown(home, uid, owner_gid) @@ -62,7 +62,7 @@ def grab_home(_, spool, uid, _, owner_gid): chmod(home, 02770) return home -def configure_home(_, spool, home, owner_uid, _, _, gid, data_group_to_gid): +def configure_home(_, spool, home, owner_uid, __, ___, gid, data_group_to_gid): for group, gid in data_group_to_gid: path = join(spool, 'gid_to_data_dir', str(gid)) make_dirs(path, owner_uid, gid, 0770) @@ -179,11 +179,11 @@ def check_spool(spool, owner_uid, owner_gid): ck = Checker(join(spool, frag), owner_uid, owner_gid) assert ck.positive(R_OK | X_OK, S_IFDIR) -def check_owner(_, _): +def check_owner(_, __): return True -def check_home_dirs(uid, gid, home): - for frag in ('instance', 'data', 'tmp'): +def check_home_dirs(uid, gid, home, data_group_to_gid): + for frag, _ in data_group_to_gid: ck = Checker(join(home, frag), uid, gid) assert ck.positive(R_OK | W_OK | X_OK, S_IFDIR) @@ -233,8 +233,12 @@ def configure_xephyr(_, spool, owner_gid, uid, env, safe_fds): newenv = {'DISPLAY' : ':%d' % display, 'XAUTHORITY' : auth_path} return newenv +def check_uid(_, spool, owner_uid, uid): + assert 10000 <= uid and uid <= 65534 + assert readlink(join(spool, 'uid_to_owner_uid', str(uid))) == str(owner_uid) + def inject(log, spool, env, argv, cwd, pset, safe_fds, owner_uid, owner_gid, - groups, data_groups, assistant): + uid, groups, data_groups, assistant): # Note: exceptions are intended to bubble up to the caller and should # terminate execution. check_data_groups(data_groups) @@ -243,17 +247,23 @@ def inject(log, spool, env, argv, cwd, pset, safe_fds, owner_uid, owner_gid, check_spool(spool, owner_uid, owner_gid) - uid, gid = reserve_uid(log, spool) - data_group_to_gid = [(group, reserve_group(log, spool, group)) for group in data_groups] + if not uid: + uid, gid = reserve_uid(log, spool) + home = grab_home(log, spool, uid, gid, owner_gid) + else: + check_uid(log, spool, owner_uid, uid) + pw = getpwuid(uid) + gid, home = pw.pw_gid, pw.pw_dir - home = grab_home(log, spool, uid, gid, owner_gid, ) + # XXX: Need to verify ownership and membership before joining data groups. + data_group_to_gid = [(group, reserve_group(log, spool, group)) for group in data_groups] configure_home(log, spool, home, owner_uid, owner_gid, uid, gid, data_group_to_gid) if cwd is None: cwd = home check_cwd(uid, gid, cwd) - check_home_dirs(uid, gid, home) - check_home_dirs(owner_uid, owner_gid, home) + check_home_dirs(uid, gid, home, data_group_to_gid) + check_home_dirs(owner_uid, owner_gid, home, data_group_to_gid) check_home(uid, gid, home) groups = configure_groups(log, owner_uid, groups, gid, data_group_to_gid, pset) -- cgit v0.9.1