* A very dirty hack to make setuid installations a bit nicer to use.

Previously there was the problem that all files read by nix-env
  etc. should be reachable and readable by the Nix user.  So for
  instance building a Nix expression in your home directory meant that
  the home directory should have at least g+x or o+x permission so
  that the Nix user could reach the Nix expression.  Now we just
  switch back to the original user just prior to reading sources and
  the like.  The places where this happens are somewhat arbitrary,
  however.  Any scope that has a live SwitchToOriginalUser object in
  it is executed as the original user.

* Back out r1385.  setreuid() sets the saved uid to the new
  real/effective uid, which prevents us from switching back to the
  original uid.  setresuid() doesn't have this problem (although the
  manpage has a bug: specifying -1 for the saved uid doesn't leave it
  unchanged; an explicit value must be specified).
This commit is contained in:
Eelco Dolstra 2004-09-09 21:12:53 +00:00
parent 5396304c73
commit 47f87072ad
7 changed files with 78 additions and 19 deletions

View file

@ -151,10 +151,10 @@ if test "$setuid_hack" = "yes"; then
AC_DEFINE(SETUID_HACK, 1, [whether to install Nix setuid]) AC_DEFINE(SETUID_HACK, 1, [whether to install Nix setuid])
fi fi
AC_CHECK_FUNC(setreuid, [HAVE_SETREUID=1], [HAVE_SETREUID=]) AC_CHECK_FUNC(setresuid, [HAVE_SETRESUID=1], [HAVE_SETRESUID=])
AM_CONDITIONAL(HAVE_SETREUID, test "$HAVE_SETREUID" = "1") AM_CONDITIONAL(HAVE_SETRESUID, test "$HAVE_SETRESUID" = "1")
if test "$HAVE_SETREUID" = "1"; then if test "$HAVE_SETRESUID" = "1"; then
AC_DEFINE(HAVE_SETREUID, 1, [whether we have setreuid()]) AC_DEFINE(HAVE_SETRESUID, 1, [whether we have setresuid()])
fi fi
AC_ARG_WITH(nix-user, AC_HELP_STRING([--with-nix-user=USER], AC_ARG_WITH(nix-user, AC_HELP_STRING([--with-nix-user=USER],

View file

@ -4,7 +4,7 @@ SUBDIRS = bin2c boost libutil libstore libmain nix-store nix-hash \
SETUID_PROGS = nix-store nix-instantiate nix-env SETUID_PROGS = nix-store nix-instantiate nix-env
install-exec-hook: install-exec-hook:
if SETUID_HACK if SETUID_HACK
if HAVE_SETREUID if HAVE_SETRESUID
cd $(DESTDIR)$(bindir) && chown @NIX_USER@ $(SETUID_PROGS) \ cd $(DESTDIR)$(bindir) && chown @NIX_USER@ $(SETUID_PROGS) \
&& chgrp @NIX_GROUP@ $(SETUID_PROGS) && chmod ug+s $(SETUID_PROGS) && chgrp @NIX_GROUP@ $(SETUID_PROGS) && chmod ug+s $(SETUID_PROGS)
else else

View file

@ -106,6 +106,8 @@ static Expr parse(EvalState & state,
Expr parseExprFromFile(EvalState & state, Path path) Expr parseExprFromFile(EvalState & state, Path path)
{ {
SwitchToOriginalUser sw;
assert(path[0] == '/'); assert(path[0] == '/');
#if 0 #if 0

View file

@ -169,9 +169,14 @@ static void initAndRun(int argc, char * * argv)
} }
#if HAVE_SETREUID static bool haveSwitched;
#define _setuid(uid) setreuid(uid, uid) static uid_t savedUid, nixUid;
#define _setgid(gid) setregid(gid, gid) static gid_t savedGid, nixGid;
#if HAVE_SETRESUID
#define _setuid(uid) setresuid(uid, uid, savedUid)
#define _setgid(gid) setresgid(gid, gid, savedGid)
#else #else
/* Only works properly when run by root. */ /* Only works properly when run by root. */
#define _setuid(uid) setuid(uid) #define _setuid(uid) setuid(uid)
@ -179,6 +184,37 @@ static void initAndRun(int argc, char * * argv)
#endif #endif
SwitchToOriginalUser::SwitchToOriginalUser()
{
#if SETUID_HACK && HAVE_SETRESUID
/* Temporarily switch the effective uid/gid back to the saved
uid/gid (which is the uid/gid of the user that executed the Nix
program; it's *not* the real uid/gid, since we changed that to
the Nix user in switchToNixUser()). */
if (haveSwitched) {
if (setuid(savedUid) == -1)
throw SysError(format("temporarily restoring uid to `%1%'") % savedUid);
if (setgid(savedGid) == -1)
throw SysError(format("temporarily restoring gid to `%1%'") % savedGid);
}
#endif
}
SwitchToOriginalUser::~SwitchToOriginalUser()
{
#if SETUID_HACK && HAVE_SETRESUID
/* Switch the effective uid/gid back to the Nix user. */
if (haveSwitched) {
if (setuid(nixUid) == -1)
throw SysError(format("restoring uid to `%1%'") % nixUid);
if (setgid(nixGid) == -1)
throw SysError(format("restoring gid to `%1%'") % nixGid);
}
#endif
}
void switchToNixUser() void switchToNixUser()
{ {
#if SETUID_HACK #if SETUID_HACK
@ -208,7 +244,7 @@ void switchToNixUser()
/* !!! Apparently it is unspecified whether getgroups() includes /* !!! Apparently it is unspecified whether getgroups() includes
the effective gid. In that case the following test is always the effective gid. In that case the following test is always
true *if* the program is installed setgid (which we do when we true *if* the program is installed setgid (which we do when we
have setreuid()). On Linux this doesn't appear to be the have setresuid()). On Linux this doesn't appear to be the
case, but we should switch to the real gid before doing this case, but we should switch to the real gid before doing this
test, and then switch back to the saved gid. */ test, and then switch back to the saved gid. */
@ -227,13 +263,14 @@ void switchToNixUser()
return; return;
} }
savedUid = getuid();
savedGid = getgid();
/* Set the real, effective and saved gids to gr->gr_gid. Also /* Set the real, effective and saved gids to gr->gr_gid. Also
make very sure that this succeeded. We switch the gid first make very sure that this succeeded. We switch the gid first
because we cannot do it after we have dropped root uid. */ because we cannot do it after we have dropped root uid. */
if (_setgid(gr->gr_gid) != 0 || nixGid = gr->gr_gid;
getgid() != gr->gr_gid || if (_setgid(nixGid) != 0 || getgid() != nixGid || getegid() != nixGid) {
getegid() != gr->gr_gid)
{
cerr << format("unable to set gid to `%1%'\n") % NIX_GROUP; cerr << format("unable to set gid to `%1%'\n") % NIX_GROUP;
exit(1); exit(1);
} }
@ -248,14 +285,14 @@ void switchToNixUser()
/* This will drop all root privileges, setting the real, effective /* This will drop all root privileges, setting the real, effective
and saved uids to pw->pw_uid. Also make very sure that this and saved uids to pw->pw_uid. Also make very sure that this
succeeded.*/ succeeded.*/
if (_setuid(pw->pw_uid) != 0 || nixUid = pw->pw_uid;
getuid() != pw->pw_uid || if (_setuid(nixUid) != 0 || getuid() != nixUid || geteuid() != nixUid) {
geteuid() != pw->pw_uid)
{
cerr << format("unable to set uid to `%1%'\n") % NIX_USER; cerr << format("unable to set uid to `%1%'\n") % NIX_USER;
exit(1); exit(1);
} }
haveSwitched = true;
#endif #endif
} }

View file

@ -157,7 +157,10 @@ void copyPath(const Path & src, const Path & dst)
CopySink sink; CopySink sink;
sink.fd = pipe.writeSide; sink.fd = pipe.writeSide;
dumpPath(src, sink); {
SwitchToOriginalUser sw;
dumpPath(src, sink);
}
/* Wait for the child to finish. */ /* Wait for the child to finish. */
int status = pid.wait(true); int status = pid.wait(true);
@ -421,7 +424,11 @@ Path addToStore(const Path & _srcPath)
Path srcPath(absPath(_srcPath)); Path srcPath(absPath(_srcPath));
debug(format("adding `%1%' to the store") % srcPath); debug(format("adding `%1%' to the store") % srcPath);
Hash h = hashPath(srcPath); Hash h;
{
SwitchToOriginalUser sw;
h = hashPath(srcPath);
}
string baseName = baseNameOf(srcPath); string baseName = baseNameOf(srcPath);
Path dstPath = canonPath(nixStore + "/" + (string) h + "-" + baseName); Path dstPath = canonPath(nixStore + "/" + (string) h + "-" + baseName);

View file

@ -246,4 +246,14 @@ string statusToString(int status);
bool statusOk(int status); bool statusOk(int status);
/* !!! HACK HACK HACK - this should be in shared.hh, but it's to
facilitate a quick hack - will remove this eventually (famous last
words). */
struct SwitchToOriginalUser
{
SwitchToOriginalUser();
~SwitchToOriginalUser();
};
#endif /* !__UTIL_H */ #endif /* !__UTIL_H */

View file

@ -600,6 +600,7 @@ static void opSwitchProfile(Globals & globals,
Path profile = opArgs.front(); Path profile = opArgs.front();
Path profileLink = getHomeDir() + "/.nix-profile"; Path profileLink = getHomeDir() + "/.nix-profile";
SwitchToOriginalUser sw;
switchLink(profileLink, profile); switchLink(profileLink, profile);
} }
@ -698,6 +699,7 @@ static void opDefaultExpr(Globals & globals,
Path defNixExpr = absPath(opArgs.front()); Path defNixExpr = absPath(opArgs.front());
Path defNixExprLink = getDefNixExprPath(); Path defNixExprLink = getDefNixExprPath();
SwitchToOriginalUser sw;
switchLink(defNixExprLink, defNixExpr); switchLink(defNixExprLink, defNixExpr);
} }
@ -772,6 +774,7 @@ void run(Strings args)
if (!op) throw UsageError("no operation specified"); if (!op) throw UsageError("no operation specified");
if (globals.profile == "") { if (globals.profile == "") {
SwitchToOriginalUser sw;
Path profileLink = getHomeDir() + "/.nix-profile"; Path profileLink = getHomeDir() + "/.nix-profile";
globals.profile = pathExists(profileLink) globals.profile = pathExists(profileLink)
? absPath(readLink(profileLink), dirOf(profileLink)) ? absPath(readLink(profileLink), dirOf(profileLink))