From 47f87072ad42338a9b6397a250abf2775d051d8e Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 9 Sep 2004 21:12:53 +0000 Subject: [PATCH] * A very dirty hack to make setuid installations a bit nicer to use. Previously there was the problem that all files read by nix-env etc. should be reachable and readable by the Nix user. So for instance building a Nix expression in your home directory meant that the home directory should have at least g+x or o+x permission so that the Nix user could reach the Nix expression. Now we just switch back to the original user just prior to reading sources and the like. The places where this happens are somewhat arbitrary, however. Any scope that has a live SwitchToOriginalUser object in it is executed as the original user. * Back out r1385. setreuid() sets the saved uid to the new real/effective uid, which prevents us from switching back to the original uid. setresuid() doesn't have this problem (although the manpage has a bug: specifying -1 for the saved uid doesn't leave it unchanged; an explicit value must be specified). --- configure.ac | 8 +++--- src/Makefile.am | 2 +- src/libexpr/parser.cc | 2 ++ src/libmain/shared.cc | 61 ++++++++++++++++++++++++++++++++++--------- src/libstore/store.cc | 11 ++++++-- src/libutil/util.hh | 10 +++++++ src/nix-env/main.cc | 3 +++ 7 files changed, 78 insertions(+), 19 deletions(-) diff --git a/configure.ac b/configure.ac index 6b041c165..2ba8e9238 100644 --- a/configure.ac +++ b/configure.ac @@ -151,10 +151,10 @@ if test "$setuid_hack" = "yes"; then AC_DEFINE(SETUID_HACK, 1, [whether to install Nix setuid]) fi -AC_CHECK_FUNC(setreuid, [HAVE_SETREUID=1], [HAVE_SETREUID=]) -AM_CONDITIONAL(HAVE_SETREUID, test "$HAVE_SETREUID" = "1") -if test "$HAVE_SETREUID" = "1"; then - AC_DEFINE(HAVE_SETREUID, 1, [whether we have setreuid()]) +AC_CHECK_FUNC(setresuid, [HAVE_SETRESUID=1], [HAVE_SETRESUID=]) +AM_CONDITIONAL(HAVE_SETRESUID, test "$HAVE_SETRESUID" = "1") +if test "$HAVE_SETRESUID" = "1"; then + AC_DEFINE(HAVE_SETRESUID, 1, [whether we have setresuid()]) fi AC_ARG_WITH(nix-user, AC_HELP_STRING([--with-nix-user=USER], diff --git a/src/Makefile.am b/src/Makefile.am index b7eb905f9..563738217 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -4,7 +4,7 @@ SUBDIRS = bin2c boost libutil libstore libmain nix-store nix-hash \ SETUID_PROGS = nix-store nix-instantiate nix-env install-exec-hook: if SETUID_HACK -if HAVE_SETREUID +if HAVE_SETRESUID cd $(DESTDIR)$(bindir) && chown @NIX_USER@ $(SETUID_PROGS) \ && chgrp @NIX_GROUP@ $(SETUID_PROGS) && chmod ug+s $(SETUID_PROGS) else diff --git a/src/libexpr/parser.cc b/src/libexpr/parser.cc index 90e008473..763faacf7 100644 --- a/src/libexpr/parser.cc +++ b/src/libexpr/parser.cc @@ -106,6 +106,8 @@ static Expr parse(EvalState & state, Expr parseExprFromFile(EvalState & state, Path path) { + SwitchToOriginalUser sw; + assert(path[0] == '/'); #if 0 diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc index d0ea3aab8..5affce77e 100644 --- a/src/libmain/shared.cc +++ b/src/libmain/shared.cc @@ -169,9 +169,14 @@ static void initAndRun(int argc, char * * argv) } -#if HAVE_SETREUID -#define _setuid(uid) setreuid(uid, uid) -#define _setgid(gid) setregid(gid, gid) +static bool haveSwitched; +static uid_t savedUid, nixUid; +static gid_t savedGid, nixGid; + + +#if HAVE_SETRESUID +#define _setuid(uid) setresuid(uid, uid, savedUid) +#define _setgid(gid) setresgid(gid, gid, savedGid) #else /* Only works properly when run by root. */ #define _setuid(uid) setuid(uid) @@ -179,6 +184,37 @@ static void initAndRun(int argc, char * * argv) #endif +SwitchToOriginalUser::SwitchToOriginalUser() +{ +#if SETUID_HACK && HAVE_SETRESUID + /* Temporarily switch the effective uid/gid back to the saved + uid/gid (which is the uid/gid of the user that executed the Nix + program; it's *not* the real uid/gid, since we changed that to + the Nix user in switchToNixUser()). */ + if (haveSwitched) { + if (setuid(savedUid) == -1) + throw SysError(format("temporarily restoring uid to `%1%'") % savedUid); + if (setgid(savedGid) == -1) + throw SysError(format("temporarily restoring gid to `%1%'") % savedGid); + } +#endif +} + + +SwitchToOriginalUser::~SwitchToOriginalUser() +{ +#if SETUID_HACK && HAVE_SETRESUID + /* Switch the effective uid/gid back to the Nix user. */ + if (haveSwitched) { + if (setuid(nixUid) == -1) + throw SysError(format("restoring uid to `%1%'") % nixUid); + if (setgid(nixGid) == -1) + throw SysError(format("restoring gid to `%1%'") % nixGid); + } +#endif +} + + void switchToNixUser() { #if SETUID_HACK @@ -208,7 +244,7 @@ void switchToNixUser() /* !!! Apparently it is unspecified whether getgroups() includes the effective gid. In that case the following test is always true *if* the program is installed setgid (which we do when we - have setreuid()). On Linux this doesn't appear to be the + have setresuid()). On Linux this doesn't appear to be the case, but we should switch to the real gid before doing this test, and then switch back to the saved gid. */ @@ -227,13 +263,14 @@ void switchToNixUser() return; } + savedUid = getuid(); + savedGid = getgid(); + /* Set the real, effective and saved gids to gr->gr_gid. Also make very sure that this succeeded. We switch the gid first because we cannot do it after we have dropped root uid. */ - if (_setgid(gr->gr_gid) != 0 || - getgid() != gr->gr_gid || - getegid() != gr->gr_gid) - { + nixGid = gr->gr_gid; + if (_setgid(nixGid) != 0 || getgid() != nixGid || getegid() != nixGid) { cerr << format("unable to set gid to `%1%'\n") % NIX_GROUP; exit(1); } @@ -248,14 +285,14 @@ void switchToNixUser() /* This will drop all root privileges, setting the real, effective and saved uids to pw->pw_uid. Also make very sure that this succeeded.*/ - if (_setuid(pw->pw_uid) != 0 || - getuid() != pw->pw_uid || - geteuid() != pw->pw_uid) - { + nixUid = pw->pw_uid; + if (_setuid(nixUid) != 0 || getuid() != nixUid || geteuid() != nixUid) { cerr << format("unable to set uid to `%1%'\n") % NIX_USER; exit(1); } + haveSwitched = true; + #endif } diff --git a/src/libstore/store.cc b/src/libstore/store.cc index 110ec2b48..5b471a1d9 100644 --- a/src/libstore/store.cc +++ b/src/libstore/store.cc @@ -157,7 +157,10 @@ void copyPath(const Path & src, const Path & dst) CopySink sink; sink.fd = pipe.writeSide; - dumpPath(src, sink); + { + SwitchToOriginalUser sw; + dumpPath(src, sink); + } /* Wait for the child to finish. */ int status = pid.wait(true); @@ -421,7 +424,11 @@ Path addToStore(const Path & _srcPath) Path srcPath(absPath(_srcPath)); debug(format("adding `%1%' to the store") % srcPath); - Hash h = hashPath(srcPath); + Hash h; + { + SwitchToOriginalUser sw; + h = hashPath(srcPath); + } string baseName = baseNameOf(srcPath); Path dstPath = canonPath(nixStore + "/" + (string) h + "-" + baseName); diff --git a/src/libutil/util.hh b/src/libutil/util.hh index 13f28dc22..ae5b4882e 100644 --- a/src/libutil/util.hh +++ b/src/libutil/util.hh @@ -246,4 +246,14 @@ string statusToString(int status); bool statusOk(int status); +/* !!! HACK HACK HACK - this should be in shared.hh, but it's to + facilitate a quick hack - will remove this eventually (famous last + words). */ +struct SwitchToOriginalUser +{ + SwitchToOriginalUser(); + ~SwitchToOriginalUser(); +}; + + #endif /* !__UTIL_H */ diff --git a/src/nix-env/main.cc b/src/nix-env/main.cc index 3700f4489..14aa13b86 100644 --- a/src/nix-env/main.cc +++ b/src/nix-env/main.cc @@ -600,6 +600,7 @@ static void opSwitchProfile(Globals & globals, Path profile = opArgs.front(); Path profileLink = getHomeDir() + "/.nix-profile"; + SwitchToOriginalUser sw; switchLink(profileLink, profile); } @@ -698,6 +699,7 @@ static void opDefaultExpr(Globals & globals, Path defNixExpr = absPath(opArgs.front()); Path defNixExprLink = getDefNixExprPath(); + SwitchToOriginalUser sw; switchLink(defNixExprLink, defNixExpr); } @@ -772,6 +774,7 @@ void run(Strings args) if (!op) throw UsageError("no operation specified"); if (globals.profile == "") { + SwitchToOriginalUser sw; Path profileLink = getHomeDir() + "/.nix-profile"; globals.profile = pathExists(profileLink) ? absPath(readLink(profileLink), dirOf(profileLink))