2003-07-04 15:42:03 +00:00
|
|
|
#include <iostream>
|
2003-07-24 08:53:43 +00:00
|
|
|
#include <cctype>
|
2003-07-04 15:42:03 +00:00
|
|
|
|
2004-03-27 17:58:04 +00:00
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/stat.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
|
* Setuid support for sharing a Nix installation between multiple
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
|
|
|
#include <pwd.h>
|
|
|
|
#include <grp.h>
|
|
|
|
|
2003-07-04 15:42:03 +00:00
|
|
|
extern "C" {
|
|
|
|
#include <aterm2.h>
|
|
|
|
}
|
|
|
|
|
|
|
|
#include "globals.hh"
|
2005-01-31 21:20:59 +00:00
|
|
|
#include "gc.hh"
|
2006-03-01 16:36:35 +00:00
|
|
|
#include "store.hh"
|
2003-07-04 15:42:03 +00:00
|
|
|
#include "shared.hh"
|
|
|
|
|
|
|
|
#include "config.h"
|
|
|
|
|
|
|
|
|
2004-05-11 18:05:44 +00:00
|
|
|
volatile sig_atomic_t blockInt = 0;
|
|
|
|
|
|
|
|
|
2006-03-10 22:27:26 +00:00
|
|
|
static void sigintHandler(int signo)
|
2004-01-15 20:23:55 +00:00
|
|
|
{
|
2004-05-11 18:05:44 +00:00
|
|
|
if (!blockInt) {
|
|
|
|
_isInterrupted = 1;
|
|
|
|
blockInt = 1;
|
|
|
|
}
|
2004-01-15 20:23:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2005-02-01 12:36:25 +00:00
|
|
|
Path makeRootName(const Path & gcRoot, int & counter)
|
|
|
|
{
|
|
|
|
counter++;
|
|
|
|
if (counter == 1)
|
|
|
|
return gcRoot;
|
|
|
|
else
|
|
|
|
return (format("%1%-%2%") % gcRoot % counter).str();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void printGCWarning()
|
|
|
|
{
|
|
|
|
static bool warned = false;
|
|
|
|
if (!warned) {
|
|
|
|
printMsg(lvlInfo,
|
|
|
|
"warning: you did not specify `--add-root'; "
|
|
|
|
"the result might be removed by the garbage collector");
|
|
|
|
warned = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2006-03-10 22:27:26 +00:00
|
|
|
static void setLogType(string lt)
|
2004-03-22 20:53:49 +00:00
|
|
|
{
|
|
|
|
if (lt == "pretty") logType = ltPretty;
|
|
|
|
else if (lt == "escapes") logType = ltEscapes;
|
|
|
|
else if (lt == "flat") logType = ltFlat;
|
|
|
|
else throw UsageError("unknown log type");
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2005-01-31 21:20:59 +00:00
|
|
|
struct RemoveTempRoots
|
|
|
|
{
|
|
|
|
~RemoveTempRoots()
|
|
|
|
{
|
|
|
|
removeTempRoots();
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2005-01-19 16:39:47 +00:00
|
|
|
void initDerivationsHelpers();
|
2004-10-29 11:22:49 +00:00
|
|
|
|
|
|
|
|
2003-07-04 15:42:03 +00:00
|
|
|
/* Initialize and reorder arguments, then call the actual argument
|
|
|
|
processor. */
|
|
|
|
static void initAndRun(int argc, char * * argv)
|
|
|
|
{
|
2004-05-04 12:15:30 +00:00
|
|
|
string root = getEnv("NIX_ROOT");
|
|
|
|
if (root != "") {
|
|
|
|
if (chroot(root.c_str()) != 0)
|
2004-02-14 21:44:18 +00:00
|
|
|
throw SysError(format("changing root to `%1%'") % root);
|
|
|
|
}
|
|
|
|
|
2003-07-04 15:42:03 +00:00
|
|
|
/* Setup Nix paths. */
|
2005-01-28 13:19:16 +00:00
|
|
|
nixStore = canonPath(getEnv("NIX_STORE_DIR", getEnv("NIX_STORE", NIX_STORE_DIR)));
|
2005-01-14 13:51:38 +00:00
|
|
|
nixDataDir = canonPath(getEnv("NIX_DATA_DIR", NIX_DATA_DIR));
|
|
|
|
nixLogDir = canonPath(getEnv("NIX_LOG_DIR", NIX_LOG_DIR));
|
|
|
|
nixStateDir = canonPath(getEnv("NIX_STATE_DIR", NIX_STATE_DIR));
|
2004-05-04 12:15:30 +00:00
|
|
|
nixDBPath = getEnv("NIX_DB_DIR", nixStateDir + "/db");
|
2005-02-01 22:07:48 +00:00
|
|
|
nixConfDir = canonPath(getEnv("NIX_CONF_DIR", NIX_CONF_DIR));
|
2006-07-20 13:21:37 +00:00
|
|
|
nixLibexecDir = canonPath(getEnv("NIX_LIBEXEC_DIR", NIX_LIBEXEC_DIR));
|
2004-03-27 17:58:04 +00:00
|
|
|
|
2006-08-10 20:19:13 +00:00
|
|
|
/* Get some settings from the configuration file. */
|
2006-07-06 15:30:37 +00:00
|
|
|
thisSystem = querySetting("system", SYSTEM);
|
2006-08-10 20:19:13 +00:00
|
|
|
{
|
|
|
|
int n;
|
|
|
|
if (!string2Int(querySetting("build-max-jobs", "1"), n) || n < 0)
|
|
|
|
throw Error("invalid value for configuration setting `build-max-jobs'");
|
|
|
|
maxBuildJobs = n;
|
|
|
|
}
|
2006-07-06 15:30:37 +00:00
|
|
|
|
2004-01-15 20:23:55 +00:00
|
|
|
/* Catch SIGINT. */
|
|
|
|
struct sigaction act, oact;
|
|
|
|
act.sa_handler = sigintHandler;
|
|
|
|
sigfillset(&act.sa_mask);
|
|
|
|
act.sa_flags = 0;
|
|
|
|
if (sigaction(SIGINT, &act, &oact))
|
|
|
|
throw SysError("installing handler for SIGINT");
|
2005-11-04 15:34:09 +00:00
|
|
|
if (sigaction(SIGTERM, &act, &oact))
|
|
|
|
throw SysError("installing handler for SIGTERM");
|
|
|
|
if (sigaction(SIGHUP, &act, &oact))
|
|
|
|
throw SysError("installing handler for SIGHUP");
|
2004-01-15 20:23:55 +00:00
|
|
|
|
2004-05-13 19:14:49 +00:00
|
|
|
/* Ignore SIGPIPE. */
|
|
|
|
act.sa_handler = SIG_IGN;
|
|
|
|
act.sa_flags = 0;
|
|
|
|
if (sigaction(SIGPIPE, &act, &oact))
|
|
|
|
throw SysError("ignoring SIGPIPE");
|
|
|
|
|
2004-09-09 14:16:02 +00:00
|
|
|
/* There is no privacy in the Nix system ;-) At least not for
|
|
|
|
now. In particular, store objects should be readable by
|
|
|
|
everybody. This prevents nasty surprises when using a shared
|
|
|
|
store (with the setuid() hack). */
|
|
|
|
umask(0022);
|
|
|
|
|
2004-03-22 20:53:49 +00:00
|
|
|
/* Process the NIX_LOG_TYPE environment variable. */
|
2004-05-04 12:15:30 +00:00
|
|
|
string lt = getEnv("NIX_LOG_TYPE");
|
|
|
|
if (lt != "") setLogType(lt);
|
2004-03-22 20:53:49 +00:00
|
|
|
|
2004-10-29 11:22:49 +00:00
|
|
|
/* ATerm stuff. !!! find a better place to put this */
|
2005-01-19 16:39:47 +00:00
|
|
|
initDerivationsHelpers();
|
2004-10-29 11:22:49 +00:00
|
|
|
|
2003-07-04 15:42:03 +00:00
|
|
|
/* Put the arguments in a vector. */
|
2003-12-01 15:55:05 +00:00
|
|
|
Strings args, remaining;
|
2003-07-04 15:42:03 +00:00
|
|
|
while (argc--) args.push_back(*argv++);
|
|
|
|
args.erase(args.begin());
|
|
|
|
|
2003-11-03 18:21:53 +00:00
|
|
|
/* Expand compound dash options (i.e., `-qlf' -> `-q -l -f'), and
|
|
|
|
ignore options for the ATerm library. */
|
2003-12-01 15:55:05 +00:00
|
|
|
for (Strings::iterator i = args.begin(); i != args.end(); ++i) {
|
|
|
|
string arg = *i;
|
|
|
|
if (string(arg, 0, 4) == "-at-") ;
|
2003-11-03 18:21:53 +00:00
|
|
|
else if (arg.length() > 2 && arg[0] == '-' && arg[1] != '-') {
|
2003-12-01 15:55:05 +00:00
|
|
|
for (unsigned int j = 1; j < arg.length(); j++)
|
|
|
|
if (isalpha(arg[j]))
|
|
|
|
remaining.push_back((string) "-" + arg[j]);
|
2003-07-24 08:53:43 +00:00
|
|
|
else {
|
2003-12-01 15:55:05 +00:00
|
|
|
remaining.push_back(string(arg, j));
|
2003-07-24 08:53:43 +00:00
|
|
|
break;
|
|
|
|
}
|
2003-12-01 15:55:05 +00:00
|
|
|
} else remaining.push_back(arg);
|
2003-07-04 15:42:03 +00:00
|
|
|
}
|
2003-12-01 15:55:05 +00:00
|
|
|
args = remaining;
|
|
|
|
remaining.clear();
|
2003-07-04 15:42:03 +00:00
|
|
|
|
2003-12-01 15:55:05 +00:00
|
|
|
/* Process default options. */
|
|
|
|
for (Strings::iterator i = args.begin(); i != args.end(); ++i) {
|
|
|
|
string arg = *i;
|
|
|
|
if (arg == "--verbose" || arg == "-v")
|
|
|
|
verbosity = (Verbosity) ((int) verbosity + 1);
|
2004-03-22 20:53:49 +00:00
|
|
|
else if (arg == "--log-type") {
|
|
|
|
++i;
|
|
|
|
if (i == args.end()) throw UsageError("`--log-type' requires an argument");
|
|
|
|
setLogType(*i);
|
2004-05-12 14:20:32 +00:00
|
|
|
}
|
|
|
|
else if (arg == "--build-output" || arg == "-B")
|
2004-08-18 12:19:06 +00:00
|
|
|
; /* !!! obsolete - remove eventually */
|
|
|
|
else if (arg == "--no-build-output" || arg == "-Q")
|
|
|
|
buildVerbosity = lvlVomit;
|
2003-12-01 15:55:05 +00:00
|
|
|
else if (arg == "--help") {
|
|
|
|
printHelp();
|
|
|
|
return;
|
2004-05-12 14:20:32 +00:00
|
|
|
}
|
|
|
|
else if (arg == "--version") {
|
2004-02-02 10:51:54 +00:00
|
|
|
cout << format("%1% (Nix) %2%") % programId % NIX_VERSION << endl;
|
|
|
|
return;
|
2004-05-12 14:20:32 +00:00
|
|
|
}
|
|
|
|
else if (arg == "--keep-failed" || arg == "-K")
|
2003-12-01 15:55:05 +00:00
|
|
|
keepFailed = true;
|
2004-06-25 15:36:09 +00:00
|
|
|
else if (arg == "--keep-going" || arg == "-k")
|
|
|
|
keepGoing = true;
|
2004-06-28 10:42:57 +00:00
|
|
|
else if (arg == "--fallback")
|
|
|
|
tryFallback = true;
|
2004-05-12 14:20:32 +00:00
|
|
|
else if (arg == "--max-jobs" || arg == "-j") {
|
|
|
|
++i;
|
|
|
|
if (i == args.end()) throw UsageError("`--max-jobs' requires an argument");
|
|
|
|
int n;
|
2004-09-10 13:32:08 +00:00
|
|
|
if (!string2Int(*i, n) || n < 0)
|
2004-05-12 14:20:32 +00:00
|
|
|
throw UsageError(format("`--max-jobs' requires a non-negative integer"));
|
|
|
|
maxBuildJobs = n;
|
|
|
|
}
|
2004-10-25 14:38:23 +00:00
|
|
|
else if (arg == "--readonly-mode")
|
|
|
|
readOnlyMode = true;
|
2003-12-01 15:55:05 +00:00
|
|
|
else remaining.push_back(arg);
|
|
|
|
}
|
|
|
|
|
2005-01-31 21:20:59 +00:00
|
|
|
/* Automatically clean up the temporary roots file when we
|
|
|
|
exit. */
|
2005-02-01 12:36:25 +00:00
|
|
|
RemoveTempRoots removeTempRoots; /* unused variable - don't remove */
|
2005-01-31 21:20:59 +00:00
|
|
|
|
2003-12-01 15:55:05 +00:00
|
|
|
run(remaining);
|
2006-03-01 16:36:35 +00:00
|
|
|
|
|
|
|
closeDB(); /* it's fine if the DB isn't actually open */
|
2003-07-04 15:42:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2004-09-09 21:12:53 +00:00
|
|
|
static bool haveSwitched;
|
|
|
|
static uid_t savedUid, nixUid;
|
|
|
|
static gid_t savedGid, nixGid;
|
|
|
|
|
|
|
|
|
|
|
|
#if HAVE_SETRESUID
|
|
|
|
#define _setuid(uid) setresuid(uid, uid, savedUid)
|
|
|
|
#define _setgid(gid) setresgid(gid, gid, savedGid)
|
2004-08-20 15:22:33 +00:00
|
|
|
#else
|
|
|
|
/* Only works properly when run by root. */
|
|
|
|
#define _setuid(uid) setuid(uid)
|
|
|
|
#define _setgid(gid) setgid(gid)
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
2004-09-09 21:12:53 +00:00
|
|
|
SwitchToOriginalUser::SwitchToOriginalUser()
|
|
|
|
{
|
|
|
|
#if SETUID_HACK && HAVE_SETRESUID
|
|
|
|
/* Temporarily switch the effective uid/gid back to the saved
|
|
|
|
uid/gid (which is the uid/gid of the user that executed the Nix
|
|
|
|
program; it's *not* the real uid/gid, since we changed that to
|
|
|
|
the Nix user in switchToNixUser()). */
|
|
|
|
if (haveSwitched) {
|
|
|
|
if (setuid(savedUid) == -1)
|
|
|
|
throw SysError(format("temporarily restoring uid to `%1%'") % savedUid);
|
|
|
|
if (setgid(savedGid) == -1)
|
|
|
|
throw SysError(format("temporarily restoring gid to `%1%'") % savedGid);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
SwitchToOriginalUser::~SwitchToOriginalUser()
|
|
|
|
{
|
|
|
|
#if SETUID_HACK && HAVE_SETRESUID
|
|
|
|
/* Switch the effective uid/gid back to the Nix user. */
|
|
|
|
if (haveSwitched) {
|
|
|
|
if (setuid(nixUid) == -1)
|
|
|
|
throw SysError(format("restoring uid to `%1%'") % nixUid);
|
|
|
|
if (setgid(nixGid) == -1)
|
|
|
|
throw SysError(format("restoring gid to `%1%'") % nixGid);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
|
* Setuid support for sharing a Nix installation between multiple
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
|
|
|
void switchToNixUser()
|
|
|
|
{
|
|
|
|
#if SETUID_HACK
|
|
|
|
|
2004-08-20 15:31:46 +00:00
|
|
|
/* Don't do anything if this is not a setuid binary. */
|
2004-08-20 15:47:58 +00:00
|
|
|
if (getuid() == geteuid() && getgid() == getegid()) return;
|
2004-08-20 15:31:46 +00:00
|
|
|
|
* Setuid support for sharing a Nix installation between multiple
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
|
|
|
/* Here we set the uid and gid to the Nix user and group,
|
|
|
|
respectively, IF the current (real) user is a member of the Nix
|
|
|
|
group. Otherwise we just drop all privileges. */
|
|
|
|
|
|
|
|
/* Lookup the Nix gid. */
|
|
|
|
struct group * gr = getgrnam(NIX_GROUP);
|
|
|
|
if (!gr) {
|
|
|
|
cerr << format("missing group `%1%'\n") % NIX_GROUP;
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Get the supplementary group IDs for the current user. */
|
|
|
|
int maxGids = 512, nrGids;
|
|
|
|
gid_t gids[maxGids];
|
|
|
|
if ((nrGids = getgroups(maxGids, gids)) == -1) {
|
|
|
|
cerr << format("unable to query gids\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
2004-08-20 15:22:33 +00:00
|
|
|
/* !!! Apparently it is unspecified whether getgroups() includes
|
|
|
|
the effective gid. In that case the following test is always
|
|
|
|
true *if* the program is installed setgid (which we do when we
|
2004-09-09 21:12:53 +00:00
|
|
|
have setresuid()). On Linux this doesn't appear to be the
|
2004-08-20 15:22:33 +00:00
|
|
|
case, but we should switch to the real gid before doing this
|
|
|
|
test, and then switch back to the saved gid. */
|
|
|
|
|
* Setuid support for sharing a Nix installation between multiple
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
|
|
|
/* Check that the current user is a member of the Nix group. */
|
|
|
|
bool found = false;
|
|
|
|
for (int i = 0; i < nrGids; ++i)
|
|
|
|
if (gids[i] == gr->gr_gid) {
|
|
|
|
found = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!found) {
|
|
|
|
/* Not in the Nix group - drop all root/Nix privileges. */
|
2004-08-20 15:22:33 +00:00
|
|
|
_setgid(getgid());
|
|
|
|
_setuid(getuid());
|
* Setuid support for sharing a Nix installation between multiple
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2004-09-09 21:12:53 +00:00
|
|
|
savedUid = getuid();
|
|
|
|
savedGid = getgid();
|
|
|
|
|
* Setuid support for sharing a Nix installation between multiple
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
|
|
|
/* Set the real, effective and saved gids to gr->gr_gid. Also
|
|
|
|
make very sure that this succeeded. We switch the gid first
|
|
|
|
because we cannot do it after we have dropped root uid. */
|
2004-09-09 21:12:53 +00:00
|
|
|
nixGid = gr->gr_gid;
|
|
|
|
if (_setgid(nixGid) != 0 || getgid() != nixGid || getegid() != nixGid) {
|
* Setuid support for sharing a Nix installation between multiple
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
|
|
|
cerr << format("unable to set gid to `%1%'\n") % NIX_GROUP;
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Lookup the Nix uid. */
|
|
|
|
struct passwd * pw = getpwnam(NIX_USER);
|
|
|
|
if (!pw) {
|
|
|
|
cerr << format("missing user `%1%'\n") % NIX_USER;
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* This will drop all root privileges, setting the real, effective
|
|
|
|
and saved uids to pw->pw_uid. Also make very sure that this
|
|
|
|
succeeded.*/
|
2004-09-09 21:12:53 +00:00
|
|
|
nixUid = pw->pw_uid;
|
|
|
|
if (_setuid(nixUid) != 0 || getuid() != nixUid || geteuid() != nixUid) {
|
* Setuid support for sharing a Nix installation between multiple
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
|
|
|
cerr << format("unable to set uid to `%1%'\n") % NIX_USER;
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
2005-10-17 15:33:24 +00:00
|
|
|
/* !!! for setuid operation, we should: 1) wipe the environment;
|
|
|
|
2) verify file descriptors 0, 1, 2; 3) etc.
|
|
|
|
See: http://www.daemon-systems.org/man/setuid.7.html
|
|
|
|
*/
|
|
|
|
|
2004-09-09 21:12:53 +00:00
|
|
|
haveSwitched = true;
|
|
|
|
|
* Setuid support for sharing a Nix installation between multiple
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2003-10-16 16:29:57 +00:00
|
|
|
static char buf[1024];
|
|
|
|
|
2003-07-04 15:42:03 +00:00
|
|
|
int main(int argc, char * * argv)
|
|
|
|
{
|
* Setuid support for sharing a Nix installation between multiple
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
|
|
|
/* If we are setuid root, we have to get rid of the excess
|
|
|
|
privileges ASAP. */
|
|
|
|
switchToNixUser();
|
|
|
|
|
2003-07-04 15:42:03 +00:00
|
|
|
/* ATerm setup. */
|
|
|
|
ATerm bottomOfStack;
|
|
|
|
ATinit(argc, argv, &bottomOfStack);
|
|
|
|
|
2003-10-16 11:55:37 +00:00
|
|
|
/* Turn on buffering for cerr. */
|
2003-12-22 16:40:46 +00:00
|
|
|
#if HAVE_PUBSETBUF
|
2003-10-16 11:55:37 +00:00
|
|
|
cerr.rdbuf()->pubsetbuf(buf, sizeof(buf));
|
2003-12-22 16:40:46 +00:00
|
|
|
#endif
|
2003-10-16 11:55:37 +00:00
|
|
|
|
2003-07-04 15:42:03 +00:00
|
|
|
try {
|
2004-05-11 18:05:44 +00:00
|
|
|
try {
|
|
|
|
initAndRun(argc, argv);
|
|
|
|
} catch (...) {
|
|
|
|
/* Subtle: we have to make sure that any `interrupted'
|
|
|
|
condition is discharged before we reach printMsg()
|
|
|
|
below, since otherwise it will throw an (uncaught)
|
|
|
|
exception. */
|
|
|
|
blockInt = 1; /* ignore further SIGINTs */
|
|
|
|
_isInterrupted = 0;
|
|
|
|
throw;
|
|
|
|
}
|
2003-07-04 15:42:03 +00:00
|
|
|
} catch (UsageError & e) {
|
2003-11-09 10:35:45 +00:00
|
|
|
printMsg(lvlError,
|
2003-07-24 08:53:43 +00:00
|
|
|
format(
|
|
|
|
"error: %1%\n"
|
|
|
|
"Try `%2% --help' for more information.")
|
|
|
|
% e.what() % programId);
|
2003-07-04 15:42:03 +00:00
|
|
|
return 1;
|
2003-07-07 09:25:26 +00:00
|
|
|
} catch (Error & e) {
|
2003-11-09 10:35:45 +00:00
|
|
|
printMsg(lvlError, format("error: %1%") % e.msg());
|
2003-07-07 09:25:26 +00:00
|
|
|
return 1;
|
2003-07-04 15:42:03 +00:00
|
|
|
} catch (exception & e) {
|
2003-11-09 10:35:45 +00:00
|
|
|
printMsg(lvlError, format("error: %1%") % e.what());
|
2003-07-04 15:42:03 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|