Merge pull request #241 from cgwalters/require-privileges

cgwalters · web-flow · commit 95ccd5cd89f2 · 2023-12-20T10:27:33.000-05:00
cli: Explicitly require root privileges
diff --git a/lib/src/cli.rs b/lib/src/cli.rs
@@ -245,6 +245,7 @@ pub(crate) fn require_root() -> Result<()> {
 /// A few process changes that need to be made for writing.
 #[context("Preparing for write")]
 pub(crate) async fn prepare_for_write() -> Result<()> {
+    crate::cli::require_root()?;
     if ostree_ext::container_utils::is_ostree_container()? {
         anyhow::bail!(
             "Detected container (ostree base); this command requires a booted host system."
diff --git a/lib/src/privtests.rs b/lib/src/privtests.rs
@@ -104,13 +104,24 @@ pub(crate) fn impl_run_container() -> Result<()> {
     let sh = Shell::new()?;
     let host: Host = serde_yaml::from_str(&cmd!(sh, "bootc status").read()?)?;
     assert!(host.status.is_container);
+    println!("ok status");
+
     for c in ["upgrade", "update"] {
         let o = Command::new("bootc").arg(c).output()?;
         let st = o.status;
         assert!(!st.success());
         let stderr = String::from_utf8(o.stderr)?;
-        assert!(stderr.contains("this command requires a booted host system"));
+        assert!(stderr.contains("This command requires full root privileges"));
     }
+    println!("ok upgrade/update are errors in container");
+
+    let o = Command::new("runuser")
+        .args(["-u", "bin", "bootc", "upgrade"])
+        .output()?;
+    assert!(!o.status.success());
+    let stderr = String::from_utf8(o.stderr)?;
+    assert!(stderr.contains("requires root privileges"));
+
     println!("ok container integration testing");
     Ok(())
 }
diff --git a/lib/src/status.rs b/lib/src/status.rs
@@ -261,6 +261,7 @@ pub(crate) fn get_status(
 }
 
 /// Implementation of the `bootc status` CLI command.
+#[context("Status")]
 pub(crate) async fn status(opts: super::cli::StatusOpts) -> Result<()> {
     let host = if ostree_ext::container_utils::is_ostree_container()? {
         let status = HostStatus {
@@ -271,6 +272,7 @@ pub(crate) async fn status(opts: super::cli::StatusOpts) -> Result<()> {
         r.status = status;
         r
     } else {
+        crate::cli::require_root()?;
         let sysroot = super::cli::get_locked_sysroot().await?;
         let booted_deployment = sysroot.booted_deployment();
         let (_deployments, host) = get_status(&sysroot, booted_deployment.as_ref())?;

Original file line number	Diff line number	Diff line change
`@@ -261,6 +261,7 @@ pub(crate) fn get_status(`
`261`	`261`	`}`
`262`	`262`
`263`	`263`	/// Implementation of the `bootc status` CLI command.
	`264`	`+#[context("Status")]`
`264`	`265`	`pub(crate) async fn status(opts: super::cli::StatusOpts) -> Result<()> {`
`265`	`266`	`let host = if ostree_ext::container_utils::is_ostree_container()? {`
`266`	`267`	`let status = HostStatus {`
`@@ -271,6 +272,7 @@ pub(crate) async fn status(opts: super::cli::StatusOpts) -> Result<()> {`
`271`	`272`	`r.status = status;`
`272`	`273`	`r`
`273`	`274`	`} else {`
	`275`	`+ crate::cli::require_root()?;`
`274`	`276`	`let sysroot = super::cli::get_locked_sysroot().await?;`
`275`	`277`	`let booted_deployment = sysroot.booted_deployment();`
`276`	`278`	`let (_deployments, host) = get_status(&sysroot, booted_deployment.as_ref())?;`