Merge pull request #66 from cgwalters/require-root

install: Verify we're root

Author: jmarrero

lib/Cargo.toml

@@ -24,6 +24,7 @@ once_cell = "1.9"
 openssl = "^0.10"
 nix = ">= 0.24, < 0.26"
 regex = "1.7.1"
+rustix = { "version" = "0.36", features = ["thread"] }
 serde = { features = ["derive"], version = "1.0.125" }
 serde_json = "1.0.64"
 serde_with = ">= 1.9.4, < 2"

lib/src/cli.rs

@@ -4,6 +4,7 @@
 
 use anyhow::{Context, Result};
 use camino::Utf8PathBuf;
+use cap_std_ext::rustix;
 use clap::Parser;
 use fn_error_context::context;
 use ostree::{gio, glib};
@@ -124,7 +125,7 @@ pub(crate) enum Opt {
 /// we can depend on a new enough ostree
 #[context("Ensuring mountns")]
 pub(crate) async fn ensure_self_unshared_mount_namespace() -> Result<()> {
-    let uid = cap_std_ext::rustix::process::getuid();
+    let uid = rustix::process::getuid();
     if !uid.is_root() {
         tracing::debug!("Not root, assuming no need to unshare");
         return Ok(());
@@ -224,6 +225,18 @@ async fn stage(
     Ok(())
 }
 
+#[context("Querying root privilege")]
+pub(crate) fn require_root() -> Result<()> {
+    let uid = rustix::process::getuid();
+    if !uid.is_root() {
+        anyhow::bail!("This command requires root privileges");
+    }
+    if !rustix::thread::is_in_capability_bounding_set(rustix::thread::Capability::SystemAdmin)? {
+        anyhow::bail!("This command requires full root privileges (CAP_SYS_ADMIN)");
+    }
+    Ok(())
+}
+
 /// A few process changes that need to be made for writing.
 #[context("Preparing for write")]
 async fn prepare_for_write() -> Result<()> {

lib/src/install.rs

@@ -580,6 +580,8 @@ async fn prepare_install(
     config_opts: InstallConfigOpts,
     target_opts: InstallTargetOpts,
 ) -> Result<Arc<State>> {
+    // We need full root privileges, i.e. --privileged in podman
+    crate::cli::require_root()?;
     // We require --pid=host
     let pid = std::fs::read_link("/proc/1/exe").context("reading /proc/1/exe")?;
     let pid = pid