
Commit f5d2db7

committed
install: Verify we're root
This came up in chat. The error message right now is pretty obscure: we fail in `chcon`, which might make you think something is wrong with SELinux. Signed-off-by: Colin Walters <[email protected]>
1 parent c194a40 commit f5d2db7

3 files changed

+17
-1
lines changed


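--- a/lib/Cargo.toml
+++ b/lib/Cargo.toml
@@ -24,6 +24,7 @@ once_cell = "1.9"
 openssl = "^0.10"
 nix = ">= 0.24, < 0.26"
 regex = "1.7.1"
+rustix = { "version" = "0.36", features = ["thread"] }
 serde = { features = ["derive"], version = "1.0.125" }
 serde_json = "1.0.64"
 serde_with = ">= 1.9.4, < 2"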
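Review bot: The new `rustix` entry quotes its `version` key (`rustix = { "version" = "0.36", features = ["thread"] }`), which is valid TOML but inconsistent with the other inline tables in this file such as `serde = { features = ["derive"], version = "1.0.125" }`; `rustix = { version = "0.36", features = ["thread"] }` matches them. The code added in the same commit imports rustix as `cap_std_ext::rustix` rather than through this direct dependency, so the `thread` feature enabled here only reaches that path via cargo feature unification, which presumably requires cap-std-ext to resolve to the same rustix 0.36 line; worth confirming, or importing `rustix` directly so the dependency and the feature are tied to the same crate.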

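--- a/lib/src/cli.rs
+++ b/lib/src/cli.rs
@@ -4,6 +4,7 @@
 
 use anyhow::{Context, Result};
 use camino::Utf8PathBuf;
+use cap_std_ext::rustix;
 use clap::Parser;
 use fn_error_context::context;
 use ostree::{gio, glib};
@@ -124,7 +125,7 @@ pub(crate) enum Opt {
 /// we can depend on a new enough ostree
 #[context("Ensuring mountns")]
 pub(crate) async fn ensure_self_unshared_mount_namespace() -> Result<()> {
-let uid = cap_std_ext::rustix::process::getuid();
+let uid = rustix::process::getuid();
 if !uid.is_root() {
 tracing::debug!("Not root, assuming no need to unshare");
 return Ok(());
@@ -224,6 +225,18 @@ async fn stage(
 Ok(())
 }
 
+#[context("Querying root privilege")]
+pub(crate) fn require_root() -> Result<()> {
+let uid = rustix::process::getuid();
+if !uid.is_root() {
+anyhow::bail!("This command requires root privileges");
+}
+if !rustix::thread::is_in_capability_bounding_set(rustix::thread::Capability::SystemAdmin)? {
+anyhow::bail!("This command requires full root privileges (CAP_SYS_ADMIN)");
+}
+Ok(())
+}
+
 /// A few process changes that need to be made for writing.
 #[context("Preparing for write")]
 async fn prepare_for_write() -> Result<()> {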
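Review bot: `require_root` tests CAP_SYS_ADMIN against the capability bounding set, which is a ceiling on what the process may ever hold rather than what it currently holds in its effective set; a uid-0 process that has had CAP_SYS_ADMIN removed from its permitted/effective set while the bounding set still contains it passes here and still fails later at the privileged operation, so the check is an early diagnostic, not a guarantee. The function also has no doc comment; a `///` line above `#[context("Querying root privilege")]` such as `/// Fail early with a clear error unless we are uid 0 and CAP_SYS_ADMIN is in the bounding set (the usual symptom of an unprivileged container); this does not inspect the effective set.` would make both the intent and the limitation visible to callers. Note too that `rustix::process::getuid()` returns the real uid, so a process that is root only via its effective uid is rejected; if that is intended it is worth stating in the same comment.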

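--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -580,6 +580,8 @@ async fn prepare_install(
 config_opts: InstallConfigOpts,
 target_opts: InstallTargetOpts,
 ) -> Result<Arc<State>> {
+// We need full root privileges, i.e. --privileged in podman
+crate::cli::require_root()?;
 // We require --pid=host
 let pid = std::fs::read_link("/proc/1/exe").context("reading /proc/1/exe")?;
 let pid = pid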
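Review bot: The comment above the new call, `// We need full root privileges, i.e. --privileged in podman`, names one way to satisfy the check but not what is actually checked; `require_root` in cli.rs rejects anything other than uid 0 with CAP_SYS_ADMIN in the bounding set, which a narrower `--cap-add=SYS_ADMIN` presumably also satisfies. Something like `// Fail early unless we are uid 0 with CAP_SYS_ADMIN in the bounding set (e.g. podman --privileged); otherwise later steps such as chcon fail with a confusing error` ties the comment to the actual check and to the motivation given in the commit message. prepare_install's signature starts outside the hunk and its body continues past it.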
