
Commit 6d48efc

committed
better error handling
1 parent db3652e commit 6d48efc


2 files changed

+50
-46
lines changed


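--- a/network/linux.go
+++ b/network/linux.go
@@ -100,8 +100,10 @@ func (l *LinuxJail) Execute(command []string, extraEnv map[string]string) error
 }
 
 // When running under sudo, restore essential user environment variables
-if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
-if user, err := user.Lookup(sudoUser); err == nil {
+sudoUser := os.Getenv("SUDO_USER")
+if sudoUser != "" {
+user, err := user.Lookup(sudoUser)
+if err == nil {
 // Set HOME to original user's home directory
 env = append(env, fmt.Sprintf("HOME=%s", user.HomeDir))
 // Set USER to original username
@@ -118,31 +120,32 @@ func (l *LinuxJail) Execute(command []string, extraEnv map[string]string) error
 cmd.Stderr = os.Stderr
 
 // Drop privileges to original user if running under sudo
-if sudoUID := os.Getenv("SUDO_UID"); sudoUID != "" {
-if sudoGID := os.Getenv("SUDO_GID"); sudoGID != "" {
-uid, err := strconv.Atoi(sudoUID)
-if err != nil {
-l.logger.Warn("Invalid SUDO_UID, subprocess will run as root", "sudo_uid", sudoUID, "error", err)
-} else {
-gid, err := strconv.Atoi(sudoGID)
-if err != nil {
-l.logger.Warn("Invalid SUDO_GID, subprocess will run as root", "sudo_gid", sudoGID, "error", err)
-} else {
-cmd.SysProcAttr = &syscall.SysProcAttr{
-Credential: &syscall.Credential{
-Uid: uint32(uid),
-Gid: uint32(gid),
-},
-}
-l.logger.Debug("Dropping privileges to original user", "uid", uid, "gid", gid)
-}
-}
+var gid, uid int
+var err error
+sudoUID := os.Getenv("SUDO_UID")
+if sudoUID != "" {
+uid, err = strconv.Atoi(sudoUID)
+if err != nil {
+l.logger.Warn("Invalid SUDO_UID, subprocess will run as root", "sudo_uid", sudoUID, "error", err)
+}
+}
+sudoGID := os.Getenv("SUDO_GID")
+if sudoGID != "" {
+gid, err = strconv.Atoi(sudoGID)
+if err != nil {
+l.logger.Warn("Invalid SUDO_GID, subprocess will run as root", "sudo_gid", sudoGID, "error", err)
 }
 }
+cmd.SysProcAttr = &syscall.SysProcAttr{
+Credential: &syscall.Credential{
+Uid: uint32(uid),
+Gid: uint32(gid),
+},
+}
 
 // Start command
 l.logger.Debug("Starting command", "path", cmd.Path, "args", cmd.Args)
-err := cmd.Start()
+err = cmd.Start()
 if err != nil {
 return fmt.Errorf("failed to start command: %v", err)
 }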
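Review bot: The `cmd.SysProcAttr` assignment after the SUDO_GID block is now unconditional, so if either SUDO_UID or SUDO_GID is missing or fails to parse, that field stays 0 and the subprocess keeps uid 0 or gid 0 while only the other ID is dropped. The removed code built the Credential only when both values parsed, and the "subprocess will run as root" warnings no longer describe this mixed state. With neither variable set, an explicit 0/0 Credential is still requested, which would likely make `cmd.Start` fail for a caller that is not already root. `strconv.Atoi` followed by `uint32(...)` also lets negative or oversized values wrap instead of being rejected. I would set the Credential only when both IDs parse as 32-bit unsigned values and return an error otherwise, as sketched below; Execute's body starts and ends outside these hunks.

```go
// … unchanged: command setup and stdio wiring; keep `var err error` for cmd.Start …
// Drop privileges only when both IDs are present and valid; never fall back to 0.
sudoUID, sudoGID := os.Getenv("SUDO_UID"), os.Getenv("SUDO_GID")
if sudoUID != "" && sudoGID != "" {
	uid, uidErr := strconv.ParseUint(sudoUID, 10, 32)
	gid, gidErr := strconv.ParseUint(sudoGID, 10, 32)
	if uidErr != nil || gidErr != nil {
		return fmt.Errorf("invalid SUDO_UID %q or SUDO_GID %q, refusing to run subprocess as root", sudoUID, sudoGID)
	}
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Credential: &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)},
	}
	l.logger.Debug("Dropping privileges to original user", "uid", uid, "gid", gid)
}
// … unchanged: start command and error return …
```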

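--- a/network/macos.go
+++ b/network/macos.go
@@ -86,8 +86,10 @@ func (m *MacOSNetJail) Execute(command []string, extraEnv map[string]string) err
 }
 
 // When running under sudo, restore essential user environment variables
-if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
-if user, err := user.Lookup(sudoUser); err == nil {
+sudoUser := os.Getenv("SUDO_USER")
+if sudoUser != "" {
+user, err := user.Lookup(sudoUser)
+if err == nil {
 // Set HOME to original user's home directory
 env = append(env, fmt.Sprintf("HOME=%s", user.HomeDir))
 // Set USER to original username
@@ -103,29 +105,28 @@ func (m *MacOSNetJail) Execute(command []string, extraEnv map[string]string) err
 cmd.Stderr = os.Stderr
 cmd.Stdin = os.Stdin
 
+// Set group ID using syscall
+cmd.SysProcAttr = &syscall.SysProcAttr{
+Credential: &syscall.Credential{
+Gid: uint32(m.groupID),
+},
+}
+
 // Drop privileges to original user if running under sudo
-if sudoUID := os.Getenv("SUDO_UID"); sudoUID != "" {
-if sudoGID := os.Getenv("SUDO_GID"); sudoGID != "" {
-uid, err := strconv.Atoi(sudoUID)
-if err != nil {
-m.logger.Warn("Invalid SUDO_UID, subprocess will run as root", "sudo_uid", sudoUID, "error", err)
-} else {
-// Use original user ID but KEEP the jail group for network isolation
-cmd.SysProcAttr = &syscall.SysProcAttr{
-Credential: &syscall.Credential{
-Uid: uint32(uid),
-Gid: uint32(m.groupID), // Keep jail group, not original user's group
-},
+sudoUID := os.Getenv("SUDO_UID")
+if sudoUID != "" {
+uid, err := strconv.Atoi(sudoUID)
+if err != nil {
+m.logger.Warn("Invalid SUDO_UID, subprocess will run as root", "sudo_uid", sudoUID, "error", err)
+} else {
+// Use original user ID but KEEP the jail group for network isolation
+cmd.SysProcAttr = &syscall.SysProcAttr{
+Credential: &syscall.Credential{
+Uid: uint32(uid),
+Gid: uint32(m.groupID), // Keep jail group, not original user's group
+},
 }
-}
-} else {
-// Set group ID using syscall (original behavior for non-sudo)
-cmd.SysProcAttr = &syscall.SysProcAttr{
-Credential: &syscall.Credential{
-Gid: uint32(m.groupID),
-},
+m.logger.Debug("Dropping privileges to original user with jail group", "uid", uid, "jail_gid", m.groupID)
 }
 }
 
@@ -367,4 +368,4 @@ func (m *MacOSNetJail) cleanupTempFiles() {
 if m.mainRulesPath != "" {
 os.Remove(m.mainRulesPath)
 }
-}
+}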
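Review bot: In the new SUDO_UID block, `strconv.Atoi(sudoUID)` followed by `Uid: uint32(uid)` accepts negative or larger-than-32-bit values, which wrap in the conversion (possibly to 0) instead of reaching the warning branch; `uid, err := strconv.ParseUint(sudoUID, 10, 32)` would reject them there. Setting the jail group before this block is a real improvement, since an invalid SUDO_UID no longer leaves `cmd.SysProcAttr` unset. That branch still only logs and lets the subprocess run as root inside the jail group, so consider returning an error from Execute at that point. Execute's body starts and ends outside these hunks.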
