From 28692982f53025bc6e179dbdc04140db7fe67c1b Mon Sep 17 00:00:00 2001 From: Fred Sundvik Date: Tue, 15 Mar 2022 12:05:18 +0200 Subject: [PATCH] Allow failing when dropping privileges inside container Some programs like GDB launces a shell without additional privileges, so dropping the privileges can fail. In order to fix that allow failures when already running inside a container.
---
 distrod/distrod-exec/src/main.rs | 2 +- distrod/libs/src/passwd.rs | 17 ++++++++--------- 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/distrod/distrod-exec/src/main.rs b/distrod/distrod-exec/src/main.rs
index 3a5b491..9f9b29b 100644
--- a/distrod/distrod-exec/src/main.rs
+++ b/distrod/distrod-exec/src/main.rs
@@ -78,7 +78,7 @@ where
 {
 log::debug!("distrod-exec: exec_command");
 let cred = get_real_credential().with_context(|| "Failed to get the real credential.")?;
- cred.drop_privilege();
+ let _ = cred.try_drop_privilege();
 let path = CString::new(command.as_ref().as_os_str().as_bytes()).with_context(|| {
 format!(
diff --git a/distrod/libs/src/passwd.rs b/distrod/libs/src/passwd.rs
index 34d2d5e..cbb38fd 100644
--- a/distrod/libs/src/passwd.rs
+++ b/distrod/libs/src/passwd.rs
@@ -68,18 +68,17 @@ impl Credential {
 })
 }
- pub fn drop_privilege(&self) {
- let inner = || -> Result<()> {
- nix::unistd::setgroups(&self.groups)?;
- nix::unistd::setresgid(self.gid, self.gid, self.gid)?;
- nix::unistd::setresuid(self.uid, self.uid, self.uid)?;
+ pub fn try_drop_privilege(&self) -> Result<(), nix::Error> {
+ nix::unistd::setgroups(&self.groups)
+ .and(nix::unistd::setresgid(self.gid, self.gid, self.gid))
+ .and(nix::unistd::setresuid(self.uid, self.uid, self.uid))
+ }
- Ok(())
- };
- if inner().is_err() {
+ pub fn drop_privilege(&self) {
+ if self.try_drop_privilege().is_err() {
 log::error!("Failed to drop_privilege. Aborting.");
 std::process::exit(1);
- }
+ };
 }
 }
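Review bot: `let _ = cred.try_drop_privilege();` in exec_command discards every failure, although the commit message only intends to tolerate the case where the process is already unprivileged inside a container. If distrod-exec is ever started with elevated privileges and one of the set*id calls fails for another reason, the command is exec'd with those privileges and nothing is logged. The failure should be accepted only after confirming the effective uid and gid already match the real credential, and otherwise returned as an error. The sketch below assumes `cred.uid` and `cred.gid` are readable from this crate and does not verify supplementary groups. exec_command starts and ends outside the hunk.

```rust
let cred = get_real_credential().with_context(|| "Failed to get the real credential.")?;
if let Err(e) = cred.try_drop_privilege() {
    // Tolerate the failure only when there is nothing left to drop.
    let already_dropped =
        nix::unistd::geteuid() == cred.uid && nix::unistd::getegid() == cred.gid;
    if !already_dropped {
        return Err(e).with_context(|| "Failed to drop privileges before exec.");
    }
    log::debug!("distrod-exec: privileges were already dropped: {}", e);
}
// … unchanged: CString path construction and exec …
```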
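Review bot: `Result::and` evaluates its argument eagerly, so in try_drop_privilege the `setresgid` and `setresuid` calls now run even when `setgroups` has already failed, whereas the removed closure stopped at the first error with `?`. The process can therefore end up with uid and gid changed but supplementary groups retained, and the returned error reports only the first failure. To keep the old short-circuit behaviour, write the body as `nix::unistd::setgroups(&self.groups)?;` `nix::unistd::setresgid(self.gid, self.gid, self.gid)?;` `nix::unistd::setresuid(self.uid, self.uid, self.uid)`. If best-effort dropping is intended, a doc comment on the new public method should say so and state that callers must check the result. The `};` closing the `if` in drop_privilege also has a stray semicolon.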