authorEelco Dolstra <e.dolstra@tudelft.nl>2006-12-07 16:33:31 +0000
committerEelco Dolstra <e.dolstra@tudelft.nl>2006-12-07 16:33:31 +0000
commitf76fdb6d42a1b539fcf0b77d8efc5262283a19ea (patch)
tree9cb5d0d95f998ab6db232df78413eb54f5551c7a /src/nix-setuid-helper
parentec23ecc64d40b7f65585c23592db123127967221 (diff)
* If not running as root, let the setuid helper kill the build user's
processes before and after the build.
Diffstat (limited to 'src/nix-setuid-helper')
-rw-r--r--src/nix-setuid-helper/main.cc37
1 files changed, 33 insertions, 4 deletions
diff --git a/src/nix-setuid-helper/main.cc b/src/nix-setuid-helper/main.cc
index e9ffcfd02..dc0b2cd6c 100644
--- a/src/nix-setuid-helper/main.cc
+++ b/src/nix-setuid-helper/main.cc
@@ -66,6 +66,15 @@ static uid_t nameToUid(const string & userName)
}
+static void checkIfBuildUser(const StringSet & buildUsers,
+ const string & userName)
+{
+ if (buildUsers.find(userName) == buildUsers.end())
+ throw Error(format("user `%1%' is not a member of the build users group")
+ % userName);
+}
+
+
/* Run `program' under user account `targetUser'. `targetUser' should
be a member of `buildUsersGroup'. The ownership of the current
directory is changed from the Nix user (uidNix) to the target
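Review bot: checkIfBuildUser has no comment, and its contract matters because it validates only the name string against `buildUsers`, while the callers visible in this diff act on a uid resolved separately (killBuildUser gets it from nameToUid). I would add above it `/* Throw unless `userName' is listed in `buildUsers'. This checks the name only; callers must still reject uid 0 themselves. */`. A group entry whose name maps to a uid shared with another account would pass this check, so the comment could also state that the group is assumed to hold dedicated build accounts only.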
@@ -80,10 +89,9 @@ static void runBuilder(uid_t uidNix, gid_t gidBuildUsers,
if (uidTargetUser == 0)
throw Error("won't setuid to root");
- /* Verify that the target user is a member of that group. */
- if (buildUsers.find(targetUser) == buildUsers.end())
- throw Error(format("user `%1%' is not a member of the build users group")
- % targetUser);
+ /* Verify that the target user is a member of the build users
+ group. */
+ checkIfBuildUser(buildUsers, targetUser);
/* Chown the current directory, *if* it is owned by the Nix
account. The idea is that the current directory is the
@@ -118,6 +126,21 @@ static void runBuilder(uid_t uidNix, gid_t gidBuildUsers,
}
+void killBuildUser(gid_t gidBuildUsers,
+ const StringSet & buildUsers, const string & userName)
+{
+ uid_t uid = nameToUid(userName);
+
+ /* Verify that the user whose processes we are to kill is a member
+ of the build users group. */
+ checkIfBuildUser(buildUsers, userName);
+
+ assert(uid != 0);
+
+ killUser(uid);
+}
+
+
#ifndef NIX_SETUID_CONFIG_FILE
#define NIX_SETUID_CONFIG_FILE "/etc/nix-setuid.conf"
#endif
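Review bot: The uid 0 guard in killBuildUser is an `assert`, which is compiled out when the helper is built with NDEBUG, so in such a build a group entry that resolves to uid 0 would reach `killUser(uid)`. runBuilder handles the same case with an unconditional `throw Error("won't setuid to root")`, and the setuid helper should do the same here: `if (uid == 0) throw Error("won't kill processes of root");`. Separately, the `gidBuildUsers` parameter is not used in the body, and the function is not declared `static` like nameToUid, checkIfBuildUser and runBuilder.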
@@ -204,6 +227,12 @@ static void run(int argc, char * * argv)
secureChown(-1, gidBuildUsers, uidNix, gidBuildUsers, argv[2]);
}
+ else if (command == "kill") {
+ /* Syntax: nix-setuid-helper kill <username> */
+ if (argc != 3) throw Error("missing user name");
+ killBuildUser(gidBuildUsers, buildUsers, argv[2]);
+ }
+
else throw Error ("invalid command");
}
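Review bot: The `argc != 3` check in the new `kill` branch also fires when extra arguments are passed, so the message `missing user name` is misleading in that case; `throw Error("usage: nix-setuid-helper kill <username>");` would cover both. `argv[2]` is caller-supplied and its only validation is the name check inside killBuildUser, which deserves a short comment at the call site, for example `/* argv[2] is untrusted; killBuildUser checks it against buildUsers. */`. Whether the calling user is authorised to run the helper at all is presumably decided earlier in run(), outside this hunk.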