Golang syscall.Setuid函数代码示例

// launch a process and wait for it to exit, replying to the connection
// with its status
func launchProcess(conn *connection, id int, file string, argv []string, asroot bool) {
	var err error

	// run the command
	cmd := exec.Command(file)
	cmd.Args = argv
	if asroot == false {
		syscall.Setuid(1000)
	}
	err = cmd.Start()
	if asroot == false {
		syscall.Setuid(0)
	}

	// immediate error
	if err != nil {
		conn.send("processEnded", map[string]interface{}{
			"id":    id,
			"pid":   cmd.Process.Pid,
			"error": true,
		})
		return
	}

	// wait for the process to exit
	cmd.Wait()

	// send a successful "process ran" response
	conn.send("processEnded", map[string]interface{}{
		"id":    id,
		"pid":   cmd.Process.Pid,
		"error": false,
	})
}

// TestHostKeyFile tests that reading and writing the wrong host key file fails
func TestWrongHostKeyFile(t *testing.T) {
	// Non-existent host key file should fail
	f := NewHostKeyFile(wrongHostFile)
	_, err := f.GetHostKeys()
	if err == nil {
		t.Fatal("should fail to read wrong host file")
	}
	if _, ok := err.(*os.PathError); !ok {
		t.Fatalf("should fail to read wrong host file due to file miss, but got %v", err)
	}

	// Create a host key file we do not have permission to read
	os.OpenFile(wrongHostFile, os.O_CREATE, 0000)
	defer os.Remove(wrongHostFile)
	// If run as root, drop privileges temporarily
	if id := syscall.Geteuid(); id == 0 {
		if err := syscall.Setuid(12345); err != nil {
			t.Fatalf("error setting uid: %v", err)
		}
		defer syscall.Setuid(id)
	}
	err = f.PutHostKey("", nil)
	if err == nil {
		t.Fatal("should fail to write wrong host file")
	}
	if !os.IsPermission(err) {
		t.Fatalf("should fail to write wrong host file due to permission denied, but got %v", err)
	}
}

func chuser(username string) (uid, gid int) {
	usr, err := user.Lookup(username)

	if err != nil {
		fmt.Printf("failed to find user %q: %s", username, err)
	}

	uid, err = strconv.Atoi(usr.Uid)

	if err != nil {
		fmt.Printf("bad user ID %q: %s", usr.Uid, err)
	}

	gid, err = strconv.Atoi(usr.Gid)

	if err != nil {
		fmt.Printf("bad group ID %q: %s", usr.Gid, err)
	}

	if err := syscall.Setgid(gid); err != nil {
		fmt.Printf("setgid(%d): %s", gid, err)
	}

	if err := syscall.Setuid(uid); err != nil {
		fmt.Printf("setuid(%d): %s", uid, err)
	}

	return uid, gid
}

// Takes care of dropping privileges to the desired user
func changeUser(u string) {
	if u == "" {
		return
	}
	userent, err := utils.UserLookup(u)
	if err != nil {
		log.Fatalf("Unable to find user %v: %v", u, err)
	}

	uid, err := strconv.Atoi(userent.Uid)
	if err != nil {
		log.Fatalf("Invalid uid: %v", userent.Uid)
	}
	gid, err := strconv.Atoi(userent.Gid)
	if err != nil {
		log.Fatalf("Invalid gid: %v", userent.Gid)
	}

	if err := syscall.Setgid(gid); err != nil {
		log.Fatalf("setgid failed: %v", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		log.Fatalf("setuid failed: %v", err)
	}
}

func runAsUserName(desiredUserName string) bool {
	// We do not have logging set up yet. We just panic() on error.

	if desiredUserName == "" {
		return false
	}

	currentUser, err := user.Current()
	if err != nil {
		panic(fmt.Sprintf("Can't find current user: %s", err.Error()))
	}

	desiredUser, err := user.Lookup(desiredUserName)
	if err != nil {
		// Not a fatal error, we'll just try the next
		return false
	}

	if currentUser.Uid != desiredUser.Uid {
		numericId, err := strconv.Atoi(desiredUser.Uid)
		if err != nil {
			panic(fmt.Sprintf("Can't interpret [%s] as a numeric user id [following lookup of usernmae %s]", desiredUser.Uid, desiredUserName))
		}
		err = syscall.Setuid(numericId)
		if err != nil {
			panic(fmt.Sprintf("Can't setuid to [%s]: %s", desiredUser.Uid, err.Error()))
		}
	}
	return true
}

func main() {
	if len(os.Args) < 2 {
		log.Fatalln("Usage: asbox <user> <shell command> [args...]")
	}

	user, args := os.Args[1], os.Args[2:]
	databox, err := isDataboxUser(user)
	if err != nil {
		log.Fatalln("Unable to determine if", user, "is a databox user:", err)
	}

	if !databox {
		log.Fatalln(user, "is not a databox user")
	}

	binary, err := exec.LookPath("su")
	if err != nil {
		log.Fatalln("Unable to find 'su':", err)
	}

	runtime.LockOSThread()
	err = syscall.Setuid(0)
	if err != nil {
		log.Fatalln("Unable to setuid")
	}

	args = append([]string{"su", "-", user, "-c", args[0], "--"}, args[1:]...)
	err = syscall.Exec(binary, args, os.Environ())
	log.Fatalln("Failed to exec:", err)
}

// SetupUser changes the groups, gid, and uid for the user inside the container
func SetupUser(u string) error {
	uid, gid, suppGids, home, err := user.GetUserGroupSupplementaryHome(u, syscall.Getuid(), syscall.Getgid(), "/")
	if err != nil {
		return fmt.Errorf("get supplementary groups %s", err)
	}

	if err := syscall.Setgroups(suppGids); err != nil {
		return fmt.Errorf("setgroups %s", err)
	}

	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid %s", err)
	}

	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid %s", err)
	}

	// if we didn't get HOME already, set it based on the user's HOME
	if envHome := os.Getenv("HOME"); envHome == "" {
		if err := os.Setenv("HOME", home); err != nil {
			return fmt.Errorf("set HOME %s", err)
		}
	}

	return nil
}

func DropPrivileges(username string) error {
	userInfo, err := user.Lookup(username)
	if err != nil {
		return err
	}

	uid, err := strconv.Atoi(userInfo.Uid)
	if err != nil {
		return err
	}

	gid, err := strconv.Atoi(userInfo.Gid)
	if err != nil {
		return err
	}

	// TODO: should set secondary groups too
	err = syscall.Setgroups([]int{gid})
	if err != nil {
		return err
	}

	err = syscall.Setgid(gid)
	if err != nil {
		return err
	}

	err = syscall.Setuid(uid)
	if err != nil {
		return err
	}

	return nil
}

// Takes care of dropping privileges to the desired user
func changeUser(args *DockerInitArgs) error {
	if args.user == "" {
		return nil
	}
	userent, err := utils.UserLookup(args.user)
	if err != nil {
		return fmt.Errorf("Unable to find user %v: %v", args.user, err)
	}

	uid, err := strconv.Atoi(userent.Uid)
	if err != nil {
		return fmt.Errorf("Invalid uid: %v", userent.Uid)
	}
	gid, err := strconv.Atoi(userent.Gid)
	if err != nil {
		return fmt.Errorf("Invalid gid: %v", userent.Gid)
	}

	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid failed: %v", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid failed: %v", err)
	}

	return nil
}

func main() {
	syscall.Setuid(0)
	usr, e := user.Current()
	if e != nil {
		log.Fatal(e)
	}

CHECK:
	if usr.Name != "System Administrator" {
		fmt.Println("Not running as root, relaunching")

		appdir, _ := osext.Executable()
		appdir_len := len(appdir)
		sudo_path := appdir[0:(appdir_len-7)] + "qtox_sudo" //qtox_sudo is a fork of cocoasudo with all of its flags and other features stripped out

		if _, err := os.Stat(sudo_path); os.IsNotExist(err) {
			fmt.Println("Error: No qtox_sudo binary installed, falling back")
			custom_user = usr.Name
			usr.Name = "System Administrator"
			goto CHECK
		}

		relaunch := exec.Command(sudo_path, appdir, usr.Name)
		relaunch.Stdout = os.Stdout
		relaunch.Stderr = os.Stderr
		relaunch.Run()
		return

	} else {

		if len(os.Args) > 1 || custom_user != "" {

			if custom_user == "" {
				custom_user = os.Args[1]
			}

			update_dir := "/Users/" + custom_user + "/Library/Preferences/tox/update/"
			if _, err := os.Stat(update_dir); os.IsNotExist(err) {
				fmt.Println("Error: No update folder, is check for updates enabled?")
				return
			}
			fmt.Println("qTox Updater")

			killqtox := exec.Command("/usr/bin/killall", "qtox")
			_ = killqtox.Run()

			install(update_dir, len(update_dir))

			os.RemoveAll(update_dir)
			fmt.Println("Update metadata wiped, launching qTox")
			launchqtox := exec.Command("/usr/bin/open", "-b", "chat.tox.qtox")
			launchqtox.Run()

		} else {
			fmt.Println("Error: no user passed")
		}

	}
}

// SetupEnv will create pidfile and possibly change the workdir.
func SetupEnv(cfg *config.Config) error {

	if cfg.System.User != "" {
		// Get the current user
		currentUser, err := user.Current()
		if err != nil {
			return fmt.Errorf("Could not get the current user: %s", err)
		}

		// If the current user is different than the wanted user, try to change it
		if currentUser.Username != cfg.System.User {

			wantedUser, err := user.Lookup(cfg.System.User)
			if err != nil {
				return err
			}

			uid, err := strconv.Atoi(wantedUser.Uid)
			if err != nil {
				return fmt.Errorf("Error converting UID [%s] to int: %s", wantedUser.Uid, err)
			}

			gid, err := strconv.Atoi(wantedUser.Gid)
			if err != nil {
				return fmt.Errorf("Error converting GID [%s] to int: %s", wantedUser.Gid, err)
			}

			if err = syscall.Setgid(gid); err != nil {
				return fmt.Errorf("Setting group id: %s", err)
			}

			if err = syscall.Setuid(uid); err != nil {
				return fmt.Errorf("Setting user id: %s", err)
			}
		}
	}

	if cfg.System.Workdir != "" {
		if err := os.Chdir(cfg.System.Workdir); err != nil {
			return fmt.Errorf("Could not chdir to '%s': %s", cfg.System.Workdir, err)
		}
	}

	pFile, err := os.Create(cfg.System.Pidfile)

	if err != nil {
		return err
	}
	defer pFile.Close()

	_, err = pFile.WriteString(fmt.Sprintf("%d", os.Getpid()))

	if err != nil {
		return err
	}

	return nil
}

func DropPrivileges(uid int, gid int) (error, bool) {
	if err := syscall.Setuid(uid); err != nil {
		return err, false
	}
	if err := syscall.Setgid(gid); err != nil {
		return err, false
	}
	return nil, true
}

// SetRuntimeUser sets user on what to run as
func SetRuntimeUser(username string) (err error) {
	log.Printf("Setting uid %s", username)
	ustruct, err := user.LookupId(username)
	if err != nil {
		return
	}
	euid, _ := strconv.Atoi(ustruct.Uid)
	syscall.Setuid(euid)
	return
}

func main() {
	err := syscall.Setuid(0)
	if err != nil {
		log.Fatal(err)
	}
	cmd := exec.Command("/usr/local/sbin/restart_icinga")
	output, err := cmd.Output()
	if err != nil {
		log.Fatal(err)
	}
	log.Println(string(output))
}

// InitProcess create pid file, set working dir, setgid and setuid.
func InitProcess() error {
	// setuid and setgid
	ug := strings.SplitN(Conf.User, " ", 2)
	usr := defaultUser
	grp := defaultGroup
	if len(ug) == 0 {
		// default user and group (nobody)
	} else if len(ug) == 1 {
		usr = ug[0]
		grp = ""
	} else if len(ug) == 2 {
		usr = ug[0]
		grp = ug[1]
	}
	uid := 0
	gid := 0
	ui, err := user.Lookup(usr)
	if err != nil {
		Log.Error("user.Lookup(\"%s\") error(%v)", err)
		return err
	}
	uid, _ = strconv.Atoi(ui.Uid)
	// group no set
	if grp == "" {
		Log.Debug("no set group")
		gid, _ = strconv.Atoi(ui.Gid)
	} else {
		// use user's group instread
		// TODO LookupGroup
		gid, _ = strconv.Atoi(ui.Gid)
	}
	Log.Debug("set user: %v", ui)
	if err := syscall.Setuid(uid); err != nil {
		Log.Error("syscall.Setuid(%d) error(%v)", uid, err)
		return err
	}
	//if err := syscall.Setgid(gid); err != nil {
	//	Log.Error("syscall.Setgid(%d) failed (%s)", gid, err.Error())
	//	return err
	//}
	// change working dir
	Log.Debug("set gid: %d", gid)
	if err := os.Chdir(Conf.Dir); err != nil {
		Log.Error("os.Chdir(\"%s\") error(%v)", "", err)
		return err
	}
	// create pid file
	if err := ioutil.WriteFile(Conf.PidFile, []byte(fmt.Sprintf("%d\n", os.Getpid())), 0644); err != nil {
		Log.Error("ioutil.WriteFile(\"%s\") error(%v)", "", err)
		return err
	}
	return nil
}