如何解决posix setgid() 无法降低权限
我正在尝试创建一个函数来降低 sudo 权限。
我是 dcli 包的维护者,这是一个旨在替换 bash 的 dart 包。
我的目标之一是允许用户将 sudo 权限降级回原始用户对代码某些部分的权限:
如果我们有一个名为 touch_me.dart 的脚本
用户将运行:
sudo touch_me
touch_me.dart 脚本将是:
void main() {
test('isPriviliged',() {
try {
print('isPriviliged: ${Shell.current.isPrivilegedUser}');
print('uid: ${getuid()}');
print('gid: ${getgid()}');
print('euid: ${geteuid()}');
print('euid: ${geteuid()}');
print('user: ${getlogin()}');
print('SUDO_UID: ${env['SUDO_UID']}');
print('SUDO_USER: ${env['SUDO_USER']}');
print('SUDO_GUID: ${env['SUDO_GID']}');
print('de-escalating to: uid: $originalUID,gid: $originalGID');
print('pre-descalation euid: ${geteuid()}');
print('pre-descalation user egid: ${getegid()}');
releasePrivileges();
print('post-descalation euid: ${geteuid()}');
print('post-descalation user egid: ${getegid()}');
touch('test.txt',create: true);
'ls -la test.txt'.run;
withPrivileges(() {
print('with privileges euid: ${geteuid()}');
print('with privileges egid: ${getegid()}');
touch('test2.txt',create: true);
'ls -la test2.txt'.run;
});
} on PosixException catch (e,st) {
print(e);
print(st);
}
});
}
bool get isPrivilegedUser {
return _whoami() == 'root';
}
/// revert uid and gid to original user's id's
void releasePrivileges() {
if (Shell.current.isPrivilegedUser) {
var sUID = env['SUDO_UID'];
var gUID = env['SUDO_GID'];
// convert id's to integers.
var originalUID = sUID != null ? int.tryParse(sUID) ?? 0 : 0;
var originalGID = gUID != null ? int.tryParse(gUID) ?? 0 : 0;
setegid(originalGID);
seteuid(originalUID);
}
}
/// Run [privilegedCallback] with root UID and gid
void withPrivileges(RunPrivileged privilegedCallback) {
var privileged = Shell.current.isPrivilegedUser;
if (!privileged) {
setegid(0);
seteuid(0);
}
/// run the callback method with escalated privileges.
privilegedCallback();
/// If the code was originally running privileged then
/// we leave it as it was.
if (!privileged) {
releasePrivileges();
}
}
typedef RunPrivileged = void Function();
除了对 gid 的更改外,一切都按预期工作。即使 releasePrivileges 调用 setegid(SUDO_GID) 并且 SUDO_GID 为 1000,但创建的文件的 gid 为 0。
isPriviliged: true
uid: 0
gid: 0
euid: 0
euid: 0
user: bsutton
SUDO_UID: 1000
SUDO_USER: bsutton
SUDO_GUID: 1000
de-escalating to: uid: 1000,gid: 1000
pre-descalation euid: 0
pre-descalation user egid: 0
post-descalation euid: 1000
post-descalation user egid: 1000
-rw-r--r-- 1 bsutton root 0 Jan 18 10:23 test.txt
with privileges euid: 0
with privileges egid: 0
-rw-r--r-- 1 root root 0 Jan 18 10:23 test2.txt
编辑:
以下是演示问题的最简单示例:
void main() {
var sUID = env['SUDO_UID'];
var gUID = env['SUDO_GID'];
// convert id's to integers.
var originalUID = sUID != null ? int.tryParse(sUID) ?? 0 : 0;
var originalGID = gUID != null ? int.tryParse(gUID) ?? 0 : 0;
setegid(originalGID);
seteuid(originalUID);
touch('test.txt',create: true);
'ls -la test.txt'.run;
}
解决方法
问题是我的测试环境:
在早期的测试中,我不小心创建了 gid = 0 的 test.txt。
如果我重新运行测试,在开始之前删除 test.txt,代码会按预期工作:
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。