Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

many: try to clear up the uid/gid thing when run as snap #26

Merged
merged 1 commit into from
Feb 14, 2025
Merged

many: try to clear up the uid/gid thing when run as snap #26

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion libs/containerv/linux/utils.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,7 @@ int containerv_switch_user_with_capabilities(uid_t uid, gid_t gid)
return status;
}

if (getgid() == 0 || getegid() == 0) {
if (gid != 0 && (getgid() == 0 || getegid() == 0)) {
VLOG_ERROR("containerv[child]", "failed to drop the root capabilities, aborting\n");
return status;
}
Expand Down
19 changes: 18 additions & 1 deletion libs/platform/osutils/linux/getuserdir.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,11 +20,28 @@
#include <pwd.h>
#include <string.h>

#ifdef CHEF_AS_SNAP
#include <stdlib.h>
unsigned int __get_snap_uid(void)
{
char* uidstr = getenv("SNAP_UID");
if (uidstr == NULL) {
// fallback
return getuid();
}
return (unsigned int)atoi(uidstr);
}
#endif

int platform_getuserdir(char* buffer, size_t length)
{
struct passwd* pw;


#ifdef CHEF_AS_SNAP
pw = getpwuid(__get_snap_uid());
#else
pw = getpwuid(getuid());
#endif
if (pw == NULL) {
return -1;
}
Expand Down
1 change: 1 addition & 0 deletions snap/snapcraft.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ description: |
base: core22
grade: stable
confinement: strict
assumes: [snap-uid-envvars]

apps:
bake:
Expand Down
25 changes: 23 additions & 2 deletions tools/bake/main.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,19 @@ static int __file_exists(const char* path)
return platform_stat(path, &stats) == 0 ? 1 : 0;
}

#ifdef CHEF_AS_SNAP
#include <stdlib.h>
unsigned int __get_snap_uid(void)
{
char* uidstr = getenv("SNAP_UID");
if (uidstr == NULL) {
// fallback
return getuid();
}
return (unsigned int)atoi(uidstr);
}
#endif

int main(int argc, char** argv, char** envp)
{
struct command_handler* command = &g_commands[2]; // build step is default
Expand All @@ -201,17 +214,25 @@ int main(int argc, char** argv, char** envp)
#if __linux__
// make sure we're running with root privileges
if (geteuid() != 0 || getegid() != 0) {
VLOG_ERROR("kitchen", "should be executed with root privileges, aborting.\n");
fprintf(stderr, "bake: should be executed with root privileges, aborting.\n");
errno = EPERM;
return -1;
}

// make sure we're not actually running as root
#ifdef CHEF_AS_SNAP
if (__get_snap_uid() == 0) {
fprintf(stderr, "bake: should not be run as root, aborting.\n");
errno = EPERM;
return -1;
}
#else
if (getuid() == 0 || getgid() == 0) {
VLOG_ERROR("kitchen", "should not be run as root, aborting.\n");
fprintf(stderr, "bake: should not be run as root, aborting.\n");
errno = EPERM;
return -1;
}
#endif
#endif

// first argument must be the command if not --help or --version
Expand Down
Loading