Provide function for switching user in child processes
Add alpm_sandbox_child() function that will be used for switching to a less privileged user to run child processes. Signed-off-by: Allan McRae <allan@archlinux.org>
parent
56eb87287e
commit
ce83cf6361
3 changed files with 49 additions and 0 deletions
|
@ -2953,6 +2953,12 @@ const char *alpm_version(void);
|
||||||
* */
|
* */
|
||||||
int alpm_capabilities(void);
|
int alpm_capabilities(void);
|
||||||
|
|
||||||
|
/** Drop privileges by switching to a different user.
|
||||||
|
* @param sandboxuser the user to switch to
|
||||||
|
* @return 0 on success, -1 on failure
|
||||||
|
*/
|
||||||
|
int alpm_sandbox_setup_child(const char *sandboxuser);
|
||||||
|
|
||||||
/* End of libalpm_misc */
|
/* End of libalpm_misc */
|
||||||
/** @} */
|
/** @} */
|
||||||
|
|
||||||
|
|
|
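Review bot: The doc comment on `alpm_sandbox_setup_child()` omits the preconditions and side effects a caller needs. Going by the implementation added in sandbox.c in this commit, the call fails unless the real UID is 0, and it also switches to the user's primary group and clears all supplementary groups. The change applies to the whole calling process, so the comment should presumably say it is meant for a forked child, for example `* Must be called as root, in the child after fork(); also sets the primary group and drops supplementary groups.` Note too that the commit message names `alpm_sandbox_child()` while the declaration is `alpm_sandbox_setup_child()`.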
@ -24,6 +24,7 @@ libalpm_sources = files('''
|
||||||
pkghash.h pkghash.c
|
pkghash.h pkghash.c
|
||||||
rawstr.c
|
rawstr.c
|
||||||
remove.h remove.c
|
remove.h remove.c
|
||||||
|
sandbox.c
|
||||||
signing.c signing.h
|
signing.c signing.h
|
||||||
sync.h sync.c
|
sync.h sync.c
|
||||||
trans.h trans.c
|
trans.h trans.c
|
||||||
|
|
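--- /dev/null
+++ b/lib/libalpm/sandbox.c
@@ -0,0 +1,42 @@
+/*
+* sandbox.c
+*
+* Copyright (c) 2021-2022 Pacman Development Team <pacman-dev@lists.archlinux.org>
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
+#include <grp.h>
+#include <pwd.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "alpm.h"
+#include "util.h"
+
+int SYMEXPORT alpm_sandbox_setup_child(const char* sandboxuser)
+{
+struct passwd const *pw = NULL;
+
+ASSERT(sandboxuser != NULL, return -1);
+ASSERT(getuid() == 0, return -1);
+ASSERT((pw = getpwnam(sandboxuser)), return -1);
+ASSERT(setgid(pw->pw_gid) == 0, return -1);
+ASSERT(setgroups(0, NULL) == 0, return -1);
+ASSERT(setuid(pw->pw_uid) == 0, return -1);
+
+return 0;
+}
+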
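Review bot: `alpm_sandbox_setup_child()` reports success when `sandboxuser` resolves to UID 0, so a misconfigured or aliased account name leaves the child running as root while the caller believes privileges were dropped. If running children as root is never intended, add `ASSERT(pw->pw_uid != 0, return -1);` after the `getpwnam()` check. The order `setgid()`, `setgroups(0, NULL)`, `setuid()` is right and each return value is checked, but every failure collapses to -1 and `<errno.h>` is included without being used in the visible code, so a caller cannot tell an unknown user from a failed `setuid()`. A short comment above the three calls, such as `/* group IDs must be changed before setuid(), which removes the privilege needed to change them */`, would keep a later edit from reordering them.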