From 70ae8dd259528ed6324616cd4de869e1e3710ab4 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Fri, 16 Feb 2024 18:21:18 +0000 Subject: [PATCH 01/18] docker support --- try | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/try b/try index 979118d0..fe645efa 100755 --- a/try +++ b/try @@ -47,6 +47,13 @@ try() { ## Make any directories that don't already exist, this is OK to do here ## because we have already checked if it valid. export SANDBOX_DIR + + # If we're in a docker container, we want to mount tmpfs on sandbox_dir, #136 + if [ -f /.dockerenv ] && [ "$(id -u)" -eq "0" ] + then + mount -t tmpfs tmpfs "$SANDBOX_DIR" + fi + mkdir -p "$SANDBOX_DIR/upperdir" "$SANDBOX_DIR/workdir" "$SANDBOX_DIR/temproot" ## Find all the directories and mounts that need to be mounted From b58a42d1395ebbb47aeee92e16d46fac446f0b81 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Sat, 17 Feb 2024 01:53:42 +0000 Subject: [PATCH 02/18] add setup.sh from og future --- setup.sh | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 setup.sh diff --git a/setup.sh b/setup.sh new file mode 100644 index 00000000..3038a418 --- /dev/null +++ b/setup.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +wget https://github.com/ezrizhu/gidmapper/releases/download/0.0.3/gidmapper -O /usr/local/bin/gidmapper +chmod +x /usr/local/bin/gidmapper +setcap 'CAP_SETGID=ep' /usr/local/bin/gidmapper From bb7be24fee9bafbfaea4a0b3ca6fff468c8bf511 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Sat, 17 Feb 2024 02:08:55 +0000 Subject: [PATCH 03/18] gidmapper support, ability to select executing user --- try | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 59 insertions(+), 6 deletions(-) diff --git a/try b/try index 979118d0..66f07ff6 100755 --- a/try +++ b/try 
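Review bot: `setup.sh` applies `setcap 'CAP_SETGID=ep'` to a binary it has just fetched over the network with nothing verifying what arrived, and without `set -e` a failed `wget -O` still leaves an empty or partial `/usr/local/bin/gidmapper` that `chmod` and `setcap` then act on. I'd add `set -eu` after the shebang and check a pinned digest before the capability is granted, e.g. `echo "<EXPECTED_SHA256>  /usr/local/bin/gidmapper" | sha256sum -c -` with the digest taken from the release. Patch 11's hunk in the same file, which only moves the install path to `/usr/bin`, has the same gap.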
@@ -159,6 +159,12 @@ autodetect_union_helper() { fi } +# notify the mapper that we're up +echo "a" > "$SOCKET" + +# wait for mapper to finish +cat "$SOCKET" > /dev/null + # Detect if union_helper is set, if not, we try to autodetect them if [ -z "$UNION_HELPER" ] then @@ -237,12 +243,17 @@ EOF cat >"$chroot_executable" <"$script_to_execute" @@ -250,17 +261,28 @@ EOF # `$script_to_execute` need not be +x to be sourced chmod +x "$mount_and_execute" "$chroot_executable" + if [ "$EUSER" ] + then + chown "$EUSER" "$script_to_execute" + fi + # enable job control so interactive commands will play nicely with try asking for user input later(for committing). #5 [ -t 0 ] && set -m + SOCKET="$(mktemp -u)" + mkfifo "$SOCKET" + export SOCKET + + # Running mapper in a subshell to suppress job control [1] + Done message + (mapper&) + # --mount: mounting and unmounting filesystems will not affect the rest of the system outside the unshare - # --map-root-user: map to the superuser UID and GID in the newly created user namespace. # --user: the process will have a distinct set of UIDs, GIDs and capabilities. # --pid: create a new process namespace (needed fr procfs to work right) # --fork: necessary if we do --pid # "Creation of a persistent PID namespace will fail if the --fork option is not also specified." # shellcheck disable=SC2086 # we want field splitting! - unshare --mount --map-root-user --user --pid --fork $EXTRA_NS "$mount_and_execute" + unshare --mount --user --pid --fork $EXTRA_NS "$mount_and_execute" TRY_EXIT_STATUS=$? ################################################################################ 
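Review bot: In the third hunk `mkfifo "$SOCKET"` is unchecked and nothing ever removes the FIFO, and since both sides block on `cat "$SOCKET"`, any failure in `mapper` (no pid found, `gidmapper` not on PATH) leaves the `unshare` side waiting forever instead of erroring out. I'd fail loudly with `mkfifo -m 600 "$SOCKET" || error "could not create mapper FIFO" 1`, remove `$SOCKET` on the cleanup path, and have the inner side confirm the mapping was actually written (e.g. `id -u` now reports 0) before it proceeds. `mktemp -u` only picks a name, so `mkfifo` can legitimately fail if that name is taken by the time it runs, which is why the check matters. The first hunk's `echo "a" > "$SOCKET"` sits at file top level; if that code path is also reached by the outer invocation, `$SOCKET` is empty there and the redirect fails — worth confirming. The third hunk is inside try(), whose body starts and ends outside the hunk.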
@@ -497,6 +519,30 @@ error() { exit "$exit_status" } +################################################################################ +# Change uid/gid mapping +################################################################################ + +mapper() { + cat "$SOCKET" > /dev/null + # Get the pid of the unshare process with current pid as parent + pid=$(pgrep -P $$ -f unshare) + + # Map root user to current user, and all groups + # Usage: gidmapper targetpid outeruid inneruid uidcount outergid innergid uidcount + if [ "$(id -u)" = 0 ] + then + # If we're running as root, we can map all the users + gidmapper "$pid" 0 0 65535 0 0 65535 + else + # If not running as root, we can only mount the caller user + gidmapper "$pid" 0 "$(id -u)" 1 0 0 65535 + fi + + # Notify the unshare process that we have finished + echo "a" > "$SOCKET" +} + ################################################################################ # Argument parsing ################################################################################ @@ -508,6 +554,7 @@ Usage: $TRY_COMMAND [-nvhyx] [-i PATTERN] [-D DIR] [-U PATH] [-L dir1:dir2:...] -n don't commit or prompt for commit (overrides -y) -y assume yes to all prompts (overrides -n) -x prevent network access (by unsharing the network namespace) + -u username user to run the command with (requires root) -i PATTERN ignore paths that match PATTERN on summary and commit -D DIR work in DIR (implies -n) -U PATH path to unionfs helper (e.g., mergerfs, unionfs-fuse) 
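Review bot: The non-root branch of `mapper` writes a gid_map of `0 0 65535`, and because `gidmapper` carries `CAP_SETGID` and is runnable by any user, the process inside the namespace (uid 0 there) can adopt any host group in that range rather than only the caller's own supplementary groups — a boundary the kernel normally enforces by refusing such a map to an unprivileged writer. The map should be narrowed to the groups the invoking user already holds (`id -G`), and `gidmapper` itself should verify that the target pid belongs to the invoking user instead of trusting its arguments. Separately, `pid=$(pgrep -P $$ -f unshare)` may yield zero or several pids and neither that nor the `gidmapper` exit status is checked, yet `echo "a" > "$SOCKET"` releases the inner side regardless, so the command can run with no mapping at all; `[ -n "$pid" ] || error "could not find unshare process" 1` before the gidmapper call would at least stop that.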
@@ -535,13 +582,19 @@ NO_COMMIT="interactive" # Includes all patterns given using the `-i` flag; will be used with `grep -f` IGNORE_FILE="$(mktemp)" -while getopts ":yvnhxi:D:U:L:" opt +while getopts ":yvnhxu:i:D:U:L:" opt do case "$opt" in (y) NO_COMMIT="commit";; (n) NO_COMMIT="show";; (i) echo "$OPTARG" >>"$IGNORE_FILE";; + (u) if [ "$(id -u)" -ne "0" ] + then + error "need root for -u" 2 + fi + EUSER="$OPTARG" + export EUSER;; (D) if ! [ -d "$OPTARG" ] then error "could not find sandbox directory '$OPTARG'" 2 From 1a8787247c6526ccbd471cfb71eb56638711cc81 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Sat, 17 Feb 2024 02:18:26 +0000 Subject: [PATCH 04/18] set tests to use setup.sh --- .github/workflows/test.yaml | 4 +--- Vagrantfile | 5 +++++ setup.sh | 0 3 files changed, 6 insertions(+), 3 deletions(-) mode change 100644 => 100755 setup.sh diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 9459628c..b1d29e70 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -28,9 +28,7 @@ jobs: - name: Run tests run: | - cd .. - cp -r try ~ - cd ~/try + sudo ./setup.sh scripts/run_tests.sh - name: Upload script diff --git a/Vagrantfile b/Vagrantfile index 5972795a..44c72457 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -14,6 +14,7 @@ Vagrant.configure("2") do |config| sudo apt-get install -y git expect curl sudo chown -R vagrant:vagrant try cd try + ./setup.sh scripts/run_tests.sh " end @@ -27,6 +28,7 @@ Vagrant.configure("2") do |config| sudo apt-get install -y curl sudo chown -R vagrant:vagrant try cd try + ./setup.sh mkdir rustup ./try -D rustup \"curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y\" ls -lah rustup/upperdir/home/vagrant/.cargo/bin @@ -65,6 +67,7 @@ Vagrant.configure("2") do |config| sudo chown -R vagrant:vagrant /mnt/lv0/try cd /mnt/lv0/try + ./setup.sh scripts/run_tests.sh " end 
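Review bot: The `(u)` arm stores `$OPTARG` without checking that it names an existing account, so a typo only surfaces later when `chown "$EUSER"` fails partway through sandbox setup. A check next to the existing root test, `id -u "$OPTARG" >/dev/null 2>&1 || error "unknown user '$OPTARG'" 2`, reports it at parse time in the same style as the `-D` arm.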
@@ -77,6 +80,7 @@ Vagrant.configure("2") do |config| sudo yum install -y git expect curl sudo chown -R vagrant:vagrant try cd try + ./setup.sh TRY_TOP=$(pwd) scripts/run_tests.sh " end @@ -89,6 +93,7 @@ Vagrant.configure("2") do |config| sudo yum install -y git expect curl sudo chown -R vagrant:vagrant try cd try + ./setup.sh TRY_TOP=$(pwd) scripts/run_tests.sh " end diff --git a/setup.sh b/setup.sh old mode 100644 new mode 100755 From f3704d4b738c06a7a96eae3118de57afb941e842 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Sat, 17 Feb 2024 03:27:51 +0000 Subject: [PATCH 05/18] install libcap2-bin on debian vagrants --- Vagrantfile | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 44c72457..1b3f766a 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -11,10 +11,10 @@ Vagrant.configure("2") do |config| debian.vm.provision "file", source: "./", destination: "/home/vagrant/try" debian.vm.provision "shell", privileged: false, inline: " sudo apt-get update - sudo apt-get install -y git expect curl + sudo apt-get install -y git expect curl libcap2-bin sudo chown -R vagrant:vagrant try cd try - ./setup.sh + sudo ./setup.sh scripts/run_tests.sh " end @@ -25,10 +25,10 @@ Vagrant.configure("2") do |config| debianrustup.vm.provision "file", source: "./", destination: "/home/vagrant/try" debianrustup.vm.provision "shell", privileged: false, inline: " sudo apt-get update - sudo apt-get install -y curl + sudo apt-get install -y curl libcap2-bin sudo chown -R vagrant:vagrant try cd try - ./setup.sh + sudo ./setup.sh mkdir rustup ./try -D rustup \"curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y\" ls -lah rustup/upperdir/home/vagrant/.cargo/bin 
@@ -41,7 +41,7 @@ Vagrant.configure("2") do |config| debianlvm.vm.provision "file", source: "./", destination: "/home/vagrant/try" debianlvm.vm.provision "shell", privileged: false, inline: " sudo apt-get update - sudo apt-get install -y git expect lvm2 mergerfs curl + sudo apt-get install -y git expect lvm2 mergerfs curl libcap2-bin # Create an image for the lvm disk sudo fallocate -l 2G /root/lvm_disk.img @@ -67,7 +67,7 @@ Vagrant.configure("2") do |config| sudo chown -R vagrant:vagrant /mnt/lv0/try cd /mnt/lv0/try - ./setup.sh + sudo ./setup.sh scripts/run_tests.sh " end @@ -80,7 +80,7 @@ Vagrant.configure("2") do |config| sudo yum install -y git expect curl sudo chown -R vagrant:vagrant try cd try - ./setup.sh + sudo ./setup.sh TRY_TOP=$(pwd) scripts/run_tests.sh " end @@ -93,7 +93,7 @@ Vagrant.configure("2") do |config| sudo yum install -y git expect curl sudo chown -R vagrant:vagrant try cd try - ./setup.sh + sudo ./setup.sh TRY_TOP=$(pwd) scripts/run_tests.sh " end From 0ed1827921c48dc6971f40e801994a01cb99f349 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Sat, 17 Feb 2024 09:46:00 +0000 Subject: [PATCH 06/18] fix(test/nomerger): add path for gidmapper --- test/missing_unionfs_mergerfs.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/test/missing_unionfs_mergerfs.sh b/test/missing_unionfs_mergerfs.sh index 38b3f305..a58c0142 100755 --- a/test/missing_unionfs_mergerfs.sh +++ b/test/missing_unionfs_mergerfs.sh 
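Review bot: The two yum-based provisioners at the end of this patch gain `sudo ./setup.sh` but not the package that supplies `setcap`, whereas the Debian hunks add `libcap2-bin` for exactly that; if `setcap` is not present by default on those boxes, the last line of setup.sh fails and, without `set -e` there, the tests run with an uncapable `gidmapper`. If so, `sudo yum install -y git expect curl libcap` mirrors the Debian change.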
@@ -27,14 +27,15 @@ try_workspace="$(mktemp -d)" cd "$try_workspace" || return 9 new_bin_dir="$(mktemp -d)" -mkdir "$new_bin_dir/usr" +mkdir -p "$new_bin_dir/usr/local" # -s makes symlinks cp -rs /usr/bin "$new_bin_dir/usr/bin" +cp -rs /usr/local/bin "$new_bin_dir/usr/local/bin" # Delete mergerfs and unionfs and set the new PATH to the temporary directory rm -f "$new_bin_dir/usr/bin/mergerfs" 2>/dev/null rm -f "$new_bin_dir/usr/bin/unionfs" 2>/dev/null echo hi >expected -PATH="$new_bin_dir/usr/bin" "$TRY" -y "echo hi" >target 2>/dev/null || return 1 +PATH="$new_bin_dir/usr/bin:$new_bin_dir/usr/local/bin" "$TRY" -y "echo hi" >target 2>/dev/null || return 1 diff -q expected target || return 2 From eb9c436cb7d3606541606ab7afbfebb0113b859c Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Sat, 17 Feb 2024 10:15:45 +0000 Subject: [PATCH 07/18] test: gidmapping --- test/gidmapping.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100755 test/gidmapping.sh diff --git a/test/gidmapping.sh b/test/gidmapping.sh new file mode 100755 index 00000000..a964584c --- /dev/null +++ b/test/gidmapping.sh @@ -0,0 +1,14 @@ +#!/bin/sh + +TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree)}" +TRY="$TRY_TOP/try" + +control=$(id -G) +testing=$("$TRY" id -G) + +if [ "$control" = "$testing" ] +then + exit 0 +else + exit 1 +fi From 8bcf1e1fd4e5c22567b08f1c49a122efa5cbf548 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Sat, 17 Feb 2024 10:15:57 +0000 Subject: [PATCH 08/18] test: fileowner test, requires root --- test/fileowner.sh | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100755 test/fileowner.sh diff --git a/test/fileowner.sh b/test/fileowner.sh new file mode 100755 index 00000000..10896ded --- /dev/null +++ b/test/fileowner.sh 
@@ -0,0 +1,39 @@ +#!/bin/sh + +TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree)}" +TRY="$TRY_TOP/try" + +cleanup() { + cd / + + if [ -d "$try_workspace" ] + then + rm -rf "$try_workspace" >/dev/null 2>&1 + fi + + if [ -f "$expected" ] + then + rm "$expected" + fi + + if [ -f "$target" ] + then + rm "$target" + fi +} + +trap 'cleanup' EXIT + +try_workspace="$(mktemp -d)" +cd "$try_workspace" || return 9 +touch test + +# Set up expected output +expected="$(mktemp)" +ls -l >"$expected" + +# Set up target output +target="$(mktemp)" + +sudo "$TRY" ls -l > "$target" || return 1 +diff -q "$expected" "$target" From 8bb213f8fc736468168bb51d63e827e350013263 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Sat, 17 Feb 2024 10:21:38 +0000 Subject: [PATCH 09/18] test/fileowner: clarify redirection for shellcheck --- test/fileowner.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/fileowner.sh b/test/fileowner.sh index 10896ded..8ecb4eb4 100755 --- a/test/fileowner.sh +++ b/test/fileowner.sh @@ -35,5 +35,5 @@ ls -l >"$expected" # Set up target output target="$(mktemp)" -sudo "$TRY" ls -l > "$target" || return 1 +sudo "$TRY" ls -l | tee "$target" || return 1 diff -q "$expected" "$target" From ba6a90615944203a95d5a86638447da34e539d1b Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Sat, 17 Feb 2024 10:29:14 +0000 Subject: [PATCH 10/18] test: uidmapping, needs sudo --- test/uidmapping.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100755 test/uidmapping.sh diff --git a/test/uidmapping.sh b/test/uidmapping.sh new file mode 100755 index 00000000..395a4000 --- /dev/null +++ b/test/uidmapping.sh @@ -0,0 +1,14 @@ +#!/bin/sh + +TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree)}" +TRY="$TRY_TOP/try" + +control=$(id) +testing=$(sudo "$TRY" -u "$USER" id) + +if [ "$control" = "$testing" ] +then + exit 0 +else + exit 1 +fi 
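Review bot: Replacing the redirection with `| tee "$target"` changes what `|| return 1` tests: under `#!/bin/sh` there is no `pipefail`, so the status is tee's and a failing `sudo "$TRY"` no longer aborts the test; it also echoes the listing onto the test's stdout. Keep the redirect and silence the lint on that line instead, `# shellcheck disable=SC2024` above `sudo "$TRY" ls -l > "$target" || return 1` — the file being opened by the unprivileged shell is what the test wants anyway.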
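Review bot: In `test/uidmapping.sh`, `-u "$USER"` relies on a login-shell variable that `sh` and CI runners need not set, in which case `-u ""` is passed and the test fails for the wrong reason. `testing=$(sudo "$TRY" -u "$(id -un)" id)` derives the name from the actual caller and keeps the comparison meaningful.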
From d6c62696ded5a448ea63b974ad078fdcf12ee997 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Tue, 20 Feb 2024 00:39:20 +0000 Subject: [PATCH 11/18] use /usr/bin for gidmapper, (default secure_path for sudo does not include /usr/loca/bin --- setup.sh | 6 +++--- test/gidmapping.sh | 2 +- test/missing_unionfs_mergerfs.sh | 5 ++--- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/setup.sh b/setup.sh index 3038a418..679a3e9c 100755 --- a/setup.sh +++ b/setup.sh @@ -1,5 +1,5 @@ #!/bin/sh -wget https://github.com/ezrizhu/gidmapper/releases/download/0.0.3/gidmapper -O /usr/local/bin/gidmapper -chmod +x /usr/local/bin/gidmapper -setcap 'CAP_SETGID=ep' /usr/local/bin/gidmapper +wget https://github.com/ezrizhu/gidmapper/releases/download/0.0.3/gidmapper -O /usr/bin/gidmapper +chmod +x /usr/bin/gidmapper +setcap 'CAP_SETGID=ep' /usr/bin/gidmapper diff --git a/test/gidmapping.sh b/test/gidmapping.sh index a964584c..1415bbc8 100755 --- a/test/gidmapping.sh +++ b/test/gidmapping.sh @@ -4,7 +4,7 @@ TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working- TRY="$TRY_TOP/try" control=$(id -G) -testing=$("$TRY" id -G) +testing=$("$TRY" id -G 2>/dev/null) if [ "$control" = "$testing" ] then diff --git a/test/missing_unionfs_mergerfs.sh b/test/missing_unionfs_mergerfs.sh index a58c0142..38b3f305 100755 --- a/test/missing_unionfs_mergerfs.sh +++ b/test/missing_unionfs_mergerfs.sh 
@@ -27,15 +27,14 @@ try_workspace="$(mktemp -d)" cd "$try_workspace" || return 9 new_bin_dir="$(mktemp -d)" -mkdir -p "$new_bin_dir/usr/local" +mkdir "$new_bin_dir/usr" # -s makes symlinks cp -rs /usr/bin "$new_bin_dir/usr/bin" -cp -rs /usr/local/bin "$new_bin_dir/usr/local/bin" # Delete mergerfs and unionfs and set the new PATH to the temporary directory rm -f "$new_bin_dir/usr/bin/mergerfs" 2>/dev/null rm -f "$new_bin_dir/usr/bin/unionfs" 2>/dev/null echo hi >expected -PATH="$new_bin_dir/usr/bin:$new_bin_dir/usr/local/bin" "$TRY" -y "echo hi" >target 2>/dev/null || return 1 +PATH="$new_bin_dir/usr/bin" "$TRY" -y "echo hi" >target 2>/dev/null || return 1 diff -q expected target || return 2 From 0c8746125a1a31658199888d99ba40e48ef776de Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Tue, 20 Feb 2024 01:01:47 +0000 Subject: [PATCH 12/18] fix id output to not print security context --- test/gidmapping.sh | 4 ++-- test/uidmapping.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/gidmapping.sh b/test/gidmapping.sh index 1415bbc8..b9c5e331 100755 --- a/test/gidmapping.sh +++ b/test/gidmapping.sh @@ -3,8 +3,8 @@ TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree)}" TRY="$TRY_TOP/try" -control=$(id -G) -testing=$("$TRY" id -G 2>/dev/null) +control=$(id -Gn) +testing=$("$TRY" -D "$(mktemp -d)" id -Gn 2>/dev/null) if [ "$control" = "$testing" ] then diff --git a/test/uidmapping.sh b/test/uidmapping.sh index 395a4000..93758b01 100755 --- a/test/uidmapping.sh +++ b/test/uidmapping.sh @@ -3,8 +3,8 @@ TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree)}" TRY="$TRY_TOP/try" -control=$(id) -testing=$(sudo "$TRY" -u "$USER" id) +control=$(id -un) +testing=$(sudo "$TRY" -D "$(mktemp -d)" -u "$USER" id -un) if [ "$control" = "$testing" ] then From 6defb9b512017fd73004ad718ccb889bba38322a Mon Sep 17 00:00:00 2001 
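Review bot: Both hunks of patch 12 pass `-D "$(mktemp -d)"` inline and never remove that directory, so every run leaves a populated temp tree (the upperdir/workdir `try` creates under it) behind. Capture it first, `sandbox="$(mktemp -d)"`, pass `-D "$sandbox"`, and remove it with an EXIT `trap` as the other tests do. `-D` also implies `-n` per the usage text, which is presumably why it was chosen here — a one-line comment saying so would help the next reader.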
From: Ezri Zhu Date: Thu, 29 Feb 2024 04:07:07 +0000 Subject: [PATCH 13/18] add mapper --- util/mapper.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 util/mapper.c diff --git a/util/mapper.c b/util/mapper.c new file mode 100644 index 00000000..b6181b80 --- /dev/null +++ b/util/mapper.c @@ -0,0 +1,56 @@ +#include +#include +#include +#include + +void* map_uids(void* args) { + char *targetpid = argv[1]; + char *outeruid = argv[2]; + char *inneruid = argv[3]; + char *uidcount = argv[4]; + char *outergid = argv[5]; + char *innergid = argv[6]; + char *gidcount = argv[7]; + + // Build path strings + char uid_path[100]; + sprintf(uid_path, "/proc/%s/uid_map", targetpid); + + char gid_path[100]; + sprintf(gid_path, "/proc/%s/gid_map", targetpid); + + // Build mapping strings + char uid_map[100]; + sprintf(uid_map, "%s %s %s", outeruid, inneruid, uidcount); + + char gid_map[100]; + sprintf(gid_map, "%s %s %s", outergid, innergid, gidcount); + + // Write mappings + FILE *uid_file = fopen(uid_path, "w"); + fprintf(uid_file, "%s", uid_map); + fclose(uid_file); + + FILE *gid_file = fopen(gid_path, "w"); + fprintf(gid_file, "%s", gid_map); + fclose(gid_file); + + return 0; +} + +int main(int argc, char* argv[]) { + + char *usage = "Usage: gidmapper targetpid outeruid inneruid uidcount outergid innergid gidcount"; + + if(argc < 8) { + fprintf(stderr, "%s\n", usage); + exit(1); + } + + pthread_t mapper_thread; + pthread_create(&mapper_thread, NULL, map_uids, NULL); + + pthread_join(mapper_thread, NULL); + + return 0; +} From 3495a17d0a904941fb63ef8cf27c7d388f266dc1 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Thu, 29 Feb 2024 04:55:41 +0000 Subject: [PATCH 14/18] remove docker support --- try | 6 ------ 1 file changed, 6 deletions(-) diff --git a/try b/try index 70e8e33b..d1bb1d4b 100755 --- a/try +++ b/try 
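Review bot: `map_uids` reads `argv[1..7]`, but `argv` is a parameter of `main` rather than a global, so this file cannot compile as written, and the `args` pointer handed to the thread is unused. Every I/O step is also unchecked: `fopen` returns NULL when the caller lacks the capability or the pid is gone and `fprintf` on it then crashes, and the kernel's rejection of an invalid map is reported only through the write's return value, which is discarded — the thread itself adds nothing that a direct call would not. Since this binary is meant to carry `CAP_SETGID`, it should additionally confirm the target pid is owned by the invoking user rather than trusting all seven arguments. The rewrite below passes `argv` through the thread argument, bounds the `snprintf` calls and fails on each error (the `#include` lines appear to have lost their header names in this rendering).
```c
/* Writes one map file; returns 0 on success, -1 after reporting the error. */
static int write_map(const char *path, const char *map) {
    FILE *f = fopen(path, "w");
    if (f == NULL) {
        perror(path);
        return -1;
    }
    /* The kernel validates the whole line on a single write, so a rejected
       map shows up as a failed fprintf/fclose rather than a silent no-op. */
    int ok = fprintf(f, "%s", map) >= 0;
    if (fclose(f) != 0) ok = 0;
    if (!ok) {
        perror(path);
        return -1;
    }
    return 0;
}

void* map_uids(void* args) {
    char **argv = args;
    // … unchanged: targetpid … gidcount taken from argv[1..7] …
    char uid_path[100];
    if (snprintf(uid_path, sizeof uid_path, "/proc/%s/uid_map", targetpid) >= (int)sizeof uid_path) {
        return (void*)-1;
    }
    // … same bounded snprintf for gid_path, uid_map and gid_map …
    if (write_map(uid_path, uid_map) != 0 || write_map(gid_path, gid_map) != 0) {
        return (void*)-1;
    }
    return 0;
}

// … unchanged: usage check in main …
    pthread_create(&mapper_thread, NULL, map_uids, argv);
    void *rc;
    pthread_join(mapper_thread, &rc);
    return rc == 0 ? 0 : 1;
```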
@@ -48,12 +48,6 @@ try() { ## because we have already checked if it valid. export SANDBOX_DIR - # If we're in a docker container, we want to mount tmpfs on sandbox_dir, #136 - if [ -f /.dockerenv ] && [ "$(id -u)" -eq "0" ] - then - mount -t tmpfs tmpfs "$SANDBOX_DIR" - fi - mkdir -p "$SANDBOX_DIR/upperdir" "$SANDBOX_DIR/workdir" "$SANDBOX_DIR/temproot" ## Find all the directories and mounts that need to be mounted From b98f7af2f8777100ecb012e7bedf5e4a683c6055 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Fri, 1 Mar 2024 18:27:40 +0000 Subject: [PATCH 15/18] lint fix --- util/{ => mapper}/mapper.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) rename util/{ => mapper}/mapper.c (93%) diff --git a/util/mapper.c b/util/mapper/mapper.c similarity index 93% rename from util/mapper.c rename to util/mapper/mapper.c index b6181b80..4e94502e 100644 --- a/util/mapper.c +++ b/util/mapper/mapper.c @@ -5,7 +5,7 @@ void* map_uids(void* args) { char *targetpid = argv[1]; - char *outeruid = argv[2]; + char *outeruid = argv[2]; char *inneruid = argv[3]; char *uidcount = argv[4]; char *outergid = argv[5]; @@ -15,7 +15,7 @@ void* map_uids(void* args) { // Build path strings char uid_path[100]; sprintf(uid_path, "/proc/%s/uid_map", targetpid); - + char gid_path[100]; sprintf(gid_path, "/proc/%s/gid_map", targetpid); @@ -26,7 +26,7 @@ void* map_uids(void* args) { char gid_map[100]; sprintf(gid_map, "%s %s %s", outergid, innergid, gidcount); - // Write mappings + // Write mappings FILE *uid_file = fopen(uid_path, "w"); fprintf(uid_file, "%s", uid_map); fclose(uid_file); 
@@ -34,23 +34,23 @@ void* map_uids(void* args) { FILE *gid_file = fopen(gid_path, "w"); fprintf(gid_file, "%s", gid_map); fclose(gid_file); - + return 0; } int main(int argc, char* argv[]) { char *usage = "Usage: gidmapper targetpid outeruid inneruid uidcount outergid innergid gidcount"; - + if(argc < 8) { fprintf(stderr, "%s\n", usage); - exit(1); + exit(1); } pthread_t mapper_thread; pthread_create(&mapper_thread, NULL, map_uids, NULL); pthread_join(mapper_thread, NULL); - + return 0; } From 91652068117ee1e90f1a644458be8a13ee748ba0 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Fri, 8 Mar 2024 20:09:23 +0000 Subject: [PATCH 16/18] edit toplevel-perms test to also check for user/group ownership --- test/toplevel-perms.sh | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/test/toplevel-perms.sh b/test/toplevel-perms.sh index 9f654a8a..be520111 100755 --- a/test/toplevel-perms.sh +++ b/test/toplevel-perms.sh @@ -34,9 +34,7 @@ cd "$try_workspace" || return 9 touch test cmd="$(mktemp)" -echo "find / -maxdepth 1 -print0 | xargs -0 ls -ld | awk '{print substr(\$1, 1, 10), \$9, \$10, \$11}' | grep -v 'proc' | grep -v 'swap'" > "$cmd" -# Use this after gidmapper to show user and group ownership -#echo "find / -maxdepth 1 -print0 | xargs -0 ls -ld | awk '{print substr(\$1, 1, 10), \$3, \$4, \$9, \$10, \$11}' | grep -v 'proc' | grep -v 'swap'" > "$cmd" +echo "find / -maxdepth 1 -print0 | xargs -0 ls -ld | awk '{print substr(\$1, 1, 10), \$3, \$4, \$9, \$10, \$11}' | grep -v 'proc' | grep -v 'swap'" > "$cmd" # Set up expected output expected="$(mktemp)" @@ -45,6 +43,5 @@ sh "$cmd" >"$expected" # Set up target output target="$(mktemp)" -"$TRY" "sh $cmd" > "$target" || return 1 -#diff -q "$expected" "$target" +sudo "$TRY" "sh $cmd" > "$target" || return 1 diff "$expected" "$target" From bf0dfaec7125df51d3d12e17881ccc051b571400 Mon Sep 17 00:00:00 2001 
From: Ezri Zhu Date: Fri, 8 Mar 2024 20:42:38 +0000 Subject: [PATCH 17/18] shellcheck ignore --- test/toplevel-perms.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/test/toplevel-perms.sh b/test/toplevel-perms.sh index be520111..b0ec8560 100755 --- a/test/toplevel-perms.sh +++ b/test/toplevel-perms.sh @@ -43,5 +43,6 @@ sh "$cmd" >"$expected" # Set up target output target="$(mktemp)" +# shellcheck disable=SC2024 # sudo won't be used in > $target redirection sudo "$TRY" "sh $cmd" > "$target" || return 1 diff "$expected" "$target" From 3ad69cebde448a065a9f734f932fbd74a6e365e3 Mon Sep 17 00:00:00 2001 From: Ezri Zhu Date: Sat, 9 Mar 2024 04:59:51 +0000 Subject: [PATCH 18/18] test(toplevel-perms): excl. regular files #150 --- test/toplevel-perms.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/toplevel-perms.sh b/test/toplevel-perms.sh index b0ec8560..71584aed 100755 --- a/test/toplevel-perms.sh +++ b/test/toplevel-perms.sh @@ -34,7 +34,7 @@ cd "$try_workspace" || return 9 touch test cmd="$(mktemp)" -echo "find / -maxdepth 1 -print0 | xargs -0 ls -ld | awk '{print substr(\$1, 1, 10), \$3, \$4, \$9, \$10, \$11}' | grep -v 'proc' | grep -v 'swap'" > "$cmd" +echo "find / -maxdepth 1 -type d -print0 | xargs -0 ls -ld | awk '{print substr(\$1, 1, 10), \$9, \$10, \$11}' | grep -v '/proc' " > "$cmd" # Set up expected output expected="$(mktemp)"
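Review bot: Besides adding `-type d`, this line also drops the owner/group columns (`\$3, \$4`) that patch 16 introduced specifically to compare ownership, and the `grep -v 'swap'` filter, neither of which the subject mentions; if ownership is no longer meant to be checked the message should say so, otherwise restore `\$3, \$4` in the awk print. Since the test now runs under `sudo` while `expected` is produced unprivileged, those columns are presumably the whole point of the earlier change — worth confirming. The trailing space in `grep -v '/proc' ` is harmless but stray.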