authorbors[bot] <26634292+bors[bot]@users.noreply.github.com>2020-09-01 17:59:37 +0000
committerGitHub <[email protected]>2020-09-01 17:59:37 +0000
commitf7dc6bafa5edadcaba87ffee9bb33aa82a848792 (patch)
treeb743bce4896e62fa90fa4583834df90c1bbf8d37
parent960c0a4f8569e10ad318fd2e9d266345ddff4fa3 (diff)
parentdb42004864662a01b1d8a325f60f9a903e0f769c (diff)
Merge #357
357: Add checks to exec from user r=48d90782 a=48d90782 resolves #332 Co-authored-by: Valery Piashchynski <[email protected]>
-rw-r--r--osutil/isolate.go17
1 files changed, 17 insertions, 0 deletions
diff --git a/osutil/isolate.go b/osutil/isolate.go
index 387df905..9eaf8a44 100644
--- a/osutil/isolate.go
+++ b/osutil/isolate.go
@@ -3,6 +3,8 @@
package osutil
import (
+ "fmt"
+ "os"
"os/exec"
"os/user"
"strconv"
@@ -14,6 +16,7 @@ func IsolateProcess(cmd *exec.Cmd) {
cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true, Pgid: 0}
}
+// ExecuteFromUser may work only if run RR under root user
func ExecuteFromUser(cmd *exec.Cmd, u string) error {
usr, err := user.Lookup(u)
if err != nil {
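Review bot: The new doc comment on `ExecuteFromUser` gives a precondition but does not say what the function does, and "RR" is left unexplained. Something like `// ExecuteFromUser makes cmd run with the uid and gid of user u; the calling process must run as root for the switch to succeed.` would be clearer. The later hunk assigns to `cmd.SysProcAttr.Credential`, and only `IsolateProcess` is seen setting `cmd.SysProcAttr`. If the lines not shown here do not initialise it, the comment should also say that `IsolateProcess` has to be called first, otherwise that assignment dereferences a nil pointer. The function body continues outside this hunk.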
@@ -30,6 +33,20 @@ func ExecuteFromUser(cmd *exec.Cmd, u string) error {
return err
}
+ // For more information:
+ // https://www.man7.org/linux/man-pages/man7/user_namespaces.7.html
+ // https://www.man7.org/linux/man-pages/man7/namespaces.7.html
+ if _, err := os.Stat("/proc/self/ns/user"); err != nil {
+ if os.IsNotExist(err) {
+ return fmt.Errorf("kernel doesn't support user namespaces")
+ }
+ if os.IsPermission(err) {
+ return fmt.Errorf("unable to test user namespaces due to permissions")
+ }
+
+ return fmt.Errorf("failed to stat /proc/self/ns/user: %v", err)
+ }
+
cmd.SysProcAttr.Credential = &syscall.Credential{
Uid: uint32(usrI32),
Gid: uint32(grI32),
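Review bot: The added stat of `/proc/self/ns/user` only shows that the kernel exposes user namespaces; it does not show that this process may switch uid/gid, which is what the `Credential` assignment right after it needs. An unprivileged caller therefore appears to pass the check and fail only when the command is started. A privileged caller on a kernel without user namespaces is rejected even though, as far as the hunk shows, no namespace is created. Consider testing the privilege the doc comment names, e.g. `if os.Geteuid() != 0 { return fmt.Errorf("changing the process user requires root") }`, and wrapping the fallback error with `%w` so callers can inspect it: `return fmt.Errorf("stat /proc/self/ns/user: %w", err)`. The function body starts before this hunk and the `Credential` literal continues past it.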