From f7b99a39152694f72104b95e6a30e245248c75d7 Mon Sep 17 00:00:00 2001 From: Joseph Richey Date: Tue, 24 Oct 2017 13:19:08 -0700 Subject: crypto: Merge with security package --- security/privileges.go | 99 -------------------------------------------------- 1 file changed, 99 deletions(-) delete mode 100644 security/privileges.go (limited to 'security/privileges.go') diff --git a/security/privileges.go b/security/privileges.go deleted file mode 100644 index 7d69da9..0000000 --- a/security/privileges.go +++ /dev/null @@ -1,99 +0,0 @@ -/* - * privileges.go - Functions for managing users and privileges. - * - * Copyright 2017 Google Inc. - * Author: Joe Richey (joerichey@google.com) - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy of - * the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations under - * the License. - */ - -// Package security manages: -// - Cache clearing (cache.go) -// - Keyring Operations (keyring.go) -// - Privilege manipulation (privileges.go) -// - Maintaining the link between the root and user keyrings. -package security - -import ( - "log" - "os" - "os/user" - - "github.com/pkg/errors" - "golang.org/x/sys/unix" - - "github.com/google/fscrypt/util" -) - -// SetThreadPrivileges temporarily drops the privileges of the current thread to -// have the effective uid/gid of the target user. The privileges can be changed -// again with another call to SetThreadPrivileges. -func SetThreadPrivileges(target *user.User) error { - euid := util.AtoiOrPanic(target.Uid) - egid := util.AtoiOrPanic(target.Gid) - if os.Geteuid() == euid { - log.Printf("Privileges already set to %q", target.Username) - return nil - } - log.Printf("Setting privileges to %q", target.Username) - - // If setting privs to root, we want to set the uid first, so we will - // then have the necessary permissions to perform the other actions. - if euid == 0 { - if err := setUids(-1, euid); err != nil { - return err - } - } - if err := setGids(-1, egid); err != nil { - return err - } - if err := setGroups(target); err != nil { - return err - } - // If not setting privs to root, we want to avoid dropping the uid - // util the very end. - if euid != 0 { - if err := setUids(-1, euid); err != nil { - return err - } - } - return nil -} - -func setUids(ruid, euid int) error { - err := unix.Setreuid(ruid, euid) - log.Printf("Setreuid(%d, %d) = %v", ruid, euid, err) - return errors.Wrapf(err, "setting uids") -} - -func setGids(rgid, egid int) error { - err := unix.Setregid(rgid, egid) - log.Printf("Setregid(%d, %d) = %v", rgid, egid, err) - return errors.Wrapf(err, "setting gids") -} - -func setGroups(target *user.User) error { - groupStrings, err := target.GroupIds() - if err != nil { - return util.SystemError(err.Error()) - } - - gids := make([]int, len(groupStrings)) - for i, groupString := range groupStrings { - gids[i] = util.AtoiOrPanic(groupString) - } - - err = unix.Setgroups(gids) - log.Printf("Setgroups(%v) = %v", gids, err) - return errors.Wrapf(err, "setting groups") -} -- cgit v1.2.3