Module: OsCtld::SwitchUser

Extended by:
OsCtl::Lib::Utils::System
Includes:
OsCtl::Lib::Utils::Log
Defined in:
lib/osctld/switch_user.rb

Constant Summary collapse

SYSTEM_PATH =
%w(/bin /usr/bin /sbin /usr/sbin /run/current-system/sw/bin)

Class Method Summary collapse

Class Method Details

.apply_prlimits(pid, prlimits) ⇒ Object

Apply process resource limits

Parameters:

  • pid (Integer)
  • prlimits (Hash)


90
91
92
93
94
95
96
97
98
99
# File 'lib/osctld/switch_user.rb', line 90

def self.apply_prlimits(pid, prlimits)
  prlimits.each do |name, limit|
    PrLimits.set(
      pid,
      PrLimits.resource_to_const(name),
      limit[:soft],
      limit[:hard]
    )
  end
end

.fork_and_switch_to(sysuser, ugid, homedir, cgroup_path, opts = {}, &block) ⇒ Object

Fork a process running as unprivileged user

Parameters:

  • sysuser (String)
  • ugid (Integer)
  • homedir (String)
  • cgroup_path (String)
  • opts (Hash) (defaults to: {})

    options

Options Hash (opts):

  • :chown_cgroups (Boolean) — default: true
  • :prlimits (Hash)


18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'lib/osctld/switch_user.rb', line 18

def self.fork_and_switch_to(sysuser, ugid, homedir, cgroup_path, opts = {}, &block)
  r, w = IO.pipe

  pid = Process.fork do
    w.close
    switch_to(sysuser, ugid, homedir, cgroup_path, opts)

    msg = r.readline.strip
    r.close

    if msg == 'ready'
      block.call
    else
      exit(false)
    end
  end

  r.close

  apply_prlimits(pid, opts[:prlimits]) if opts[:prlimits]

  w.puts('ready')
  w.close
  pid
end

.switch_to(sysuser, ugid, homedir, cgroup_path, opts = {}) ⇒ Object

Switch the current process to an unprivileged user



45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# File 'lib/osctld/switch_user.rb', line 45

def self.switch_to(sysuser, ugid, homedir, cgroup_path, opts = {})
  chown_cgroups = opts.has_key?(:chown_cgroups) ? opts[:chown_cgroups] : true

  # Environment
  ENV.delete('XDG_SESSION_ID')
  ENV.delete('XDG_RUNTIME_DIR')

  ENV['HOME'] = homedir
  ENV['USER'] = sysuser

  # CGroups
  CGroup.subsystems.each do |subsys|
    CGroup.mkpath(
      subsys,
      cgroup_path.split('/'),
      attach: true,
      chown: chown_cgroups ? ugid : false
    )
  end

  # Switch
  Process.groups = [ugid]
  Process::Sys.setgid(ugid)
  Process::Sys.setuid(ugid)
end

.switch_to_system(sysuser, uid, gid, homedir) ⇒ Object

Switch the current process to an unprivileged users, but do not change cgroups.



73
74
75
76
77
78
79
80
81
82
83
84
85
# File 'lib/osctld/switch_user.rb', line 73

def self.switch_to_system(sysuser, uid, gid, homedir)
  # Environment
  ENV.delete('XDG_SESSION_ID')
  ENV.delete('XDG_RUNTIME_DIR')

  ENV['HOME'] = homedir
  ENV['USER'] = sysuser

  # Switch
  Process.groups = [gid]
  Process::Sys.setgid(gid)
  Process::Sys.setuid(uid)
end