diff options
| author | Eelco Dolstra <e.dolstra@tudelft.nl> | 2006-12-07T16·33+0000 |
|---|---|---|
| committer | Eelco Dolstra <e.dolstra@tudelft.nl> | 2006-12-07T16·33+0000 |
| commit | f76fdb6d42a1b539fcf0b77d8efc5262283a19ea (patch) | |
| tree | 9cb5d0d95f998ab6db232df78413eb54f5551c7a /src/libstore/build.cc | |
| parent | ec23ecc64d40b7f65585c23592db123127967221 (diff) | |
* If not running as root, let the setuid helper kill the build user's
processes before and after the build.
Diffstat (limited to 'src/libstore/build.cc')
| -rw-r--r-- | src/libstore/build.cc | 63 |
1 files changed, 36 insertions, 27 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 7ae0dd4ec4..03a708b747 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -351,6 +351,8 @@ public: void acquire(); void release(); + void kill(); + string getUser() { return user; } uid_t getUID() { return uid; } uid_t getGID() { return gid; } @@ -452,29 +454,8 @@ void UserLock::release() } -bool amPrivileged() -{ - return geteuid() == 0; -} - - -bool haveBuildUsers() -{ - return querySetting("build-users-group", "") != ""; -} - - -static void killUserWrapped(uid_t uid) -{ - if (amPrivileged()) - killUser(uid); - else - /* !!! TODO */ - printMsg(lvlError, "must kill"); -} - - -void getOwnership(const Path & path) +static void runSetuidHelper(const string & command, + const string & arg) { string program = nixLibexecDir + "/nix-setuid-helper"; @@ -491,8 +472,8 @@ void getOwnership(const Path & path) std::vector<const char *> args; /* careful with c_str()! */ args.push_back(program.c_str()); - args.push_back("get-ownership"); - args.push_back(path.c_str()); + args.push_back(command.c_str()); + args.push_back(arg.c_str()); args.push_back(0); execve(program.c_str(), (char * *) &args[0], 0); @@ -514,6 +495,34 @@ void getOwnership(const Path & path) } +void UserLock::kill() +{ + assert(enabled()); + if (amPrivileged()) + killUser(uid); + else + runSetuidHelper("kill", user); +} + + +bool amPrivileged() +{ + return geteuid() == 0; +} + + +bool haveBuildUsers() +{ + return querySetting("build-users-group", "") != ""; +} + + +void getOwnership(const Path & path) +{ + runSetuidHelper("get-ownership", path); +} + + static void deletePathWrapped(const Path & path) { /* When using build users and we're not root, we may not have @@ -850,7 +859,7 @@ void DerivationGoal::buildDone() open and modifies them after they have been chown'ed to root. */ if (buildUser.enabled()) - killUserWrapped(buildUser.getUID()); + buildUser.kill(); /* Close the read side of the logger pipe. */ logPipe.readSide.close(); @@ -1332,7 +1341,7 @@ void DerivationGoal::startBuilder() /* Make sure that no other processes are executing under this uid. */ - killUserWrapped(buildUser.getUID()); + buildUser.kill(); /* Change ownership of the temporary build directory, if we're root. If we're not root, then the setuid helper will do it |