about summary refs log tree commit diff
path: root/src/nix-setuid-helper/main.cc
diff options
context:
space:
mode:
authorEelco Dolstra <e.dolstra@tudelft.nl>2006-12-07T16·33+0000
committerEelco Dolstra <e.dolstra@tudelft.nl>2006-12-07T16·33+0000
commitf76fdb6d42a1b539fcf0b77d8efc5262283a19ea (patch)
tree9cb5d0d95f998ab6db232df78413eb54f5551c7a /src/nix-setuid-helper/main.cc
parentec23ecc64d40b7f65585c23592db123127967221 (diff)
* If not running as root, let the setuid helper kill the build user's
  processes before and after the build.

Diffstat (limited to 'src/nix-setuid-helper/main.cc')
-rw-r--r--src/nix-setuid-helper/main.cc37
1 files changed, 33 insertions, 4 deletions
diff --git a/src/nix-setuid-helper/main.cc b/src/nix-setuid-helper/main.cc
index e9ffcfd02323..dc0b2cd6cbd5 100644
--- a/src/nix-setuid-helper/main.cc
+++ b/src/nix-setuid-helper/main.cc
@@ -66,6 +66,15 @@ static uid_t nameToUid(const string & userName)
 }
 
 
+static void checkIfBuildUser(const StringSet & buildUsers,
+    const string & userName)
+{
+    if (buildUsers.find(userName) == buildUsers.end())
+        throw Error(format("user `%1%' is not a member of the build users group")
+            % userName);
+}
+
+
 /* Run `program' under user account `targetUser'.  `targetUser' should
    be a member of `buildUsersGroup'.  The ownership of the current
    directory is changed from the Nix user (uidNix) to the target
@@ -80,10 +89,9 @@ static void runBuilder(uid_t uidNix, gid_t gidBuildUsers,
     if (uidTargetUser == 0)
         throw Error("won't setuid to root");
 
-    /* Verify that the target user is a member of that group. */
-    if (buildUsers.find(targetUser) == buildUsers.end())
-        throw Error(format("user `%1%' is not a member of the build users group")
-            % targetUser);
+    /* Verify that the target user is a member of the build users
+       group. */
+    checkIfBuildUser(buildUsers, targetUser);
     
     /* Chown the current directory, *if* it is owned by the Nix
        account.  The idea is that the current directory is the
@@ -118,6 +126,21 @@ static void runBuilder(uid_t uidNix, gid_t gidBuildUsers,
 }
 
 
+void killBuildUser(gid_t gidBuildUsers,
+    const StringSet & buildUsers, const string & userName)
+{
+    uid_t uid = nameToUid(userName);
+    
+    /* Verify that the user whose processes we are to kill is a member
+       of the build users group. */
+    checkIfBuildUser(buildUsers, userName);
+
+    assert(uid != 0);
+
+    killUser(uid);
+}
+
+
 #ifndef NIX_SETUID_CONFIG_FILE
 #define NIX_SETUID_CONFIG_FILE "/etc/nix-setuid.conf"
 #endif
@@ -204,6 +227,12 @@ static void run(int argc, char * * argv)
         secureChown(-1, gidBuildUsers, uidNix, gidBuildUsers, argv[2]);
     }
 
+    else if (command == "kill") {
+        /* Syntax: nix-setuid-helper kill <username> */
+        if (argc != 3) throw Error("missing user name");
+        killBuildUser(gidBuildUsers, buildUsers, argv[2]);
+    }
+
     else throw Error ("invalid command");
 }