diff options
| author | Rob Austein <sra@hactrn.net> | 2016-03-30 16:38:03 +0000 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2016-03-30 16:38:03 +0000 |
| commit | 058578b8919da35432b8cd95b06c9e36db11feaf (patch) | |
| tree | ad1f54675b633ca8d5212f5aa3463130ed1f0d3f /ca | |
| parent | bc6e06a3aedc3108eed6763ea1624c791e981e08 (diff) | |
Clean up and simplify rpkic privilege-dropping code. All sudo voodoo
is now handled in the outermost script, before rpki.rpkic is even
loaded; rpki.rpkic just assumes that euid and ruid have been set up
correctly and swaps them temporarily when it needs to do file I/O.
svn path=/branches/tk705/; revision=6340
Diffstat (limited to 'ca')
| -rwxr-xr-x | ca/rpkic | 24 |
1 files changed, 12 insertions, 12 deletions
@@ -20,29 +20,29 @@ if __name__ == "__main__": already_ran_sudo = os.getenv("SUDO_COMMAND") == " ".join(argv) - try: - uid = pwd.getpwnam(rpki.autoconf.RPKI_USER).pw_uid - except: - uid = None - euid = os.geteuid() - if already_ran_sudo or uid is None or uid == euid or euid == 0: + try: + puid = pwd.getpwnam(rpki.autoconf.RPKI_USER).pw_uid + except KeyError: + puid = None + print "Warning: User \"{}\" not found, not dropping privileges".format(rpki.autoconf.RPKI_USER) - if not already_ran_sudo: - for name in ("SUDO_COMMAND", "SUDO_GID", "SUDO_UID", "SUDO_USER"): - if name in os.environ: - del os.environ[name] + if puid is not None and already_ran_sudo: + try: + os.setgid( int(os.environ["SUDO_GID"])) + os.setreuid(int(os.environ["SUDO_UID"]), puid) + except OSError as e: + sys.exit("Couldn't drop privs to user {}: {!s}".format(rpki.autoconf.RPKI_USER, e)) + if already_ran_sudo or puid in (None, euid): import rpki.rpkic rpki.rpkic.main() else: - try: argv.insert(0, rpki.autoconf.SUDO) os.execv(argv[0], argv) sys.exit("rpkic startup failure, no exception so don't know why, sorry") - except Exception as e: sys.exit("Couldn't exec sudo python rpkic: {!s}".format(e)) |