Diffstat (limited to 'ca/rpkic')
-rwxr-xr-x | ca/rpkic | 59 |
1 files changed, 43 insertions, 16 deletions
@@ -1,21 +1,48 @@
 #!/usr/bin/env python
-# $Id$
+# Using a Python script to run sudo to run a Python script is a bit
+# silly, but it lets us use rpki.autoconf to locate sudo, lets us
+# avoid needing a custom setuid wrapper, lets us avoid another pass
+# through the adventures of shell quoting and tokenization, and
+# generally is just a lot simpler to implement correctly.
 #
-# Copyright (C) 2010-2011 Internet Systems Consortium ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
+# OK, it's probably a few milliseconds slower. Big deal.
 if __name__ == "__main__":
- import rpki.rpkic
- rpki.rpkic.main()
+
+ import os
+ import pwd
+ import sys
+ import rpki.autoconf
+
+ argv = [sys.executable, os.path.abspath(sys.argv[0])]
+ argv.extend(sys.argv[1:])
+
+ already_ran_sudo = os.getenv("SUDO_COMMAND") == " ".join(argv)
+
+ euid = os.geteuid()
+
+ try:
+ puid = pwd.getpwnam(rpki.autoconf.RPKI_USER).pw_uid
+ except KeyError:
+ puid = None
+ print "Warning: User \"{}\" not found, not dropping privileges".format(rpki.autoconf.RPKI_USER)
+
+ if puid is not None and already_ran_sudo:
+ try:
+ os.setgid( int(os.environ["SUDO_GID"]))
+ os.setreuid(int(os.environ["SUDO_UID"]), puid)
+ except OSError as e:
+ sys.exit("Couldn't drop privs to user {}: {!s}".format(rpki.autoconf.RPKI_USER, e))
+
+ if already_ran_sudo or puid in (None, euid):
+ import rpki.rpkic
+ rpki.rpkic.main()
+
+ else:
+ try:
+ argv.insert(0, rpki.autoconf.SUDO)
+ os.execv(argv[0], argv)
+ sys.exit("rpkic startup failure, no exception so don't know why, sorry")
+ except Exception as e:
+ sys.exit("Couldn't exec sudo python rpkic: {!s}".format(e)) |
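Review bot: The privilege drop under `if puid is not None and already_ran_sudo:` calls `os.setgid()` and `os.setreuid()` but never resets the supplementary group list, so the process keeps whatever groups sudo gave it (normally root's) while running as the RPKI user. Adding `os.setgroups([])` ahead of the `os.setgid(...)` call, while the process is still privileged, would close that gap. The same `try` only catches `OSError`, so a missing or non-numeric `SUDO_UID`/`SUDO_GID` escapes as a traceback instead of the `sys.exit` message; `except (OSError, KeyError, ValueError) as e:` keeps it on the intended path. Two things deserve a comment in the code: `already_ran_sudo` is derived from the caller-settable `SUDO_COMMAND` variable, and if that comparison ever fails under sudo the `else` branch appears to re-exec sudo with no loop guard. Finally, the `except KeyError` path only warns and carries on, so when `RPKI_USER` is missing the script runs `rpki.rpkic.main()` with its current privileges, which fails open if it was started as root.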