From 004393bdc2f3df5d85da88819bf47d72a883f7bb Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Mon, 21 Mar 2016 02:39:08 +0000 Subject: Rework rpkic setuid handling to something a bit more robust. svn path=/branches/tk705/; revision=6322 --- ca/rpkic | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'ca/rpkic') diff --git a/ca/rpkic b/ca/rpkic index 2e215095..598c075f 100755 --- a/ca/rpkic +++ b/ca/rpkic @@ -15,19 +15,32 @@ if __name__ == "__main__": import sys import rpki.autoconf + argv = [sys.executable, os.path.abspath(sys.argv[0])] + argv.extend(sys.argv[1:]) + + already_ran_sudo = os.getenv("SUDO_COMMAND") == " ".join(argv) + try: uid = pwd.getpwnam(rpki.autoconf.RPKI_USER).pw_uid except: uid = None - if uid is None or uid == os.geteuid(): + euid = os.geteuid() + + if already_ran_sudo or uid is None or uid == euid or euid == 0: + + if not already_ran_sudo: + for name in ("SUDO_COMMAND", "SUDO_GID", "SUDO_UID", "SUDO_USER"): + if name in os.environ: + del os.environ[name] + import rpki.rpkic rpki.rpkic.main() else: + try: - argv = [rpki.autoconf.SUDO, "-u", rpki.autoconf.RPKI_USER, sys.executable] - argv.extend(os.path.abspath(a) if i == 0 else a for i, a in enumerate(sys.argv)) + argv.insert(0, rpki.autoconf.SUDO) os.execv(argv[0], argv) sys.exit("rpkic startup failure, no exception so don't know why, sorry") -- cgit v1.2.3
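Review bot: `already_ran_sudo` is derived only from the `SUDO_COMMAND` environment variable, which the invoking user controls, so it can be true without sudo having run; in that case both the re-exec and the `SUDO_*` scrub are skipped, and any preset `SUDO_UID`/`SUDO_GID`/`SUDO_USER` reach `rpki.rpkic.main()` unchanged. Tying the flag to the privilege state would close that gap: compute `uid` and `euid` first, then use `already_ran_sudo = euid in (0, uid) and os.getenv("SUDO_COMMAND") == " ".join(argv)`. Separately, the new `argv.insert(0, rpki.autoconf.SUDO)` no longer passes `-u rpki.autoconf.RPKI_USER`, so the re-executed process runs as sudo's default target user (normally root) and the switch to the RPKI user presumably has to happen inside `rpki.rpkic.main()`, which is not visible here; a comment such as `# sudo to its default target; rpki.rpkic.main() is expected to drop to RPKI_USER` would record that. The `if __name__ == "__main__":` block starts above the hunk and the `try:` around `os.execv` continues below it.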