ssh/tailssh: always assert our final uid/gid

Move the assertions about our post-privilege-drop UID/GID out of the
conditional if statement and always run them; I haven't been able to
find a case where this would fail. Defensively add an envknob to disable
this feature, however, which we can remove after the 1.40 release.

Updates #7616

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Iaec3dba9248131920204bd6c6d34bbc57a148185
pull/7664/head
Andrew Dunham 2 years ago
parent 9de8287d47
commit 13377e6458

@ -303,9 +303,19 @@ func beIncubator(args []string) error {
return err return err
} }
// TODO(andrew-d): verify that this works in more configurations before const (
// enabling by default. // This controls whether we assert that our privileges were dropped
const assertDropPrivileges = false // using geteuid/getegid; it's a const and not an envknob because the
// incubator doesn't see the parent's environment.
//
// TODO(andrew): remove this const and always do this after sufficient
// testing, e.g. the 1.40 release
assertPrivilegesWereDropped = true
// TODO(andrew-d): verify that this works in more configurations before
// enabling by default.
assertPrivilegesWereDroppedByAttemptingToUnDrop = false
)
// dropPrivileges contains all the logic for dropping privileges to a different // dropPrivileges contains all the logic for dropping privileges to a different
// UID, GID, and set of supplementary groups. This function is // UID, GID, and set of supplementary groups. This function is
@ -319,7 +329,7 @@ const assertDropPrivileges = false
// go test -c ./ssh/tailssh/ && sudo ./tailssh.test -test.v -test.run TestDropPrivileges // go test -c ./ssh/tailssh/ && sudo ./tailssh.test -test.v -test.run TestDropPrivileges
func dropPrivileges(logf logger.Logf, wantUid, wantGid int, supplementaryGroups []int) error { func dropPrivileges(logf logger.Logf, wantUid, wantGid int, supplementaryGroups []int) error {
fatalf := func(format string, args ...any) { fatalf := func(format string, args ...any) {
logf(format, args...) logf("[unexpected] error dropping privileges: "+format, args...)
os.Exit(1) os.Exit(1)
} }
@ -380,25 +390,25 @@ func dropPrivileges(logf logger.Logf, wantUid, wantGid int, supplementaryGroups
// cannot reset the it back to our original values, and that the // cannot reset the it back to our original values, and that the
// current egid/euid are the expected values after we change // current egid/euid are the expected values after we change
// everything; if not, we exit the process. // everything; if not, we exit the process.
if assertDropPrivileges { if assertPrivilegesWereDroppedByAttemptingToUnDrop {
if egid != wantGid { if egid != wantGid {
if err := syscall.Setegid(egid); err == nil { if err := syscall.Setegid(egid); err == nil {
fatalf("unexpectedly able to set egid back to %d", egid) fatalf("able to set egid back to %d", egid)
} }
} }
if euid != wantUid { if euid != wantUid {
if err := syscall.Seteuid(euid); err == nil { if err := syscall.Seteuid(euid); err == nil {
fatalf("unexpectedly able to set euid back to %d", euid) fatalf("able to set euid back to %d", euid)
} }
} }
}
if assertPrivilegesWereDropped {
if got := os.Getegid(); got != wantGid { if got := os.Getegid(); got != wantGid {
fatalf("got egid=%d, want %d", got, wantGid) fatalf("got egid=%d, want %d", got, wantGid)
} }
if got := os.Geteuid(); got != wantUid { if got := os.Geteuid(); got != wantUid {
fatalf("got euid=%d, want %d", got, wantUid) fatalf("got euid=%d, want %d", got, wantUid)
} }
// TODO(andrew-d): assert that our supplementary groups are correct // TODO(andrew-d): assert that our supplementary groups are correct
} }

Loading…
Cancel
Save