rudefox/burrow-pi-img
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Use setuidgids instead of sudo -u for setting groups

Browse Source
This commit is contained in:
Peter Johnson 2018-11-30 19:58:54 -08:00
parent d0c39e088b
commit e2e18ddbc0
No known key found for this signature in database
GPG Key ID: D39DD4DA7D41E329
5 changed files with 57 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
copyextfiles.sh
View File

@ -2,6 +2,11 @@
mkdir -p stage2/01-sys-tweaks/extfiles mkdir -p stage2/01-sys-tweaks/extfiles
#
# tools
#
cp tools/setuidgids stage2/01-sys-tweaks/extfiles/
# #
# openjdk # openjdk
# #

2
stage2/01-sys-tweaks/01-run.sh
View File

@ -16,6 +16,8 @@ install -m 644 files/raspi-blacklist.conf "${ROOTFS_DIR}/etc/modprobe.d/"
install -m 644 files/frc.json "${ROOTFS_DIR}/boot/" install -m 644 files/frc.json "${ROOTFS_DIR}/boot/"
install -m 755 extfiles/setuidgids "${ROOTFS_DIR}/usr/local/bin/"
install -m 755 -o 1000 -g 1000 extfiles/multiCameraServer "${ROOTFS_DIR}/home/pi/" install -m 755 -o 1000 -g 1000 extfiles/multiCameraServer "${ROOTFS_DIR}/home/pi/"
cat extfiles/jdk_11.0.1-strip.tar.gz | sh -c "mkdir -p ${ROOTFS_DIR}/usr/lib/jvm && cd ${ROOTFS_DIR}/usr/lib/jvm/ && tar xzf - --exclude=\*.diz --exclude=src.zip --transform=s/^jdk/jdk-11.0.1/" cat extfiles/jdk_11.0.1-strip.tar.gz | sh -c "mkdir -p ${ROOTFS_DIR}/usr/lib/jvm && cd ${ROOTFS_DIR}/usr/lib/jvm/ && tar xzf - --exclude=\*.diz --exclude=src.zip --transform=s/^jdk/jdk-11.0.1/"

2
stage2/01-sys-tweaks/files/camera_run
View File

@ -1,4 +1,4 @@
#!/bin/sh #!/bin/sh
sleep 1 sleep 1
cd /home/pi cd /home/pi
exec pgrphack sudo -u pi /usr/local/bin/netconsoleServer -u ./runCamera exec pgrphack /usr/local/bin/setuidgids pi /usr/local/bin/netconsoleServer -u ./runCamera

2
tools/Makefile Normal file
View File

@ -0,0 +1,2 @@
setuidgids: setuidgids.c
arm-raspbian9-linux-gnueabihf-gcc -O -Wall -D_GNU_SOURCE -o $@ $<

47
tools/setuidgids.c Normal file
View File

@ -0,0 +1,47 @@
#include <sys/types.h>
#include <pwd.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
static int prot_gid(gid_t gid)
{
if (setgroups(1,&gid) == -1) return -1;
return setgid(gid); /* _should_ be redundant, but on some systems it isn't */
}
const char *account;
struct passwd *pw;
int main(int argc, char **argv, char **envp)
{
account = *++argv;
if (!account || !*++argv) {
fprintf(stderr, "setuidgids: usage: setuidgids account child");
exit(EXIT_FAILURE);
}
pw = getpwnam(account);
if (!pw) {
fprintf(stderr, "setuidgids: FATAL: unknown account %s", account);
return EXIT_FAILURE;
}
if (prot_gid(pw->pw_gid) == -1) {
fprintf(stderr, "setuidgids: FATAL: unable to setgid\n");
return EXIT_FAILURE;
}
if (initgroups(pw->pw_name, pw->pw_gid) == -1) {
fprintf(stderr, "setuidgids: FATAL: unable to initgroups\n");
return EXIT_FAILURE;
}
if (setuid(pw->pw_uid) == -1) {
fprintf(stderr, "setuidgids: FATAL: unable to setuid\n");
return EXIT_FAILURE;
}
execvpe(*argv,argv,envp);
fprintf(stderr, "setuidgids: FATAL: unable to run %s\n", *argv);
return EXIT_FAILURE;
}