1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
use crate::args::DaemonArgs;
use crate::errors::*;
use caps::CapSet;
use nix::unistd::{Gid, Uid};
use std::env;
use std::fs;
use std::os::unix::fs::MetadataExt;
use std::path::Path;
fn chroot(path: &Path) -> Result<()> {
let metadata = fs::metadata(path)?;
if !metadata.is_dir() {
bail!("chroot target is no directory");
}
if metadata.uid() != 0 {
bail!("chroot target isn't owned by root");
}
if metadata.mode() & 0o22 != 0 {
bail!("chroot is writable by group or world");
}
nix::unistd::chroot(path)?;
env::set_current_dir("/")?;
Ok(())
}
fn drop_caps() -> Result<()> {
debug!("Permanently clearing capability sets");
caps::clear(None, CapSet::Effective)
.map_err(|err| anyhow!("Failed to clear effective capability set: {}", err))?;
caps::clear(None, CapSet::Permitted)
.map_err(|err| anyhow!("Failed to clear permitted capability set: {}", err))?;
Ok(())
}
pub fn init(args: &DaemonArgs) -> Result<()> {
let user = if let Some(name) = &args.user {
debug!("Resolving uid for {:?}", name);
let user = users::get_user_by_name(&name)
.ok_or_else(|| anyhow!("Failed to look up user: {:?}", name))?;
let uid = Uid::from_raw(user.uid());
let gid = Gid::from_raw(user.primary_group_id());
debug!("Resolved {:?} => {}:{}", name, uid, gid);
Some((uid, gid))
} else {
None
};
if args.chroot {
let path = env::current_dir().context("Failed to determine current directory")?;
debug!("Chrooting into {:?}", path);
chroot(&path).context("Failed to chroot")?;
}
if let Some((uid, gid)) = user {
debug!("Dropping uid:gid to {}:{}", uid, gid);
nix::unistd::setgroups(&[]).context("Failed to clear supplementary groups")?;
nix::unistd::setgid(gid).context("Failed to drop gid")?;
nix::unistd::setuid(uid).context("Failed to drop uid")?;
}
drop_caps()?;
Ok(())
}