openjd-sessions 0.2.0

Open Job Description sessions — local job execution runtime
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181

// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// Copyright by contributors to this project.
// SPDX-License-Identifier: (Apache-2.0 OR MIT)

//! Embedded cross-user helper binary — written to disk at session start.
//!
//! The helper is placed in a randomized subdirectory with restrictive
//! permissions so that the job user can execute the binary but cannot
//! modify or replace it.
//!
//! - POSIX: directory and binary are 0o750 (owner rwx, group r-x),
//!   owned by the process user with group set to the session user's group.
//! - Windows: directory and binary have an explicit DACL granting the
//!   process user Full Control and the session user Read & Execute.
//!   The session user's ACE intentionally omits `FILE_WRITE_DATA`,
//!   `FILE_APPEND_DATA`, `DELETE`, and `FILE_DELETE_CHILD` so the job
//!   user cannot overwrite, replace, or delete the helper binary.

use std::path::{Path, PathBuf};

use crate::error::SessionError;
use crate::session_user::SessionUser;

const HELPER_BINARY: &[u8] = include_bytes!(concat!(env!("OUT_DIR"), "/openjd_helper"));

/// Create a restricted helpers directory inside `working_dir`.
///
/// Returns the path to the new directory.
///
/// - On POSIX: the directory is owned by the process user with group set
///   to the session user's group and mode 0o750 — the job user can
///   traverse and read (needed for `sudo -u <user> -i` to execute the
///   helper binary) but cannot write or modify files.
/// - On Windows: the directory's DACL grants the process user Full
///   Control and the session user Read & Execute (inheritable). This
///   prevents the job user from modifying or deleting the helper binary
///   that will be written inside, even though the parent session working
///   directory's inherited DACL grants the session user Modify.
pub(crate) fn create_helpers_dir(
    working_dir: &Path,
    user: Option<&dyn SessionUser>,
) -> Result<PathBuf, SessionError> {
    let dir = working_dir.join(format!(".helpers-{}", uuid::Uuid::new_v4().simple()));

    #[cfg(unix)]
    {
        // Always create at 0o700 (owner-only). For cross-user, we widen to
        // 0o750 only *after* chown sets the correct group — so the group
        // never has access until it's the right group.
        nix::unistd::mkdir(&dir, nix::sys::stat::Mode::from_bits_truncate(0o700)).map_err(|e| {
            SessionError::WorkingDirectory {
                path: dir.clone(),
                source: std::io::Error::from(e),
            }
        })?;

        if let Some(u) = user.filter(|u| !u.is_process_user()) {
            if let Ok(Some(grp)) = nix::unistd::Group::from_name(u.group()) {
                nix::unistd::chown(&dir, None, Some(grp.gid)).map_err(|e| {
                    SessionError::PathPermissions {
                        path: dir.display().to_string(),
                        reason: e.to_string(),
                    }
                })?;
            }
            // Now that the group is correct, grant group r-x.
            use std::os::unix::fs::PermissionsExt;
            std::fs::set_permissions(&dir, std::fs::Permissions::from_mode(0o750)).map_err(
                |source| SessionError::WorkingDirectory {
                    path: dir.clone(),
                    source,
                },
            )?;
        }
    }

    #[cfg(windows)]
    {
        std::fs::create_dir(&dir).map_err(|source| SessionError::WorkingDirectory {
            path: dir.clone(),
            source,
        })?;

        // Lock down the DACL for cross-user sessions. Without this the
        // directory inherits the session working dir's DACL, which grants
        // the session user Modify — enough to replace or delete the helper
        // binary written inside. We explicitly set, with inheritance from
        // the parent severed:
        //   process user → Full Control (inheritable to children)
        //   session user → Read & Execute only (inheritable to children)
        if let Some(u) = user.filter(|u| !u.is_process_user()) {
            let process_user =
                crate::win32::get_process_user().map_err(|e| SessionError::PathPermissions {
                    path: dir.display().to_string(),
                    reason: format!("Could not determine process user: {e}"),
                })?;
            crate::win32_permissions::set_permissions_protected(
                &dir.to_string_lossy(),
                &[process_user.as_str()],
                &[],
                &[u.user()],
            )
            .map_err(|reason| SessionError::PathPermissions {
                path: dir.display().to_string(),
                reason,
            })?;
        }
    }

    Ok(dir)
}

/// Write the embedded helper binary to `helpers_dir/<random>[.exe]`, set
/// appropriate permissions, and return the path.
///
/// The binary name is randomized to prevent prediction. Permissions are
/// tightened so the job user can execute the binary but cannot modify or
/// replace it:
///
/// - POSIX: 0o750 (owner rwx, group r-x), group = session user's group.
/// - Windows: explicit DACL with process user Full Control and session
///   user Read & Execute. This is defense-in-depth over the helpers
///   directory's DACL — if the directory's DACL is ever weakened, the
///   binary itself still refuses session-user writes.
pub(crate) fn write_helper(
    helpers_dir: &Path,
    user: &dyn SessionUser,
) -> Result<PathBuf, SessionError> {
    let ext = if cfg!(windows) { ".exe" } else { "" };
    let filename = format!("h-{}{}", uuid::Uuid::new_v4().simple(), ext);
    let path = helpers_dir.join(filename);
    std::fs::write(&path, HELPER_BINARY).map_err(|source| SessionError::WorkingDirectory {
        path: path.clone(),
        source,
    })?;

    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        if let Ok(Some(grp)) = nix::unistd::Group::from_name(user.group()) {
            nix::unistd::chown(&path, None, Some(grp.gid)).map_err(|e| {
                SessionError::PathPermissions {
                    path: path.display().to_string(),
                    reason: e.to_string(),
                }
            })?;
        }
        std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o750)).map_err(
            |source| SessionError::WorkingDirectory {
                path: path.clone(),
                source,
            },
        )?;
    }

    #[cfg(windows)]
    {
        if !user.is_process_user() {
            let process_user =
                crate::win32::get_process_user().map_err(|e| SessionError::PathPermissions {
                    path: path.display().to_string(),
                    reason: format!("Could not determine process user: {e}"),
                })?;
            // Protected DACL: no inheritance from the helpers directory,
            // so even if something weakens that dir's DACL the binary is
            // still enforced as read-only for the session user.
            crate::win32_permissions::set_permissions_protected(
                &path.to_string_lossy(),
                &[process_user.as_str()],
                &[],
                &[user.user()],
            )
            .map_err(|reason| SessionError::PathPermissions {
                path: path.display().to_string(),
                reason,
            })?;
        }
    }

    Ok(path)
}