Use user shell instead of /bin/sh

cloudfoundry-attic · Mar 18, 2013 · d0e5839 · d0e5839
1 parent 872968b
commit d0e5839
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 36 deletions.
diff --git a/warden/src/wsh/msg.c b/warden/src/wsh/msg.c
@@ -137,29 +137,19 @@ int msg_user_import(msg__user_t *u, const char *name) {
   return 0;
 }
 
-int msg_user_export(msg__user_t *u) {
-  struct passwd *pw;
-  int rv;
-
-  if (strlen(u->name) == 0) {
-    return 0;
-  }
+int msg_user_export(msg__user_t *u, struct passwd *pw) {
+  ((void) u);
 
-  pw = getpwnam(u->name);
-  if (pw == NULL) {
-    return -1;
-  }
+  int rv;
 
   rv = setgid(pw->pw_gid);
   if (rv == -1) {
-    perror("setgid");
-    abort();
+    return rv;
   }
 
   rv = setuid(pw->pw_uid);
   if (rv == -1) {
-    perror("setuid");
-    abort();
+    return rv;
   }
 
   return 0;

diff --git a/warden/src/wsh/msg.h b/warden/src/wsh/msg.h
@@ -7,6 +7,8 @@
 #include <sys/time.h>
 #include <sys/resource.h>
 
+#include "pwd.h"
+
 typedef struct msg__array_s msg__array_t;
 typedef struct msg__rlimit_s msg__rlimit_t;
 typedef struct msg__user_s msg__user_t;
@@ -49,7 +51,7 @@ int msg_rlimit_import(msg__rlimit_t *);
 int msg_rlimit_export(msg__rlimit_t *);
 
 int msg_user_import(msg__user_t *u, const char *name);
-int msg_user_export(msg__user_t *u);
+int msg_user_export(msg__user_t *u, struct passwd *pw);
 
 void msg_request_init(msg_request_t *req);
 void msg_response_init(msg_response_t *res);

diff --git a/warden/src/wsh/wshd.c b/warden/src/wsh/wshd.c
@@ -233,23 +233,10 @@ char **env__add(char **envp, const char *key, const char *value) {
   return envp;
 }
 
-char **child_setup_environment(msg_request_t *req) {
-  const char *user;
-  struct passwd *pw;
+char **child_setup_environment(struct passwd *pw) {
   int rv;
   char **envp = NULL;
 
-  user = req->user.name;
-  if (!strlen(user)) {
-    user = "root";
-  }
-
-  pw = getpwnam(user);
-  if (pw == NULL) {
-    perror("getpwnam");
-    return NULL;
-  }
-
   rv = chdir(pw->pw_dir);
   if (rv == -1) {
     perror("chdir");
@@ -278,6 +265,8 @@ int child_fork(msg_request_t *req, int in, int out, int err) {
   }
 
   if (rv == 0) {
+    const char *user;
+    struct passwd *pw;
     char *default_argv[] = { "/bin/sh", NULL };
     char *default_envp[] = { NULL };
     char **argv = default_argv;
@@ -295,6 +284,21 @@ int child_fork(msg_request_t *req, int in, int out, int err) {
     rv = setsid();
     assert(rv != -1);
 
+    user = req->user.name;
+    if (!strlen(user)) {
+      user = "root";
+    }
+
+    pw = getpwnam(user);
+    if (pw == NULL) {
+      perror("getpwnam");
+      goto error;
+    }
+
+    if (strlen(pw->pw_shell)) {
+      default_argv[0] = strdup(pw->pw_shell);
+    }
+
     /* Set controlling terminal if needed */
     if (isatty(in)) {
       rv = ioctl(STDIN_FILENO, TIOCSCTTY, 1);
@@ -307,25 +311,25 @@ int child_fork(msg_request_t *req, int in, int out, int err) {
       assert(argv != NULL);
     }
 
-    /* Use resource limits from request */
     rv = msg_rlimit_export(&req->rlim);
     if (rv == -1) {
       perror("msg_rlimit_export");
-      exit(255);
+      goto error;
     }
 
-    /* Set user from request */
-    rv = msg_user_export(&req->user);
+    rv = msg_user_export(&req->user, pw);
     if (rv == -1) {
       perror("msg_user_export");
-      exit(255);
+      goto error;
     }
 
-    envp = child_setup_environment(req);
+    envp = child_setup_environment(pw);
     assert(envp != NULL);
 
     execvpe(argv[0], argv, envp);
     perror("execvpe");
+
+error:
     exit(255);
   }