Pass all user groups
Pass all the groups the user is a member of, and initialize the user to
be a member of them
JoshuaWatt committed Dec 5, 2019
1 parent f70ab59 commit f961ee8
Showing 2 changed files with 52 additions and 34 deletions.
76 changes: 43 additions & 33 deletions image/entry.py
Expand Up @@ -54,39 +54,48 @@ def main():
)

uid = int(get_var("PYREX_UID"))
gid = int(get_var("PYREX_GID"))
user = get_var("PYREX_USER")
group = get_var("PYREX_GROUP")
groups = []
for s in get_var("PYREX_GROUPS").split():
gid, name = s.split(":")
groups.append((int(gid), name))

primarygid, primarygroup = groups[0]

home = get_var("PYREX_HOME")

check_file = "/var/run/pyrex-%d-%d" % (uid, gid)
check_file = "/var/run/pyrex-%d-%d" % (uid, primarygid)
if not os.path.exists(check_file):
with open(check_file, "w") as f:
f.write("%d %d %s %s" % (uid, gid, user, group))

# Create user and group
subprocess.check_call(
["groupadd", "--non-unique", "--gid", "%d" % gid, group],
stdout=subprocess.DEVNULL,
)

subprocess.check_call(
[
"useradd",
"--non-unique",
"--uid",
"%d" % uid,
"--gid",
"%d" % gid,
"--home",
home,
"--no-create-home",
"--shell",
"/bin/sh",
user,
],
stdout=subprocess.DEVNULL,
)
f.write("%d %d %s %s\n" % (uid, primarygid, user, primarygroup))

# Create user and groups
for (gid, group) in groups:
if gid == 0:
continue
subprocess.check_call(
["groupadd", "--gid", "%d" % gid, group], stdout=f
)

subprocess.check_call(
[
"useradd",
"--non-unique",
"--uid",
"%d" % uid,
"--gid",
"%d" % primarygid,
"--groups",
",".join(str(g[0]) for g in groups),
"--home",
home,
"--no-create-home",
"--shell",
"/bin/sh",
user,
],
stdout=f,
)

try:
os.makedirs(home, 0o755)
Expand All @@ -100,15 +109,15 @@ def main():
home_stat = os.stat(home)

if home_stat.st_dev == root_stat.st_dev:
os.chown(home, uid, gid)
os.chown(home, uid, primarygid)

try:
screenrc = os.path.join(home, ".screenrc")

with open(screenrc, "x") as f:
f.write("defbce on\n")

os.chown(screenrc, uid, gid)
os.chown(screenrc, uid, primarygid)
except FileExistsError:
pass

Expand All @@ -118,7 +127,7 @@ def main():

# Setup environment
os.environ["USER"] = user
os.environ["GROUP"] = group
os.environ["GROUP"] = primarygroup
os.environ["HOME"] = home

# If a tty is attached, change it over to be owned by the new user. This is
Expand All @@ -144,11 +153,12 @@ def main():
"setpriv",
"setpriv",
"--inh-caps=-all", # Drop all root capabilities
"--clear-groups",
"--reuid",
"%d" % uid,
"--regid",
"%d" % gid,
"%d" % primarygid,
"--groups",
",".join(str(g[0]) for g in groups),
*sys.argv[1:]
)

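Review bot: GID 0 is skipped in the `groupadd` loop but is still part of the comma-joined list handed to `useradd --groups` and to `setpriv --groups`, so a host user who belongs to the root group runs inside the container with supplementary group 0 even though `--inh-caps=-all` is there to shed root privilege. That list also replaces `--clear-groups`, so every host membership is carried in by number; if this is intended for bind-mount access, a comment saying so would help, and otherwise build the list once, e.g. `supp = [g for g in groups if g[0] != 0]`, and use it in both calls. Separately, the new `groupadd` call no longer passes `--non-unique`, so a host GID or group name that already exists in the image will presumably make `check_call` raise and abort startup. `main()` continues outside these hunks, so any remaining use of `gid` or `group` there would now see whatever the loops last assigned.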
10 changes: 9 additions & 1 deletion pyrex.py
Expand Up @@ -370,6 +370,14 @@ def prep_container(
username = pwd.getpwuid(uid).pw_name
groupname = grp.getgrgid(gid).gr_name

groups = ["%d:%s" % (gid, groupname)]

for group in grp.getgrall():
if group.gr_name == groupname:
continue
if username in group.gr_mem:
groups.append("%d:%s" % (group.gr_gid, group.gr_name))

# These are "hidden" keys in pyrex.ini that aren't publicized, and
# are primarily used for testing. Use they at your own risk, they
# may change
Expand All @@ -392,7 +400,7 @@ def prep_container(
"-e",
"PYREX_UID=%d" % uid,
"-e",
"PYREX_GROUP=%s" % groupname,
"PYREX_GROUPS=%s" % " ".join(groups),
"-e",
"PYREX_GID=%d" % gid,
"-e",
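Review bot: The `gid:name` entries are joined with spaces in `PYREX_GROUPS` and split on whitespace in `image/entry.py`, so a group name containing a space (which some directory-backed NSS sources produce) yields a token without a colon and the `gid, name = s.split(":")` unpack there raises. Skipping such names in the loop avoids that, e.g. `if any(c.isspace() or c == ":" for c in group.gr_name): continue`, or pass only numeric GIDs. The loop also compares by name only, so a second group that shares the primary GID is appended as a duplicate GID, and `grp.getgrall()` sees only the groups the NSS backend enumerates; `os.getgrouplist(username, gid)` would return the membership directly, assuming `os` is imported in this file. `prep_container`'s body continues outside the hunks shown.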
