From b79cca53db832feb597a74e1ca6c8930b22950a7 Mon Sep 17 00:00:00 2001
From: Percy Wegmann
Date: Mon, 29 Apr 2024 07:48:48 -0500
Subject: [PATCH] WIP

Signed-off-by: Percy Wegmann
---
 ssh/tailssh/incubator.go | 56 +++++++++-------------------------------
 1 file changed, 12 insertions(+), 44 deletions(-)

diff --git a/ssh/tailssh/incubator.go b/ssh/tailssh/incubator.go
index dcd80a3844fde..e0611a3b8a2b9 100644
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -156,22 +156,6 @@ func (stdRWC) Close() error {
 }
 
 type incubatorArgs struct {
-<<<<<<< HEAD
- uid int
- gid int
- groups string
- localUser string
- remoteUser string
- remoteIP string
- ttyName string
- hasTTY bool
- cmdName string
- isSFTP bool
- isShell bool
- loginCmdPath string
- cmdArgs []string
- debugTest bool
-=======
 uid int
 gid int
 groups string
@@ -184,11 +168,7 @@ type incubatorArgs struct {
 isSFTP bool
 isShell bool
 cmdArgs []string
- env []string
- stdin io.ReadCloser
- stdout io.WriteCloser
- stderr io.WriteCloser
->>>>>>> 1993c8fb0 (WIP)
+ debugTest bool
 }
 
 func parseIncubatorArgs(args []string) (a incubatorArgs) {
@@ -204,11 +184,7 @@ func parseIncubatorArgs(args []string) (a incubatorArgs) {
 flags.StringVar(&a.cmdName, "cmd", "", "the cmd to launch (ignored in sftp mode)")
 flags.BoolVar(&a.isShell, "shell", false, "is launching a shell (with no cmds)")
 flags.BoolVar(&a.isSFTP, "sftp", false, "run sftp server (cmd is ignored)")
-<<<<<<< HEAD
- flags.StringVar(&a.loginCmdPath, "login-cmd", "", "the path to `login` cmd")
 flags.BoolVar(&a.debugTest, "debug-test", false, "should debug in test mode")
-=======
->>>>>>> 1993c8fb0 (WIP)
 flags.Parse(args)
 a.cmdArgs = flags.Args()
 return a
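Review bot: `flags.Parse(args)`, two lines above `return a`, still discards its error, and the only validation the commit adds lives in the caller (`--sftp` vs `--shell`), so whether a malformed argument list can yield a zero-valued `incubatorArgs` — `uid`/`gid` of 0, i.e. root — depends on how the FlagSet was constructed above the hunk, which is not visible here. If it is `flag.ExitOnError`, say so at the call site, e.g. `flags.Parse(args) // FlagSet is ExitOnError: a bad argv terminates the incubator instead of yielding uid/gid 0`; if it is `flag.ContinueOnError`, the result must be checked before the uid/gid fields are trusted by the privilege-dropping code. Now that `--login-cmd` is gone, the hunk also leaves `--debug-test` as the one remaining behavior switch on a process that changes UID/GID, and neither the flag text nor the new `debugTest` field says what it enables; a one-line comment on the field would help. The FlagSet declaration and the rest of parseIncubatorArgs sit outside the hunk.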
@@ -221,10 +197,6 @@ func parseIncubatorArgs(args []string) (a incubatorArgs) {
 //
 // Tailscaled launches the incubator as the same user as it was launched as.
 func beIncubator(args []string) error {
- return doBeIncubator(args, os.Environ(), os.Stdin, os.Stdout, os.Stderr)
-}
-
-func doBeIncubator(args []string, env []string, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error {
 // To defend against issues like https://golang.org/issue/1435,
 // defensively lock our current goroutine's thread to the current
 // system thread before we start making any UID/GID/group changes.
@@ -235,6 +207,11 @@ func doBeIncubator(args []string, env []string, stdin io.ReadCloser, stdout, std
 runtime.LockOSThread()
 defer runtime.UnlockOSThread()
 
+ ia := parseIncubatorArgs(args)
+ if ia.isSFTP && ia.isShell {
+ return fmt.Errorf("--sftp and --shell are mutually exclusive")
+ }
+
 logf := logger.Discard
 if debugIncubator {
 // We don't own stdout or stderr, so the only place we can log is syslog.
@@ -253,15 +230,6 @@ func doBeIncubator(args []string, env []string, stdin io.ReadCloser, stdout, std
 }
 }
 
- ia := parseIncubatorArgs(args)
- ia.env = env
- ia.stdin = stdin
- ia.stdout = stdout
- ia.stderr = stderr
- if ia.isSFTP && ia.isShell {
- return fmt.Errorf("--sftp and --shell are mutually exclusive")
- }
-
 if ia.isSFTP {
 return handleFTP(logf)
 }
@@ -357,7 +325,7 @@ func tryLoginCmd(logf logger.Logf, ia incubatorArgs) (bool, error) {
 loginArgs := ia.loginArgs(loginCmdPath)
 logf("logging in with %s %+v", loginCmdPath, loginArgs)
 // replace the running process
- return true, unix.Exec(loginCmdPath, loginArgs, ia.env)
+ return true, unix.Exec(loginCmdPath, loginArgs, os.Environ())
 }
 
 return false, nil
@@ -427,7 +395,7 @@ func tryLoginWithSU(logf logger.Logf, ia incubatorArgs) (bool, error) {
 }
 
 logf("logging in with %s %+v", su, loginArgs)
- return true, unix.Exec(su, loginArgs, ia.env)
+ return true, unix.Exec(su, loginArgs, os.Environ())
 }
 
 // handleFTP serves FTP connections.
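Review bot: In the `@@ -235` hunk the `--sftp`/`--shell` rejection now returns before `logf` exists (the `logf := logger.Discard` / `if debugIncubator` lines follow it), so even with debugIncubator set a rejected invocation leaves no trace in syslog, which the comment on the next line says is the only place the incubator can log. Presumably the parent reports the returned error, but if the incubator's syslog trail is what an operator would consult, either move the argument check below the logger setup or have the parent log the error with the offending argv. beIncubator continues past the hunk.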
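Review bot: In the `@@ -357` hunk `unix.Exec(loginCmdPath, loginArgs, os.Environ())` now hands `login` the incubator's entire environment instead of a caller-chosen one, and the `su` exec in the following hunk does the same; login programs normally rebuild the session environment, but whatever they preserve (PATH, proxy or debug variables) will come from the environment tailscaled launched the incubator with, which this file cannot see. The removed `env` plumbing was the only point where a curated environment could have been injected, so the contract belongs next to the exec, e.g. `// os.Environ() is the environment the parent built for the incubator; login(1) resets it for the session, so the parent must never place privileged state there`, and should be checked against the parent's exec.Cmd setup. tryLoginCmd begins before this hunk, where `loginCmdPath` is defined.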
@@ -465,10 +433,10 @@ func handleDropPrivileges(logf logger.Logf, ia incubatorArgs) error {
 
 logf("running %s %+v", ia.cmdName, ia.cmdArgs)
 cmd := exec.Command(ia.cmdName, ia.cmdArgs...)
- cmd.Stdin = ia.stdin
- cmd.Stdout = ia.stdout
- cmd.Stderr = ia.stderr
- cmd.Env = ia.env
+ cmd.Stdin = os.Stdin
+ cmd.Stdout = os.Stdout
+ cmd.Stderr = os.Stderr
+ cmd.Env = os.Environ()
 
 if ia.hasTTY {
 // If we were launched with a tty then we should
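Review bot: `cmd.Env = os.Environ()` passes the incubator's environment to the user's command verbatim, and unlike the `login`/`su` paths there is no program here that rebuilds a session environment, so anything the parent left in the incubator's environment reaches the now-unprivileged process unchanged. Given the comment elsewhere in this patch that tailscaled launches the incubator, that is only safe if the parent constructs a fresh per-user environment rather than letting the incubator inherit tailscaled's own; that is not visible in this file, so it should be stated at the assignment, e.g. `// Inherited verbatim: must be the per-user environment the parent built, never tailscaled's raw environment.` Switching to `os.Stdin`/`os.Stdout`/`os.Stderr` (real `*os.File`s) rather than arbitrary `io.ReadCloser`s is presumably also what lets the tty handling that follows work on actual fds, which deserves a one-line comment since the removed interface fields made that non-obvious. The `if ia.hasTTY` branch and the rest of handleDropPrivileges continue past the hunk.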