Add support for impersonating secondary groups
parent
54c2a7abf0
commit
3426a24929
|
|
@ -21,6 +21,7 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"os/user"
|
"os/user"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"syscall"
|
"syscall"
|
||||||
|
|
||||||
|
|
@ -79,11 +80,10 @@ func (r *RunCommand) ExecuteCommand(config *v1.Config, buildArgs *dockerfile.Bui
|
||||||
|
|
||||||
// If specified, run the command as a specific user
|
// If specified, run the command as a specific user
|
||||||
if userStr != "" {
|
if userStr != "" {
|
||||||
uid, gid, err := util.GetUIDAndGIDFromString(userStr, true)
|
cmd.SysProcAttr.Credential, err = impersonate(userStr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return errors.Wrap(err, "impersonate")
|
||||||
}
|
}
|
||||||
cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uid, Gid: gid}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
env, err := addDefaultHOME(userStr, replacementEnvs)
|
env, err := addDefaultHOME(userStr, replacementEnvs)
|
||||||
|
|
@ -113,6 +113,38 @@ func (r *RunCommand) ExecuteCommand(config *v1.Config, buildArgs *dockerfile.Bui
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func impersonate(userStr string) (*syscall.Credential, error) {
|
||||||
|
uid, gid, err := util.GetUIDAndGIDFromString(userStr, true)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "get uid/gid")
|
||||||
|
}
|
||||||
|
|
||||||
|
u, err := util.Lookup(userStr)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "lookup")
|
||||||
|
}
|
||||||
|
logrus.Infof("user: %+v", u)
|
||||||
|
|
||||||
|
// Handle the case of secondary groups
|
||||||
|
groups := []uint32{41}
|
||||||
|
gidStr, err := u.GroupIds()
|
||||||
|
logrus.Infof("groupstr: %s", gidStr)
|
||||||
|
|
||||||
|
for _, g := range gidStr {
|
||||||
|
i, err := strconv.ParseUint(g, 10, 32)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "parseuint")
|
||||||
|
}
|
||||||
|
groups = append(groups, uint32(i))
|
||||||
|
}
|
||||||
|
|
||||||
|
return &syscall.Credential{
|
||||||
|
Uid: uid,
|
||||||
|
Gid: gid,
|
||||||
|
Groups: groups,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
// addDefaultHOME adds the default value for HOME if it isn't already set
|
// addDefaultHOME adds the default value for HOME if it isn't already set
|
||||||
func addDefaultHOME(u string, envs []string) ([]string, error) {
|
func addDefaultHOME(u string, envs []string) ([]string, error) {
|
||||||
for _, env := range envs {
|
for _, env := range envs {
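Review bot: In `impersonate`, `groups := []uint32{41}` seeds the supplementary group list with a hard-coded GID 41, so every command run as a specified user gains membership in that group regardless of what the user database says; the list should start empty, e.g. `var groups []uint32`. The error returned by `u.GroupIds()` is never checked (the `err` inside the loop is a new variable), so a failed group lookup silently produces a credential with an incomplete group list; add `if err != nil { return nil, errors.Wrap(err, "get group ids") }` directly after the call. The two `logrus.Infof` calls read like debugging output and would fit better at debug level. Because `util.Lookup` is now mandatory, a numeric user with no passwd entry may fail here where the previous code accepted it; this should be confirmed against `util.Lookup`, which is not visible on this page.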
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,5 @@
|
||||||
module github.com/spf13/afero
|
module github.com/spf13/afero
|
||||||
|
|
||||||
|
go 1.14
|
||||||
|
|
||||||
require golang.org/x/text v0.3.0
|
require golang.org/x/text v0.3.0
|
||||||
|
|
|
||||||