Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix sudo usage in cmd-* #3984

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions src/cmd-fetch
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,12 @@ dn=$(dirname "$0")
FILE=cache/pkgcache-repo
if [ -d "${FILE}" ]
then
pkgcachesize=$(sudo du --bytes --max-depth 0 "${FILE}" \
pkgcachesize=$(${SUDO} du --bytes --max-depth 0 "${FILE}" \
| awk '{print $1; exit}')
pkglimit=$((1024 * 1024 * 1024 * 5))
if [[ "${pkgcachesize}" -gt "${pkglimit}" ]]
then
sudo cosa prune --pkgcache
${SUDO} cosa prune --pkgcache
fi
fi

Expand Down
2 changes: 1 addition & 1 deletion src/cmd-init
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,7 @@ source=$1; shift
preflight

if has_privileges; then
sudo chown "$USER:" .
${SUDO} chown "$USER:" .
elif [ ! -w . ]; then
fatal "init: running unprivileged, and current directory not writable"
fi
Expand Down
33 changes: 27 additions & 6 deletions src/cmdlib.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,27 @@ set -euo pipefail
DIR=$(dirname "$(realpath "${BASH_SOURCE[0]}")")
RFC3339="%Y-%m-%dT%H:%M:%SZ"

# Fix 'sudo' in case we're running as root
if [ "$(id -u)" != "0" ]; then
export SUDO=sudo
export SUDO_W_ENV=sudo -E
# always provide the sudo_w_env alias so python scripts can be sure it always exists
alias sudo_w_env='sudo -E'
else
export SUDO=
export SUDO_W_ENV=
fake-sudo() {
# pass thru the exit code implicitly
set -e
"$@"
}
export -f fake-sudo
# Spoof 'sudo' in the environment to go to our wrapper that does nothing instead, including a sudo_w_env that drops the -E options as well.
# Python code doesn't use the ${SUDO} or ${SUDO_W_ENV} variables, so this forces them to the right thing when hardcoding the subprocess commands.
alias sudo='fake-sudo'
alias sudo_w_env='fake-sudo'
fi

info() {
echo "info: $*" 1>&2
}
Expand Down Expand Up @@ -113,9 +134,9 @@ preflight_kvm() {
if ! has_privileges; then
fatal "running unprivileged, and /dev/kvm not writable"
else
sudo rm -f /dev/kvm
sudo mknod /dev/kvm c 10 232
sudo setfacl -m u:"$USER":rw /dev/kvm
${SUDO} rm -f /dev/kvm
${SUDO} mknod /dev/kvm c 10 232
${SUDO} setfacl -m u:"$USER":rw /dev/kvm
fi
fi
fi
Expand Down Expand Up @@ -567,10 +588,10 @@ runcompose_tree() {
set - "$@" --repo "${repo}" --write-composejson-to "${composejson}"
# we hardcode a umask of 0022 here to make sure that composes are run
# with a consistent value, regardless of the environment
(umask 0022 && sudo -E "$@")
sudo chown -R -h "${USER}":"${USER}" "${tmprepo}"
(umask 0022 && ${SUDO_W_ENV} -E "$@")
${SUDO} chown -R -h "${USER}":"${USER}" "${tmprepo}"
if [ -f "${composejson}" ]; then
sudo chown "${USER}":"${USER}" "${composejson}"
${SUDO} chown "${USER}":"${USER}" "${composejson}"
fi
else
runvm_with_cache -- "$@" --repo "${repo}" --write-composejson-to "${composejson}"
Expand Down
Loading