Commit 442e8042 authored by Natanael Copa's avatar Natanael Copa

abuild-sudo: new tool

mini sudo that checks if user is in "abuild" group and allows it to
run apk, adduser and addgroup as root

ref #951
parent 52d6af77
...@@ -3,6 +3,7 @@ PACKAGE := abuild ...@@ -3,6 +3,7 @@ PACKAGE := abuild
VERSION := 2.11.2 VERSION := 2.11.2
prefix ?= /usr prefix ?= /usr
bindir ?= $(prefix)/bin
sysconfdir ?= /etc sysconfdir ?= /etc
datadir ?= $(prefix)/share/$(PACKAGE) datadir ?= $(prefix)/share/$(PACKAGE)
abuildrepo ?= ~/.cache/abuild abuildrepo ?= ~/.cache/abuild
...@@ -12,7 +13,7 @@ LUA_SHAREDIR ?= $(prefix)/share/lua/$(LUA_VERSION)/ ...@@ -12,7 +13,7 @@ LUA_SHAREDIR ?= $(prefix)/share/lua/$(LUA_VERSION)/
SCRIPTS := abuild buildrepo abuild-keygen abuild-sign newapkbuild \ SCRIPTS := abuild buildrepo abuild-keygen abuild-sign newapkbuild \
abump apkgrel ap buildlab apkbuild-cpan abump apkgrel ap buildlab apkbuild-cpan
USR_BIN_FILES := $(SCRIPTS) abuild-tar USR_BIN_FILES := $(SCRIPTS) abuild-tar abuild-sudo
SAMPLES := sample.APKBUILD sample.initd sample.confd \ SAMPLES := sample.APKBUILD sample.initd sample.confd \
sample.pre-install sample.post-install sample.pre-install sample.post-install
...@@ -31,6 +32,7 @@ endif ...@@ -31,6 +32,7 @@ endif
CHMOD := chmod CHMOD := chmod
SED := sed SED := sed
TAR := tar TAR := tar
LINK = $(CC) $(OBJS-$@) -o $@ $(LDFLAGS) $(LDFLAGS-$@) $(LIBS-$@)
SED_REPLACE := -e 's:@VERSION@:$(FULL_VERSION):g' \ SED_REPLACE := -e 's:@VERSION@:$(FULL_VERSION):g' \
-e 's:@prefix@:$(prefix):g' \ -e 's:@prefix@:$(prefix):g' \
...@@ -38,15 +40,23 @@ SED_REPLACE := -e 's:@VERSION@:$(FULL_VERSION):g' \ ...@@ -38,15 +40,23 @@ SED_REPLACE := -e 's:@VERSION@:$(FULL_VERSION):g' \
-e 's:@datadir@:$(datadir):g' \ -e 's:@datadir@:$(datadir):g' \
-e 's:@abuildrepo@:$(abuildrepo):g' -e 's:@abuildrepo@:$(abuildrepo):g'
SSL_CFLAGS := $(shell pkg-config --cflags openssl) SSL_CFLAGS = $(shell pkg-config --cflags openssl)
SSL_LIBS := $(shell pkg-config --libs openssl) SSL_LIBS = $(shell pkg-config --libs openssl)
LDFLAGS ?=
OBJS-abuild-tar = abuild-tar.o
LIBS-abuild-tar = $(SSL_LIBS)
CFLAGS-abuild-tar = $(SSL_CFLAGS)
OBJS-abuild-sudo = abuild-sudo.o
.SUFFIXES: .sh.in .in .SUFFIXES: .sh.in .in
.sh.in.sh: %.sh: %.sh.in
${SED} ${SED_REPLACE} ${SED_EXTRA} $< > $@ ${SED} ${SED_REPLACE} ${SED_EXTRA} $< > $@
${CHMOD} +x $@ ${CHMOD} +x $@
.in: %: %.in
${SED} ${SED_REPLACE} ${SED_EXTRA} $< > $@ ${SED} ${SED_REPLACE} ${SED_EXTRA} $< > $@
${CHMOD} +x $@ ${CHMOD} +x $@
...@@ -57,11 +67,17 @@ all: $(USR_BIN_FILES) ...@@ -57,11 +67,17 @@ all: $(USR_BIN_FILES)
clean: clean:
@rm -f $(USR_BIN_FILES) @rm -f $(USR_BIN_FILES)
abuild-tar: abuild-tar.c %.o: %.c
$(CC) -o $@ $^ -Wl,--as-needed $(SSL_LIBS) $(CC) $(CFLAGS) $(CFLAGS-$@) -o $@ -c $<
abuild-tar.static: abuild-tar.c abuild-sudo: abuild-sudo.o
$(CC) -o $@ -static $(SSL_LIBS) $^ $(LINK)
abuild-tar: abuild-tar.o
$(LINK)
abuild-tar.static: abuild-tar.o
$(CC) $(CFLAGS) $(CFLAGS-$@) -o $@ -static $(LIBS-$@) $^
help: help:
@echo "$(P) makefile" @echo "$(P) makefile"
...@@ -69,10 +85,14 @@ help: ...@@ -69,10 +85,14 @@ help:
@echo " make dist" @echo " make dist"
install: $(USR_BIN_FILES) $(SAMPLES) abuild.conf functions.sh aports.lua install: $(USR_BIN_FILES) $(SAMPLES) abuild.conf functions.sh aports.lua
mkdir -p $(DESTDIR)/$(prefix)/bin $(DESTDIR)/$(sysconfdir) \ install -d $(DESTDIR)/$(bindir) $(DESTDIR)/$(sysconfdir) \
$(DESTDIR)/$(datadir) $(DESTDIR)/$(datadir)
for i in $(USR_BIN_FILES); do\ for i in $(USR_BIN_FILES); do\
install -m 755 $$i $(DESTDIR)/$(prefix)/bin/$$i;\ install -m 755 $$i $(DESTDIR)/$(bindir)/$$i;\
done
chmod 4111 $(DESTDIR)/$(prefix)/bin/abuild-sudo
for i in adduser addgroup apk; do \
ln -fs abuild-sudo $(DESTDIR)/$(bindir)/abuild-$$i; \
done done
if [ -n "$(DESTDIR)" ] || [ ! -f "/$(sysconfdir)"/abuild.conf ]; then\ if [ -n "$(DESTDIR)" ] || [ ! -f "/$(sysconfdir)"/abuild.conf ]; then\
cp abuild.conf $(DESTDIR)/$(sysconfdir)/; \ cp abuild.conf $(DESTDIR)/$(sysconfdir)/; \
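Review bot: The `chmod 4111` line in the install recipe targets `$(DESTDIR)/$(prefix)/bin/abuild-sudo`, while the install loop above it and the symlink loop below it use `$(bindir)`, so overriding `bindir` either makes the chmod fail or leaves the installed helper without its setuid bit; it should read `chmod 4111 $(DESTDIR)/$(bindir)/abuild-sudo`. Mode 4111 also lets every local user execute the setuid helper and leaves the group check entirely to the program. If the packaging step can set ownership, installing it as root with group abuild and mode 4110 would add a filesystem-level restriction on top of the in-program check. The install recipe appears to continue past the last visible line.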
......
#include <sys/types.h>
#include <err.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifndef ABUILD_GROUP
#define ABUILD_GROUP "abuild"
#endif
static const char* valid_cmds[] = {
"/bin/adduser",
"/bin/addgroup",
"/sbin/apk",
NULL
};
const char *get_command_path(const char *cmd)
{
const char *p;
int i;
for (i = 0; valid_cmds[i] != NULL; i++) {
p = strrchr(valid_cmds[i], '/') + 1;
if (strcmp(p, cmd) == 0)
return valid_cmds[i];
}
return NULL;
}
int is_in_group(gid_t group)
{
int ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1;
gid_t *buf = malloc(ngroups_max * sizeof(gid_t));
int ngroups, ret = 0;
int i;
if (buf == NULL) {
perror("malloc");
return 0;
}
ngroups = getgroups(ngroups_max, buf);
for (i = 0; i < ngroups; i++) {
if (buf[i] == group)
break;
}
free(buf);
return i < ngroups;
}
int main(int argc, const char *argv[])
{
struct group *grent;
const char *cmd;
const char *path;
grent = getgrnam(ABUILD_GROUP);
if (grent == NULL)
errx(1, "%s: Group not found", ABUILD_GROUP);
if (!is_in_group(grent->gr_gid))
errx(1, "Not a member of group %s\n", ABUILD_GROUP);
cmd = strrchr(argv[0], '-');
if (cmd == NULL)
errx(1, "Calling command has no '-'");
cmd++;
path = get_command_path(cmd);
if (path == NULL)
errx(1, "%s: Not a valid subcommand", cmd);
argv[0] = path;
/* set our uid to root soo bbsuid --install works */
setuid(0);
execv(path, (char * const*)argv);
return 1;
}
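Review bot: main() passes the caller's environment unchanged to `execv()` after `setuid(0)`, so the target runs with real and effective uid 0 and may no longer treat inherited loader or PATH settings as untrusted (how much the loader has already scrubbed depends on the libc); a setuid helper should exec with a fixed minimal environment. The same function dereferences `argv[0]` without checking `argc`, ignores the return value of `setuid(0)`, and exits silently when `execv()` fails. Because all arguments are forwarded to `apk` unrestricted, membership of the abuild group is effectively root-equivalent, which deserves a comment at the top of the file. A hardened version of the affected lines is sketched below; extend the environment list with any variables the tools genuinely need.

```c
int main(int argc, const char *argv[])
{
	/* fixed environment for the privileged child; nothing inherited from the caller */
	static char *const safe_env[] = {
		"PATH=/usr/sbin:/usr/bin:/sbin:/bin",
		NULL
	};
	/* … unchanged: declarations, group lookup and membership check … */
	if (argc < 1 || argv[0] == NULL)
		errx(1, "Missing argv[0]");
	cmd = strrchr(argv[0], '-');
	/* … unchanged: subcommand lookup, argv[0] = path … */
	if (setuid(0) != 0)
		err(1, "setuid");
	execve(path, (char * const*)argv, safe_env);
	err(1, "%s", path);
}
```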