From 442e804291b54a2ff4a8b9fcbec20be4c759289c Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Fri, 17 Feb 2012 13:28:22 +0000
Subject: [PATCH] abuild-sudo: new tool

mini sudo that checks if user is in "abuild" group and allows it to
run apk, adduser adn addgroup as root

ref #951
---
 Makefile      | 42 +++++++++++++++++++-------
 abuild-sudo.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 112 insertions(+), 11 deletions(-)
 create mode 100644 abuild-sudo.c

diff --git a/Makefile b/Makefile
index 4c48bb44bc9e..e6347a28c1d6 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,7 @@ PACKAGE		:= abuild
 VERSION		:= 2.11.2
 
 prefix		?= /usr
+bindir		?= $(prefix)/bin
 sysconfdir	?= /etc
 datadir		?= $(prefix)/share/$(PACKAGE)
 abuildrepo	?= ~/.cache/abuild
@@ -12,7 +13,7 @@ LUA_SHAREDIR	?= $(prefix)/share/lua/$(LUA_VERSION)/
 
 SCRIPTS		:= abuild buildrepo abuild-keygen abuild-sign newapkbuild \
 		   abump apkgrel ap buildlab apkbuild-cpan
-USR_BIN_FILES	:= $(SCRIPTS) abuild-tar
+USR_BIN_FILES	:= $(SCRIPTS) abuild-tar abuild-sudo
 SAMPLES		:= sample.APKBUILD sample.initd sample.confd \
 		sample.pre-install sample.post-install
 
@@ -31,6 +32,7 @@ endif
 CHMOD		:= chmod
 SED		:= sed
 TAR		:= tar
+LINK		= $(CC) $(OBJS-$@) -o $@ $(LDFLAGS) $(LDFLAGS-$@) $(LIBS-$@)
 
 SED_REPLACE	:= -e 's:@VERSION@:$(FULL_VERSION):g' \
 			-e 's:@prefix@:$(prefix):g' \
@@ -38,15 +40,23 @@ SED_REPLACE	:= -e 's:@VERSION@:$(FULL_VERSION):g' \
 			-e 's:@datadir@:$(datadir):g' \
 			-e 's:@abuildrepo@:$(abuildrepo):g'
 
-SSL_CFLAGS	:= $(shell pkg-config --cflags openssl)
-SSL_LIBS	:= $(shell pkg-config --libs openssl)
+SSL_CFLAGS	= $(shell pkg-config --cflags openssl)
+SSL_LIBS	= $(shell pkg-config --libs openssl)
+
+LDFLAGS ?= 
+
+OBJS-abuild-tar  = abuild-tar.o
+LIBS-abuild-tar = $(SSL_LIBS)
+CFLAGS-abuild-tar = $(SSL_CFLAGS)
+
+OBJS-abuild-sudo = abuild-sudo.o
 
 .SUFFIXES:	.sh.in .in
-.sh.in.sh:
+%.sh: %.sh.in
 	${SED} ${SED_REPLACE} ${SED_EXTRA} $< > $@
 	${CHMOD} +x $@
 
-.in:
+%: %.in
 	${SED} ${SED_REPLACE} ${SED_EXTRA} $< > $@
 	${CHMOD} +x $@
 
@@ -57,11 +67,17 @@ all: 	$(USR_BIN_FILES)
 clean:
 	@rm -f $(USR_BIN_FILES)
 
-abuild-tar:	abuild-tar.c
-	$(CC) -o $@ $^ -Wl,--as-needed $(SSL_LIBS)
+%.o: %.c
+	$(CC) $(CFLAGS) $(CFLAGS-$@) -o $@ -c $<
 
-abuild-tar.static: abuild-tar.c
-	$(CC) -o $@ -static $(SSL_LIBS) $^
+abuild-sudo: abuild-sudo.o
+	$(LINK)
+
+abuild-tar: abuild-tar.o
+	$(LINK)
+
+abuild-tar.static: abuild-tar.o
+	$(CC) $(CFLAGS) $(CFLAGS-$@) -o $@ -static $(LIBS-$@) $^
 
 help:
 	@echo "$(P) makefile"
@@ -69,10 +85,14 @@ help:
 	@echo "       make dist"
 
 install: $(USR_BIN_FILES) $(SAMPLES) abuild.conf functions.sh aports.lua
-	mkdir -p $(DESTDIR)/$(prefix)/bin $(DESTDIR)/$(sysconfdir) \
+	install -d $(DESTDIR)/$(bindir) $(DESTDIR)/$(sysconfdir) \
 		$(DESTDIR)/$(datadir)
 	for i in $(USR_BIN_FILES); do\
-		install -m 755 $$i $(DESTDIR)/$(prefix)/bin/$$i;\
+		install -m 755 $$i $(DESTDIR)/$(bindir)/$$i;\
+	done
+	chmod 4111 $(DESTDIR)/$(prefix)/bin/abuild-sudo
+	for i in adduser addgroup apk; do \
+		ln -fs abuild-sudo $(DESTDIR)/$(bindir)/abuild-$$i; \
 	done
 	if [ -n "$(DESTDIR)" ] || [ ! -f "/$(sysconfdir)"/abuild.conf ]; then\
 		cp abuild.conf $(DESTDIR)/$(sysconfdir)/; \
diff --git a/abuild-sudo.c b/abuild-sudo.c
new file mode 100644
index 000000000000..8c61ad0ffe93
--- /dev/null
+++ b/abuild-sudo.c
@@ -0,0 +1,81 @@
+
+#include <sys/types.h>
+
+#include <err.h>
+#include <grp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#ifndef ABUILD_GROUP
+#define ABUILD_GROUP "abuild"
+#endif
+
+static const char* valid_cmds[] = {
+	"/bin/adduser",
+	"/bin/addgroup",
+	"/sbin/apk",
+	NULL
+};
+
+const char *get_command_path(const char *cmd)
+{
+	const char *p;
+	int i;
+	for (i = 0; valid_cmds[i] != NULL; i++) {
+		p = strrchr(valid_cmds[i], '/') + 1;
+		if (strcmp(p, cmd) == 0)
+			return valid_cmds[i];
+	}
+	return NULL;
+}
+
+int is_in_group(gid_t group)
+{
+	int ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1;
+	gid_t *buf = malloc(ngroups_max * sizeof(gid_t));
+	int ngroups, ret = 0;
+	int i;
+	if (buf == NULL) {
+		perror("malloc");
+		return 0;
+	}
+	ngroups = getgroups(ngroups_max, buf);
+	for (i = 0; i < ngroups; i++) {
+		if (buf[i] == group)
+			break;
+	}
+	free(buf);
+	return i < ngroups;
+}
+	
+
+int main(int argc, const char *argv[])
+{
+	struct group *grent;
+	const char *cmd;
+	const char *path;
+
+	grent = getgrnam(ABUILD_GROUP);
+	if (grent == NULL)
+		errx(1, "%s: Group not found", ABUILD_GROUP);
+
+	if (!is_in_group(grent->gr_gid))
+		errx(1, "Not a member of group %s\n", ABUILD_GROUP);
+
+	cmd = strrchr(argv[0], '-');
+	if (cmd == NULL) 
+		errx(1, "Calling command has no '-'");
+	cmd++;
+
+	path = get_command_path(cmd);
+	if (path == NULL)
+		errx(1, "%s: Not a valid subcommand", cmd);
+
+	argv[0] = path;
+	/* set our uid to root soo bbsuid --install works */
+	setuid(0);
+	execv(path, (char * const*)argv);
+	return 1;
+}
-- 
GitLab