From 5dd27e11013a8f044f0637094e4f7edfe0959af9 Mon Sep 17 00:00:00 2001 From: Luka Vandervelden Date: Mon, 10 Jun 2019 14:32:30 +0200 Subject: [PATCH] Priviledges management. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - `service status` does not require priviledges anymore… if the `status` binary is owned by root and has the setuid and setguid flags. Hopefully, that binary only checks that a service’s process exists. --- src/config.cr.in | 1 + src/service.cr | 12 +++++++++++- src/status.cr | 3 +++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/src/config.cr.in b/src/config.cr.in index c815224..bc02c6a 100644 --- a/src/config.cr.in +++ b/src/config.cr.in @@ -5,4 +5,5 @@ RC_DIRECTORY = "@SYSCONFDIR@/rc/services" LOG_DIRECTORY = "@VARSTATEDIR@/log" SERVICES_DIRECTORY = "@SHAREDIR@/services" ENVIRONMENTS_DIRECTORY = "@SYSCONFDIR@/rc/environments" +OWN_LIBEXEC_DIR = "@LIBEXECDIR@/service" diff --git a/src/service.cr b/src/service.cr index 5b71e52..acf258e 100644 --- a/src/service.cr +++ b/src/service.cr @@ -95,7 +95,17 @@ begin end end elsif args[0] == "status" - puts Service.new(args[1], args[2]?).status PID_DIRECTORY + child = Process.run "#{OWN_LIBEXEC_DIR}/status", [args[1]], + output: Process::Redirect::Inherit, + error: Process::Redirect::Inherit + return_value = child.exit_status / 256 + + # Errors not registered here should probably be verbose in `status`. + if return_value == 1 + STDERR << "No such service.\n" + end + + exit return_value elsif args[0] == "show" service = Service.all.find do |service| unless service.name == args[1] diff --git a/src/status.cr b/src/status.cr index 5416ac7..01b0a21 100644 --- a/src/status.cr +++ b/src/status.cr @@ -7,6 +7,9 @@ ServiceDefinition.load SERVICES_DIRECTORY Environment.load ENVIRONMENTS_DIRECTORY Service.load RC_DIRECTORY +LibC.setuid 0 +LibC.setgid 0 + Service.get_by_id(ARGV[0]).try do |service| puts service.status PID_DIRECTORY exit 0
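Review bot: `return_value = child.exit_status / 256` assumes the helper always exits normally, so a `status` helper killed by a signal leaves a raw status below 256 and the command ends with `exit 0`, reporting success for a crashed privileged helper. Decoding the status explicitly avoids that, for example `return_value = child.normal_exit? ? child.exit_code : 2`, where the fallback code is only a suggestion; it also stops depending on `/` being integer division, which newer Crystal releases no longer guarantee. The old call passed `args[2]?` to `Service.new`, while the new argument list `[args[1]]` drops it; if that argument selected the environment, it should be forwarded to the helper or the omission documented in a comment. The `elsif` chain this branch belongs to starts and ends outside the hunk.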
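Review bot: The results of `LibC.setuid 0` and `LibC.setgid 0` are discarded, so when the binary is not installed setuid root both calls fail silently and the lookup below runs unprivileged, presumably printing a misleading status. When they succeed, everything after them runs with real uid and gid 0 on a caller-supplied `ARGV[0]` and an inherited environment, and the three `load` calls above have already run with effective root if the setuid bit is set. I would check both results, e.g. `abort "status: cannot acquire privileges", 2 unless LibC.setuid(0) == 0 && LibC.setgid(0) == 0`, and add a comment above them saying why root is needed and that `ARGV[0]` is untrusted input. If `service.status` only probes whether the recorded PID is alive, it may not need root at all, since a signal-0 probe that fails with EPERM still shows the process exists; that depends on code outside this hunk. The `try` block continues past the end of the hunk.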