diff options
| author | Sean Whitton <spwhitton@spwhitton.name> | 2021-10-28 16:35:31 -0700 |
|---|---|---|
| committer | Sean Whitton <spwhitton@spwhitton.name> | 2021-10-28 16:59:56 -0700 |
| commit | d8f3404ba4cf1f9a7232cc7c068c9872ba0bd3de (patch) | |
| tree | 30451587e76899d289f71b75e65576cf1b6996ea /src/connection | |
| parent | fd338de27e1d80855e295790ee828043d3d41e32 (diff) | |
| download | consfigurator-d8f3404ba4cf1f9a7232cc7c068c9872ba0bd3de.tar.gz | |
:SETUID: avoid creating user's ~/.cache/consfigurator/ owned by root
This reverts and replaces commit b4eb20904aa8f4ea7ec0ef58eac7889b4b864277.
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Diffstat (limited to 'src/connection')
| -rw-r--r-- | src/connection/setuid.lisp | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/connection/setuid.lisp b/src/connection/setuid.lisp index 59622dd..2036146 100644 --- a/src/connection/setuid.lisp +++ b/src/connection/setuid.lisp @@ -34,16 +34,23 @@ ;; argument to su(1) on, e.g., FreeBSD. So should be fairly ;; portable. (mrun "su" (cdr (assoc :name ent)) - "-c" "echo ${XDG_CACHE_HOME:-$HOME/.cache}"))))) + "-c" "echo ${XDG_CACHE_HOME:-$HOME/.cache}")))) + (cache (merge-pathnames "consfigurator/" xdg-cache-home)) + (datadir (merge-pathnames "data/" cache))) + (dolist (dir (list xdg-cache-home cache datadir)) + (unless (directory-exists-p dir) + (nix:chown (ensure-directories-exist dir) + (cdr (assoc :user-id ent)) (cdr (assoc :group-id ent))))) (continue-connection (make-instance 'setuid-connection - :datadir (merge-pathnames "consfigurator/data/" xdg-cache-home) + :datadir datadir :connattrs `(:remote-uid ,(cdr (assoc :user-id ent)) :remote-gid ,(cdr (assoc :group-id ent)) :remote-user ,(cdr (assoc :name ent)) :remote-home ,(ensure-directory-pathname (cdr (assoc :home ent))) + :consfigurator-cache ,cache :XDG_CACHE_HOME ,xdg-cache-home)) remaining))) @@ -53,8 +60,7 @@ (user (connection-connattr connection :remote-user))) (run-program (list "chown" "-R" (format nil "~A:~A" uid gid) - (unix-namestring (ensure-directories-exist - (slot-value connection 'datadir))))) + (unix-namestring (slot-value connection 'datadir)))) (posix-login-environment user (connection-connattr connection :remote-home)) ;; We are privileged, so this sets the real, effective and saved IDs. |