Projects/muscl
12
3
Fork 0
Code Issues 75 Pull Requests Actions 1 Packages Releases Activity

core: check suid/sgid dynamically instead of checking file
All checks were successful
Build and test / check (push) Successful in 1m41s
Details
Build and test / test (push) Successful in 3m5s
Details
Build and test / check-license (push) Successful in 5m56s
Details
Build and test / docs (push) Successful in 5m29s
Details
Build and test / build (push) Successful in 3m9s
Details

Browse Source
This commit is contained in:
Oystein Kristoffer Tveit
2025-12-04 20:29:44 +09:00
parent eeef8bd546
commit 222941509d
4 changed files with 17 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nix/nixos-configurations/vm-suid.nix
View File

@@ -90,7 +90,7 @@ nixpkgs.lib.nixosSystem {
defaultEditor = true;
};
environment.systemPackages = with pkgs; [ jq ];
environment.systemPackages = with pkgs; [ jq pkgs.muscl ];
})
];
}

8
src/core/bootstrap.rs
View File

@@ -10,7 +10,7 @@ use tracing_subscriber::prelude::*;
use crate::{
core::common::{
DEFAULT_CONFIG_PATH, DEFAULT_SOCKET_PATH, UnixUser, executable_is_suid_or_sgid,
DEFAULT_CONFIG_PATH, DEFAULT_SOCKET_PATH, UnixUser, executing_in_suid_sgid_mode,
},
server::{
config::{MysqlConfig, ServerConfig},
@@ -81,7 +81,7 @@ pub fn bootstrap_server_connection_and_drop_privileges(
) -> anyhow::Result<StdUnixStream> {
if will_connect_to_external_server(server_socket_path.as_ref(), config.as_ref())? {
assert!(
!executable_is_suid_or_sgid()?,
!executing_in_suid_sgid_mode()?,
"The executable should not be SUID or SGID when connecting to an external server"
);
@@ -178,7 +178,7 @@ fn bootstrap_internal_server_and_drop_privs(
config_path: Option<PathBuf>,
) -> anyhow::Result<StdUnixStream> {
if let Some(config_path) = config_path {
if !executable_is_suid_or_sgid()? {
if !executing_in_suid_sgid_mode()? {
anyhow::bail!("Executable is not SUID/SGID - refusing to start internal sever");
}
@@ -195,7 +195,7 @@ fn bootstrap_internal_server_and_drop_privs(
let config_path = PathBuf::from(DEFAULT_CONFIG_PATH);
if fs::metadata(&config_path).is_ok() {
if !executable_is_suid_or_sgid()? {
if !executing_in_suid_sgid_mode()? {
anyhow::bail!("Executable is not SUID/SGID - refusing to start internal sever");
}
tracing::debug!("Starting server with default config at {:?}", config_path);

26
src/core/common.rs
View File

@@ -67,28 +67,20 @@ fn get_unix_groups(user: &LibcUser) -> anyhow::Result<Vec<LibcGroup>> {
Ok(groups)
}
/// Check if the current executable is SUID or SGID.
///
/// If the check fails, an error is returned.
/// Check if the current executable is running in SUID/SGID mode
#[cfg(feature = "suid-sgid-mode")]
pub fn executable_is_suid_or_sgid() -> anyhow::Result<bool> {
use std::{fs, os::unix::fs::PermissionsExt};
let result = std::env::current_exe()
.context("Failed to get current executable path")
.and_then(|executable| {
fs::metadata(executable).context("Failed to get executable metadata")
})
.context("Failed to check SUID/SGID bits on executable")
.map(|metadata| {
let mode = metadata.permissions().mode();
mode & 0o4000 != 0 || mode & 0o2000 != 0
})?;
Ok(result)
pub fn executing_in_suid_sgid_mode() -> anyhow::Result<bool> {
let euid = nix::unistd::geteuid();
let uid = nix::unistd::getuid();
let egid = nix::unistd::getegid();
let gid = nix::unistd::getgid();
Ok(euid != uid || egid != gid)
}
#[cfg(not(feature = "suid-sgid-mode"))]
#[inline]
pub fn executable_is_suid_or_sgid() -> anyhow::Result<bool> {
pub fn executing_in_suid_sgid_mode() -> anyhow::Result<bool> {
Ok(false)
}

6
src/main.rs
View File

@@ -16,7 +16,7 @@ use futures_util::StreamExt;
use crate::{
core::{
bootstrap::bootstrap_server_connection_and_drop_privileges,
common::{ASCII_BANNER, KIND_REGARDS, executable_is_suid_or_sgid},
common::{ASCII_BANNER, KIND_REGARDS, executing_in_suid_sgid_mode},
protocol::{Response, create_client_to_server_message_stream},
},
server::{command::ServerArgs, landlock::landlock_restrict_server},
@@ -151,7 +151,7 @@ fn main() -> anyhow::Result<()> {
fn handle_dynamic_completion() -> anyhow::Result<Option<()>> {
if std::env::var_os("COMPLETE").is_some() {
#[cfg(feature = "suid-sgid-mode")]
if executable_is_suid_or_sgid()? {
if executing_in_suid_sgid_mode()? {
use crate::core::bootstrap::drop_privs;
drop_privs()?
}
@@ -202,7 +202,7 @@ fn handle_server_command(args: &Args) -> anyhow::Result<Option<()>> {
match args.command {
Command::Server(ref command) => {
assert!(
!executable_is_suid_or_sgid()?,
!executing_in_suid_sgid_mode()?,
"The executable should not be SUID or SGID when running the server manually"
);