// ALR - Any Linux Repository // Copyright (C) 2025 Евгений Храмов // // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License // along with this program. If not, see . package utils import ( "errors" "os" "os/user" "strconv" "syscall" "github.com/leonelquinteros/gotext" "github.com/urfave/cli/v2" "gitea.plemya-x.ru/Plemya-x/ALR/internal/cliutils" "gitea.plemya-x.ru/Plemya-x/ALR/internal/constants" ) func GetUidGidAlrUserString() (string, string, error) { u, err := user.Lookup("alr") if err != nil { return "", "", err } return u.Uid, u.Gid, nil } func GetUidGidAlrUser() (int, int, error) { strUid, strGid, err := GetUidGidAlrUserString() if err != nil { return 0, 0, err } uid, err := strconv.Atoi(strUid) if err != nil { return 0, 0, err } gid, err := strconv.Atoi(strGid) if err != nil { return 0, 0, err } return uid, gid, nil } func DropCapsToAlrUser() error { uid, gid, err := GetUidGidAlrUser() if err != nil { return err } err = syscall.Setgid(gid) if err != nil { return err } err = syscall.Setuid(uid) if err != nil { return err } return EnsureIsAlrUser() } func ExitIfCantDropGidToAlr() cli.ExitCoder { _, gid, err := GetUidGidAlrUser() if err != nil { return cliutils.FormatCliExit("cannot get gid alr", err) } err = syscall.Setgid(gid) if err != nil { return cliutils.FormatCliExit("cannot get setgid alr", err) } return nil } // ExitIfCantDropCapsToAlrUser attempts to drop capabilities to the already // running user. Returns a cli.ExitCoder with an error if the operation fails. // See also [ExitIfCantDropCapsToAlrUserNoPrivs] for a version that also applies // no-new-privs. func ExitIfCantDropCapsToAlrUser() cli.ExitCoder { err := DropCapsToAlrUser() if err != nil { return cliutils.FormatCliExit(gotext.Get("Error on dropping capabilities"), err) } return nil } func ExitIfCantSetNoNewPrivs() cli.ExitCoder { if err := NoNewPrivs(); err != nil { return cliutils.FormatCliExit("error on NoNewPrivs", err) } return nil } // ExitIfCantDropCapsToAlrUserNoPrivs combines [ExitIfCantDropCapsToAlrUser] with [ExitIfCantSetNoNewPrivs] func ExitIfCantDropCapsToAlrUserNoPrivs() cli.ExitCoder { if err := ExitIfCantDropCapsToAlrUser(); err != nil { return err } if err := ExitIfCantSetNoNewPrivs(); err != nil { return err } return nil } func ExitIfNotRoot() error { if os.Getuid() != 0 { return cli.Exit(gotext.Get("You need to be root to perform this action"), 1) } return nil } func EnsureIsAlrUser() error { uid, gid, err := GetUidGidAlrUser() if err != nil { return err } newUid := syscall.Getuid() if newUid != uid { return errors.New("new uid don't matches requested") } newGid := syscall.Getgid() if newGid != gid { return errors.New("new gid don't matches requested") } return nil } func EnuseIsPrivilegedGroupMember() error { currentUser, err := user.Current() if err != nil { return err } group, err := user.LookupGroup(constants.PrivilegedGroup) if err != nil { return err } groups, err := currentUser.GroupIds() if err != nil { return err } for _, gid := range groups { if gid == group.Gid { return nil } } return cliutils.FormatCliExit(gotext.Get("You need to be a %s member to perform this action", constants.PrivilegedGroup), nil) } func EscalateToRootGid() error { return syscall.Setgid(0) } func EscalateToRootUid() error { return syscall.Setuid(0) } func EscalateToRoot() error { err := EscalateToRootUid() if err != nil { return err } err = EscalateToRootGid() if err != nil { return err } return nil }