From 0945da8dfefcbb723eecea0e5f4eafff63398253 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Paul=20B=C3=BCtow?= Date: Sun, 26 Jan 2020 11:26:53 +0000 Subject: Introduce drun command, refactor code to use context package --- internal/user/name.go | 15 +++++++++++---- internal/user/server/user.go | 44 +++++++++++++++++++++++++++++--------------- 2 files changed, 40 insertions(+), 19 deletions(-) (limited to 'internal/user') diff --git a/internal/user/name.go b/internal/user/name.go index 5171ec7..28ab0a4 100644 --- a/internal/user/name.go +++ b/internal/user/name.go @@ -2,10 +2,10 @@ package user import ( "os/user" - ) +) - -func Name() string { +// NoRootCheck verifies that the DTail run user is not with UID or GID 0. +func NoRootCheck() { user, err := user.Current() if err != nil { panic(err) @@ -18,7 +18,14 @@ func Name() string { if user.Gid == "0" { panic("Not allowed to run as GID 0") } +} + +// Name of the current run user. +func Name() string { + user, err := user.Current() + if err != nil { + panic(err) + } return user.Username } - diff --git a/internal/user/server/user.go b/internal/user/server/user.go index fad38d8..271a4ac 100644 --- a/internal/user/server/user.go +++ b/internal/user/server/user.go @@ -1,14 +1,15 @@ package server import ( - "github.com/mimecast/dtail/internal/config" - "github.com/mimecast/dtail/internal/fs/permissions" - "github.com/mimecast/dtail/internal/logger" "fmt" "os" "path/filepath" "regexp" "strings" + + "github.com/mimecast/dtail/internal/config" + "github.com/mimecast/dtail/internal/io/fs/permissions" + "github.com/mimecast/dtail/internal/io/logger" ) const maxLinkDepth int = 100 @@ -37,26 +38,28 @@ func (u *User) String() string { } // HasFilePermission is used to determine whether user is alowed to read a file. -func (u *User) HasFilePermission(filePath string) (hasPermission bool) { +func (u *User) HasFilePermission(filePath, permissionType string) (hasPermission bool) { + logger.Debug(u, filePath, permissionType, "Checking config permissions") + cleanPath, err := filepath.EvalSymlinks(filePath) if err != nil { - logger.Error(u, filePath, "Unable to evaluate symlinks", err) + logger.Error(u, filePath, permissionType, "Unable to evaluate symlinks", err) hasPermission = false return } cleanPath, err = filepath.Abs(cleanPath) if err != nil { - logger.Error(u, cleanPath, "Unable to make file path absolute", err) + logger.Error(u, cleanPath, permissionType, "Unable to make file path absolute", err) hasPermission = false return } if cleanPath != filePath { - logger.Info(u, filePath, cleanPath, "Calculated new clean path from original file path (possibly symlink)") + logger.Info(u, filePath, cleanPath, permissionType, "Calculated new clean path from original file path (possibly symlink)") } - hasPermission, err = u.hasFilePermission(cleanPath) + hasPermission, err = u.hasFilePermission(cleanPath, permissionType) if err != nil { logger.Warn(u, cleanPath, err) } @@ -64,12 +67,12 @@ func (u *User) HasFilePermission(filePath string) (hasPermission bool) { return } -func (u *User) hasFilePermission(cleanPath string) (bool, error) { +func (u *User) hasFilePermission(cleanPath, permissionType string) (bool, error) { // First check file system Linux/UNIX permission. if _, err := permissions.ToRead(u.Name, cleanPath); err != nil { - return false, fmt.Errorf("User without OS file system permissions to read file: '%v'", err) + return false, fmt.Errorf("User without OS file system permissions to read path: '%v'", err) } - logger.Info(u, cleanPath, "User has OS file system permissions to read file") + logger.Info(u, cleanPath, permissionType, "User with OS file system permissions to path") // If file system permission is given, also check permissions // as configured in DTail config file. @@ -84,7 +87,7 @@ func (u *User) hasFilePermission(cleanPath string) (bool, error) { var hasPermission bool var err error - if hasPermission, err = u.iteratePaths(cleanPath); err != nil { + if hasPermission, err = u.iteratePaths(cleanPath, permissionType); err != nil { return false, err } @@ -101,17 +104,28 @@ func (u *User) hasFilePermission(cleanPath string) (bool, error) { return hasPermission, nil } -func (u *User) iteratePaths(cleanPath string) (bool, error) { +func (u *User) iteratePaths(cleanPath, permissionType string) (bool, error) { for _, permission := range u.permissions { + typeStr := "readfiles" // Assume ReadFiles by default. + var regexStr string var negate bool + splitted := strings.Split(permission, ":") + if len(splitted) > 1 { + typeStr = splitted[0] + permission = strings.Join(splitted[1:], ":") + } + + if typeStr != permissionType { + continue + } + + regexStr = permission if strings.HasPrefix(permission, "!") { regexStr = permission[1:] negate = true } - regexStr = permission - negate = false re, err := regexp.Compile(regexStr) if err != nil { -- cgit v1.2.3