Enhance permission handling in package installation and removal commands; add user management functions for improved security. Now, every time packets executes Lua scripts, it changes the process euid to an unprivileged user. Lua scripts can now also execute more of Lua's default functions.
53
pkg/main.go
53
pkg/main.go
@@ -6,6 +6,7 @@ import (
|
||||
"io"
|
||||
"os"
|
||||
"packets/internal/utils"
|
||||
"runtime"
|
||||
|
||||
utils_lua "packets/internal/utils/lua"
|
||||
"path/filepath"
|
||||
@@ -31,6 +32,11 @@ func InstallPackage(file []byte, destDir string) error {
|
||||
|
||||
tarReader := tar.NewReader(zstdReader)
|
||||
|
||||
uid, err := utils.GetPacketsUID()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
for {
|
||||
hdr, err := tarReader.Next()
|
||||
if err == io.EOF {
|
||||
@@ -46,7 +52,11 @@ func InstallPackage(file []byte, destDir string) error {
|
||||
continue
|
||||
}
|
||||
|
||||
if err := os.MkdirAll(destDir, 0755); err != nil {
|
||||
if err := os.MkdirAll(destDir, 0775); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := os.Chown(destDir, uid, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -56,13 +66,16 @@ func InstallPackage(file []byte, destDir string) error {
|
||||
|
||||
case tar.TypeDir:
|
||||
err = os.MkdirAll(absPath, os.FileMode(hdr.Mode))
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := os.Chown(absPath, uid, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
case tar.TypeReg:
|
||||
err = os.MkdirAll(filepath.Dir(absPath), 0755)
|
||||
|
||||
err = os.MkdirAll(filepath.Dir(absPath), 0775)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -78,10 +91,21 @@ func InstallPackage(file []byte, destDir string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
err = os.Chmod(absPath, os.FileMode(hdr.Mode))
|
||||
err = os.Chmod(absPath, os.FileMode(0775))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if filepath.Base(hdr.Name) == "manifest.toml" || filepath.Base(hdr.Name) == manifest.Hooks.Install || filepath.Base(hdr.Name) == manifest.Hooks.Remove {
|
||||
err = os.Chmod(absPath, os.FileMode(0755))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
} else {
|
||||
if err := os.Chown(absPath, uid, 0); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -92,10 +116,20 @@ func InstallPackage(file []byte, destDir string) error {
|
||||
L.SetGlobal("data_dir", lua.LString(filepath.Join(destDir, "data")))
|
||||
L.SetGlobal("script", lua.LString(manifest.Hooks.Install))
|
||||
|
||||
runtime.LockOSThread()
|
||||
defer runtime.UnlockOSThread()
|
||||
|
||||
if err := utils.ChangeToNoPermission(); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := L.DoFile(filepath.Join(destDir, manifest.Hooks.Install)); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := utils.ElevatePermission(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -111,9 +145,20 @@ func ExecuteRemoveScript(path string) error {
|
||||
L.SetGlobal("script", lua.LString(path))
|
||||
L.SetGlobal("build", lua.LNil)
|
||||
|
||||
runtime.LockOSThread()
|
||||
defer runtime.UnlockOSThread()
|
||||
|
||||
if err := utils.ChangeToNoPermission(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := L.DoFile(path); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := utils.ElevatePermission(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
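Review bot: In InstallPackage, when `L.DoFile` fails after `utils.ChangeToNoPermission()`, the function returns without calling `utils.ElevatePermission()`, so the error path leaves the lowered euid in place while the deferred `runtime.UnlockOSThread()` releases the thread in that state; ExecuteRemoveScript has the same early return around `L.DoFile(path)`. Capture the script error, restore unconditionally, and only then return it, as in the fence below. The helpers are not visible on this page, but if they switch only the effective uid, the real and saved uid presumably stay root while the hook runs in-process with a wider Lua standard library, so the drop may be reversible from whatever the script can spawn; running hooks in a child process that changes real, effective and saved ids would close that gap. The install loop also appears to replace `hdr.Mode` with 0775 and chown the tree to the script user, which leaves the root-owned manifest and hook files inside a directory that user can write to.

```go
// … unchanged: runtime.LockOSThread, deferred unlock, ChangeToNoPermission check …

// Run the hook, then restore privileges on every path before reporting its result.
runErr := L.DoFile(filepath.Join(destDir, manifest.Hooks.Install))
if err := utils.ElevatePermission(); err != nil {
	// Failing to restore is the more serious condition; surface it first.
	return err
}
return runErr
```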