Check-in [273501fe4e]

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Run the fossil symlink
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 273501fe4e447eeba049b27fbe7041ac2a546c2d
User & Date: rkeene 2020-08-25 15:40:24
References
2020-08-25
16:22
Revert [273501fe4e] check-in: f19a95b69c user: rkeene tags: trunk
Context
2020-08-25
15:40
Increase CPU time, address space, and RSS check-in: 5f6c3928e7 user: rkeene tags: trunk
15:40
Run the fossil symlink check-in: 273501fe4e user: rkeene tags: trunk
2020-08-24
21:03
Improve ACLs and logging on suid-fossil wrapper check-in: f4145e1a0c user: rkeene tags: trunk
Changes

Changes to scripts/fossil-as-user/suid-fossil.

141
142
143
144
145
146
147

148
149
150
151
152
153
154
...
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
	$work_dir = '/root';
	$home_dir = $work_dir . '/home';

	$work_dir_outside = $user_directory . $work_dir;
	$home_dir_outside = $user_directory . $home_dir;

	$fossil_binary = $work_dir . '/bin/' . basename($fossil_binary_real);

	$fossil_binary_outside = $user_directory . $fossil_binary;
	$fossil_binary_symlink = dirname($fossil_binary_outside) . "/fossil";

	$real_user_id = (1024 * 1024) + $userid;
	$current_user_id = posix_getuid();
}

................................................................................
		exec_log('setfacl   -m d:m::rwX -m d:u:' . $current_user_id . ':rwX ' . escapeshellarg($repo_directory));
		exec_log('setfacl -m   u:' . $real_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
		exec_log('setfacl -m d:u:' . $real_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
		exec_log('setfacl -m   u:' . $current_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
		exec_log('setfacl -m d:u:' . $current_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
	}

	$command = escapeshellarg(dirname(__FILE__) . "/secure-wrap") . " " . escapeshellarg($userid) . " " . escapeshellarg($user_directory) . " " . escapeshellarg($fossil_binary);

	putenv("USER={$username}");
	putenv("HOME={$home_dir}");
} else {
	$downgrade_required = false;
	if (isset($fossil_binary_outside) && file_exists($fossil_binary_outside)) {
		$downgrade_required = true;







>







 







|







141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
...
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
	$work_dir = '/root';
	$home_dir = $work_dir . '/home';

	$work_dir_outside = $user_directory . $work_dir;
	$home_dir_outside = $user_directory . $home_dir;

	$fossil_binary = $work_dir . '/bin/' . basename($fossil_binary_real);
	$fossil_binary_run = $work_dir . '/bin/fossil';
	$fossil_binary_outside = $user_directory . $fossil_binary;
	$fossil_binary_symlink = dirname($fossil_binary_outside) . "/fossil";

	$real_user_id = (1024 * 1024) + $userid;
	$current_user_id = posix_getuid();
}

................................................................................
		exec_log('setfacl   -m d:m::rwX -m d:u:' . $current_user_id . ':rwX ' . escapeshellarg($repo_directory));
		exec_log('setfacl -m   u:' . $real_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
		exec_log('setfacl -m d:u:' . $real_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
		exec_log('setfacl -m   u:' . $current_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
		exec_log('setfacl -m d:u:' . $current_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
	}

	$command = escapeshellarg(dirname(__FILE__) . "/secure-wrap") . " " . escapeshellarg($userid) . " " . escapeshellarg($user_directory) . " " . escapeshellarg($fossil_binary_run);

	putenv("USER={$username}");
	putenv("HOME={$home_dir}");
} else {
	$downgrade_required = false;
	if (isset($fossil_binary_outside) && file_exists($fossil_binary_outside)) {
		$downgrade_required = true;