From: Marius Gavrilescu
Date: Tue, 3 Feb 2015 13:40:37 +0000 (+0200)
Subject: Only run "untrusted" programs under sudo
X-Git-Tag: 5999.000_005~63
X-Git-Url: http://git.ieval.ro/?a=commitdiff_plain;h=1e5f2b8b348c178a0656f9515917223c49d010d3;p=gruntmaster-daemon.git
Only run "untrusted" programs under sudo
---
diff --git a/gruntmaster-exec b/gruntmaster-exec
index c824b20..25a44d1 100755
--- a/gruntmaster-exec
+++ b/gruntmaster-exec
@@ -45,7 +45,7 @@ GetOptions(
 my $killuser = $ENV{GRUNTMASTER_KILL_USER};
 my @sudo;
-@sudo = (shellwords ($ENV{GRUNTMASTER_SUDO}), '--') if $ENV{GRUNTMASTER_SUDO};
+@sudo = (shellwords ($ENV{GRUNTMASTER_SUDO}), '--') if $ENV{GRUNTMASTER_SUDO} && $nobody;
 $mlimit = 1_000_000_000 if @sudo; # sudo wants a lot of address space
 my $ret = fork // die 'Cannot fork';
@@ -94,7 +94,8 @@ if ($ret) {
 setrlimit RLIMIT_NPROC, $nproc, $nproc or die $! if $nobody;
 POSIX::setgid $nobody ? 65534 : USER;
 POSIX::setuid $nobody ? 65534 : GROUP;
- unshift @ARGV, @sudo if $nobody;
+ unshift @ARGV, @sudo;
+ say STDERR "Execing: ", join ' ', map { "'$_'" } @ARGV;
 exec @ARGV;
 }
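Review bot: With `&& $nobody` added to the guard, the `$mlimit = 1_000_000_000 if @sudo;` override on the next context line now fires for exactly the untrusted runs, so whatever memory limit the caller requested for a `$nobody` program is replaced by a fixed 1e9 whenever GRUNTMASTER_SUDO is set. How `$mlimit` is applied is outside this hunk, but if it is the only memory bound on those programs, the requested limit is silently loosened (or tightened, for larger requests) on the path that most needs it. It is worth confirming that the real limit is enforced on the far side of the sudo wrapper, and recording the intent next to the assignment, e.g. `# @sudo stays empty for trusted runs; untrusted runs get a fixed address-space cap because sudo itself needs it`.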
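Review bot: The privilege drop directly above the changed lines is unchecked: the return values of `POSIX::setgid` and `POSIX::setuid` are discarded, so if either call fails the `exec` still runs the submitted program with the daemon's own identity. The constants also look transposed (`USER` goes to setgid and `GROUP` to setuid); they are defined outside this hunk, so that needs confirming, but if the names mean what they say the lines should read `POSIX::setgid($nobody ? 65534 : GROUP) or die "setgid: $!";` and `POSIX::setuid($nobody ? 65534 : USER) or die "setuid: $!";`. The added `say STDERR "Execing: ..."` is unconditional and writes to the same STDERR the executed program inherits, so the wrapper command line ends up mixed into that program's error output; it reads like leftover debugging and would be better behind a debug switch. `exec @ARGV;` has no `or die` after it either, so a failed exec falls through silently. The enclosing block starts outside the hunk.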