From 4e08f696f0c0f2419809e5d4b66882fce57bb2f2 Mon Sep 17 00:00:00 2001
From: Marius Gavrilescu <marius@ieval.ro>
Date: Sun, 25 Jan 2015 21:48:59 +0200
Subject: [PATCH] Run user programs as nobody:nogroup

---
 ex/makevm                        |  2 +-
 gruntmaster-exec                 | 10 +++++++---
 lib/Gruntmaster/Daemon/Format.pm |  2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/ex/makevm b/ex/makevm
index c1d8c02..c054cf1 100755
--- a/ex/makevm
+++ b/ex/makevm
@@ -25,7 +25,7 @@ squashfs
 9pnet_virtio
 EOF
 install gruntmaster-exec gruntmaster-compile vm/usr/bin/
-sed -i -e "s/setgid 65534/setgid $GROUP/" -e "s/setuid 65534/setuid $USER/" vm/usr/bin/gruntmaster-exec
+sed -i -e "s/USER => 65534/USER => $USER/" -e "s/GROUP => 65534/GROUP => $GROUP/" vm/usr/bin/gruntmaster-exec
 chroot vm update-initramfs -d -k 3.2.0-4-amd64
 chroot vm update-initramfs -c -k 3.2.0-4-amd64
 umount vm/proc
diff --git a/gruntmaster-exec b/gruntmaster-exec
index dec8be3..e7d7363 100755
--- a/gruntmaster-exec
+++ b/gruntmaster-exec
@@ -18,6 +18,9 @@ use constant +{
 	DIED => 5,
 	REJ => 10,
 };
+# These constants are changed by ex/makevm
+use constant USER => 65534;
+use constant GROUP => 65534;
 
 use BSD::Resource qw/setrlimit RLIMIT_AS RLIMIT_FSIZE/;
 use IPC::Signal qw/sig_name sig_num/;
@@ -27,7 +30,7 @@ use Getopt::Long;
 use POSIX qw//;
 use Time::HiRes qw/alarm/;
 
-my (@fds, $timeout, $mlimit, $olimit);
+my (@fds, $timeout, $mlimit, $olimit, $nobody);
 my $close = 1;
 
 GetOptions(
@@ -36,6 +39,7 @@ GetOptions(
 	"mlimit=i"  => \$mlimit,
 	"olimit=i"  => \$olimit,
 	"close!"    => \$close,
+	"nobody!"   => \$nobody,
 );
 
 my $ret = fork // die 'Cannot fork';
@@ -69,8 +73,8 @@ if ($ret) {
 	%ENV = (ONLINE_JUDGE => 1, PATH => $ENV{PATH}, HOME => $ENV{HOME});
 	setrlimit RLIMIT_AS, $mlimit, $mlimit or die $! if $mlimit;
 	setrlimit RLIMIT_FSIZE, $olimit, $olimit or die $! if $olimit;
-	POSIX::setgid 65534; # Set group id to nogroup
-	POSIX::setuid 65534; # Set user id to nobody
+	POSIX::setgid $nobody ? 65534 : USER;
+	POSIX::setuid $nobody ? 65534 : GROUP;
 	exec @ARGV;
 }
 
diff --git a/lib/Gruntmaster/Daemon/Format.pm b/lib/Gruntmaster/Daemon/Format.pm
index 28aa533..529931f 100644
--- a/lib/Gruntmaster/Daemon/Format.pm
+++ b/lib/Gruntmaster/Daemon/Format.pm
@@ -85,7 +85,7 @@ sub mkrun{
 		my ($name, %args) = @_;
 		get_logger->trace("Running $name...");
 		my $basename = fileparse $name, qr/[.][^.]*/s;
-		my @args;
+		my @args = ('--nobody');
 		push @args, '--timeout', $args{timeout} if $args{timeout};
 		push @args, '--mlimit',  $args{mlimit}  if $args{mlimit};
 		push @args, '--olimit',  $args{olimit}  if $args{olimit};
-- 
2.30.2