libchromeos: Support setting uid/gid of child processes in process.h

chromeos/process.cc

 // Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <chromeos/process.h>
 
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <fcntl.h>
+#include <unistd.h>
 
 #include <map>
 
 #include <base/eintr_wrapper.h>
 #include <base/file_util.h>
 #include <base/logging.h>
 #include <base/string_number_conversions.h>
 #include <base/string_util.h>
 #include <base/time.h>
 
 namespace chromeos {
 
 Process::Process() {
 }
 
 Process::~Process() {
 }
 
 bool Process::ProcessExists(pid_t pid) {
   return file_util::DirectoryExists(FilePath(StringPrintf("/proc/%d", pid)));
 }
 
-ProcessImpl::ProcessImpl() : pid_(0) {
+ProcessImpl::ProcessImpl() : pid_(0), uid_(-1), gid_(-1) {

[sosa, 2011/04/17 05:12:46]

seems like the default pid should also be -1 since 0 is generally reserved for
the scheduler, but that's not really in your change.

[kmixter1, 2011/04/17 06:54:30]

I didn't realize that.  However, I guess they are both invalid for pids used by
regular processes.  Seems like -1 would be more correct, though it's not so easy
a fix since vpn-manager looks for == 0.

 }
 
 ProcessImpl::~ProcessImpl() {
   Reset(0);
 }
 
 void ProcessImpl::AddArg(const std::string& arg) {
   arguments_.push_back(arg);
 }
 
 void ProcessImpl::RedirectOutput(const std::string& output_file) {
   output_file_ = output_file;
 }
 
 void ProcessImpl::RedirectUsingPipe(int child_fd, bool is_input) {
   PipeInfo info;
   info.is_input_ = is_input;
   pipe_map_[child_fd] = info;
 }
 
+void ProcessImpl::SetUid(uid_t uid) {
+  uid_ = uid;
+}
+
+void ProcessImpl::SetGid(gid_t gid) {
+  gid_ = gid;
+}
+
 int ProcessImpl::GetPipe(int child_fd) {
   PipeMap::iterator i = pipe_map_.find(child_fd);
   if (i == pipe_map_.end())
     return -1;
   else
     return i->second.parent_fd_;
 }
 
 bool ProcessImpl::PopulatePipeMap() {
   // Verify all target fds are already open.  With this assumption we
@@ skipping 83 matching lines @@
         _exit(127);
       }
       HANDLE_EINTR(dup2(output_handle, STDOUT_FILENO));
       HANDLE_EINTR(dup2(output_handle, STDERR_FILENO));
       // Only close output_handle if it does not happen to be one of
       // the two standard file descriptors we are trying to redirect.
       if (output_handle != STDOUT_FILENO && output_handle != STDERR_FILENO) {
         HANDLE_EINTR(close(output_handle));
       }
     }
+    if (uid_ >= 0 && setresuid(uid_, uid_, uid_) < 0) {
+      int saved_errno = errno;
+      LOG(ERROR) << "Unable to set UID to " << uid_ << ": " << saved_errno;
+      _exit(127);

[sosa, 2011/04/17 05:12:46]

Was looking at docs for exit codes, is 127 appropriate for all of these error
conditions?

[kmixter1, 2011/04/17 06:54:30]

Not sure if you mean the man page for exit statuses, or docs for Process itself.
 I added comments about the meaning and an identifier to use instead of 127.  I
believe 127 is the largest exit status and since 0 and 1 are most common, I
wanted to pick one that seems least likely to be used by an actual process.

+    }
+    if (gid_ >= 0 && setresgid(gid_, gid_, gid_) < 0) {
+      int saved_errno = errno;
+      LOG(ERROR) << "Unable to set GID to " << gid_ << ": " << saved_errno;
+      _exit(127);
+    }
     execv(argv[0], &argv[0]);
     saved_errno = errno;
     LOG(ERROR) << "Exec of " << argv[0] << " failed: " << saved_errno;
     _exit(127);
   } else {
     // Still executing inside the parent process with known child pid.
     arguments_.clear();
     UpdatePid(pid);
     // Close our copy of child side pipes.
     for (PipeMap::iterator i = pipe_map_.begin(); i != pipe_map_.end(); ++i) {
@@ skipping 104 matching lines @@
   return true;
 }
 
 pid_t ProcessImpl::Release() {
   pid_t old_pid = pid_;
   pid_ = 0;
   return old_pid;
 }
 
 }  // namespace chromeos