open-nomad/helper/users/lookup.go

package users

import (
	"fmt"
	"os"
	"os/user"
	"strconv"
	"sync"

	"github.com/hashicorp/go-multierror"
)

// lock is used to serialize all user lookup at the process level, because
// some NSS implementations are not concurrency safe
var lock sync.Mutex

// Lookup username while holding a global process lock.
func Lookup(username string) (*user.User, error) {
	lock.Lock()
	defer lock.Unlock()
	return user.Lookup(username)
}

// LookupGroupId while holding a global process lock.
func LookupGroupId(gid string) (*user.Group, error) {
	lock.Lock()
	defer lock.Unlock()
	return user.LookupGroupId(gid)
}

// Current returns the current user, acquired while holding a global process
// lock.
func Current() (*user.User, error) {
	lock.Lock()
	defer lock.Unlock()
	return user.Current()
}

// WriteFileFor is like os.WriteFile except if possible it chowns the file to
// the specified user (possibly from Task.User) and sets the permissions to
// 0o600.
//
// If chowning fails (either due to OS or Nomad being unprivileged), the file
// will be left world readable (0o666).
//
// On failure a multierror with both the original and fallback errors will be
// returned.
func WriteFileFor(path string, contents []byte, username string) error {
	// Don't even bother trying to chown to an empty username
	var origErr error
	if username != "" {
		origErr := writeFileFor(path, contents, username)
		if origErr == nil {
			// Success!
			return nil
		}
	}

	// Fallback to world readable
	if err := os.WriteFile(path, contents, 0o666); err != nil {
		if origErr != nil {
			// Return both errors
			return &multierror.Error{
				Errors: []error{origErr, err},
			}
		} else {
			return err
		}
	}

	return nil
}

func writeFileFor(path string, contents []byte, username string) error {
	user, err := Lookup(username)
	if err != nil {
		return err
	}

	uid, err := strconv.Atoi(user.Uid)
	if err != nil {
		return fmt.Errorf("error parsing uid: %w", err)
	}

	if err := os.WriteFile(path, contents, 0o600); err != nil {
		return err
	}

	if err := os.Chown(path, uid, -1); err != nil {
		// Delete the file so that the fallback method properly resets
		// permissions.
		_ = os.Remove(path)
		return err
	}

	return nil
}
client: protect user lookups with global lock (#14742) * client: protect user lookups with global lock This PR updates Nomad client to always do user lookups while holding a global process lock. This is to prevent concurrency unsafe implementations of NSS, but still enabling NSS lookups of users (i.e. cannot not use osusergo). * cl: add cl 2022-09-29 14:30:13 +00:00			`package users`

			`import (`
Add option to expose workload token to task (#15755) Add `identity` jobspec block to expose workload identity tokens to tasks. --------- Co-authored-by: Anders <mail@anars.dk> Co-authored-by: Tim Gross <tgross@hashicorp.com> Co-authored-by: Michael Schurter <mschurter@hashicorp.com> 2023-02-02 18:59:14 +00:00			`"fmt"`
			`"os"`
client: protect user lookups with global lock (#14742) * client: protect user lookups with global lock This PR updates Nomad client to always do user lookups while holding a global process lock. This is to prevent concurrency unsafe implementations of NSS, but still enabling NSS lookups of users (i.e. cannot not use osusergo). * cl: add cl 2022-09-29 14:30:13 +00:00			`"os/user"`
Add option to expose workload token to task (#15755) Add `identity` jobspec block to expose workload identity tokens to tasks. --------- Co-authored-by: Anders <mail@anars.dk> Co-authored-by: Tim Gross <tgross@hashicorp.com> Co-authored-by: Michael Schurter <mschurter@hashicorp.com> 2023-02-02 18:59:14 +00:00			`"strconv"`
client: protect user lookups with global lock (#14742) * client: protect user lookups with global lock This PR updates Nomad client to always do user lookups while holding a global process lock. This is to prevent concurrency unsafe implementations of NSS, but still enabling NSS lookups of users (i.e. cannot not use osusergo). * cl: add cl 2022-09-29 14:30:13 +00:00			`"sync"`
Add option to expose workload token to task (#15755) Add `identity` jobspec block to expose workload identity tokens to tasks. --------- Co-authored-by: Anders <mail@anars.dk> Co-authored-by: Tim Gross <tgross@hashicorp.com> Co-authored-by: Michael Schurter <mschurter@hashicorp.com> 2023-02-02 18:59:14 +00:00
			`"github.com/hashicorp/go-multierror"`
client: protect user lookups with global lock (#14742) * client: protect user lookups with global lock This PR updates Nomad client to always do user lookups while holding a global process lock. This is to prevent concurrency unsafe implementations of NSS, but still enabling NSS lookups of users (i.e. cannot not use osusergo). * cl: add cl 2022-09-29 14:30:13 +00:00			`)`

			`// lock is used to serialize all user lookup at the process level, because`
			`// some NSS implementations are not concurrency safe`
client: defer `nobody` user lookup so Windows doesn't panic (#14790) In #14742 we introduced a cached lookup of the `nobody` user, which is only ever called on Unixish machines. But the initial caching was being done in an `init` block, which meant it was being run on Windows as well. This prevents the Nomad agent from starting on Windows. An alternative fix here would be to have a separate `init` block for Windows and Unix, but this potentially masks incorrect behavior if we accidentally added a call to the `Nobody()` method on Windows later. This way we're forced to handle the error in the caller. 2022-10-04 15:52:12 +00:00			`var lock sync.Mutex`
client: protect user lookups with global lock (#14742) * client: protect user lookups with global lock This PR updates Nomad client to always do user lookups while holding a global process lock. This is to prevent concurrency unsafe implementations of NSS, but still enabling NSS lookups of users (i.e. cannot not use osusergo). * cl: add cl 2022-09-29 14:30:13 +00:00
			`// Lookup username while holding a global process lock.`
			`func Lookup(username string) (*user.User, error) {`
			`lock.Lock()`
			`defer lock.Unlock()`
			`return user.Lookup(username)`
			`}`

			`// LookupGroupId while holding a global process lock.`
			`func LookupGroupId(gid string) (*user.Group, error) {`
			`lock.Lock()`
			`defer lock.Unlock()`
			`return user.LookupGroupId(gid)`
			`}`

			`// Current returns the current user, acquired while holding a global process`
			`// lock.`
			`func Current() (*user.User, error) {`
			`lock.Lock()`
			`defer lock.Unlock()`
			`return user.Current()`
			`}`
Add option to expose workload token to task (#15755) Add `identity` jobspec block to expose workload identity tokens to tasks. --------- Co-authored-by: Anders <mail@anars.dk> Co-authored-by: Tim Gross <tgross@hashicorp.com> Co-authored-by: Michael Schurter <mschurter@hashicorp.com> 2023-02-02 18:59:14 +00:00
			`// WriteFileFor is like os.WriteFile except if possible it chowns the file to`
			`// the specified user (possibly from Task.User) and sets the permissions to`
			`// 0o600.`
			`//`
			`// If chowning fails (either due to OS or Nomad being unprivileged), the file`
			`// will be left world readable (0o666).`
			`//`
			`// On failure a multierror with both the original and fallback errors will be`
			`// returned.`
			`func WriteFileFor(path string, contents []byte, username string) error {`
			`// Don't even bother trying to chown to an empty username`
			`var origErr error`
			`if username != "" {`
			`origErr := writeFileFor(path, contents, username)`
			`if origErr == nil {`
			`// Success!`
			`return nil`
			`}`
			`}`

			`// Fallback to world readable`
			`if err := os.WriteFile(path, contents, 0o666); err != nil {`
			`if origErr != nil {`
			`// Return both errors`
			`return &multierror.Error{`
			`Errors: []error{origErr, err},`
			`}`
			`} else {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

			`func writeFileFor(path string, contents []byte, username string) error {`
			`user, err := Lookup(username)`
			`if err != nil {`
			`return err`
			`}`

			`uid, err := strconv.Atoi(user.Uid)`
			`if err != nil {`
			`return fmt.Errorf("error parsing uid: %w", err)`
			`}`

			`if err := os.WriteFile(path, contents, 0o600); err != nil {`
			`return err`
			`}`

			`if err := os.Chown(path, uid, -1); err != nil {`
			`// Delete the file so that the fallback method properly resets`
			`// permissions.`
			`_ = os.Remove(path)`
			`return err`
			`}`

			`return nil`
			`}`