Verified Commit 6794776a authored by Nik | Klampfradler's avatar Nik | Klampfradler

[Cache] Refactor privilege dropping code into methods

parent 91132875
...@@ -18,7 +18,7 @@ use std::collections::HashMap; ...@@ -18,7 +18,7 @@ use std::collections::HashMap;
use std::convert::From; use std::convert::From;
use std::time::SystemTime; use std::time::SystemTime;
use libc::{geteuid, seteuid, getpwnam}; use libc::{geteuid, seteuid, getpwnam, uid_t};
use std::ffi::CString; use std::ffi::CString;
use oauth2::basic::BasicTokenResponse; use oauth2::basic::BasicTokenResponse;
...@@ -32,7 +32,7 @@ struct UserToken { ...@@ -32,7 +32,7 @@ struct UserToken {
} }
impl UserToken { impl UserToken {
fn is_expired(&self) -> bool { fn is_expired(&self) -> bool {
match SystemTime::now().duration_since(SystemTime::UNIX_EPOCH) { match SystemTime::now().duration_since(SystemTime::UNIX_EPOCH) {
Ok(d) => d.as_secs() >= self.expires_at, Ok(d) => d.as_secs() >= self.expires_at,
...@@ -58,16 +58,39 @@ impl From<BasicTokenResponse> for UserToken { ...@@ -58,16 +58,39 @@ impl From<BasicTokenResponse> for UserToken {
} }
struct Cache { struct Cache {
user_tokens: HashMap<String, UserToken> user_tokens: HashMap<String, UserToken>,
original_euid: uid_t
} }
impl Cache { impl Cache {
pub fn new() -> Cache { pub fn new() -> Cache {
Cache { Cache {
user_tokens: HashMap::new() user_tokens: HashMap::new(),
original_euid: geteuid()
} }
} }
fn drop_privileges(&self, username: String) -> Result<uid_t, String> {
let nam = match CString::new(username) {
Ok(nam) => nam,
Err(_) => return Err("Invalid username in lookup".to_string())
};
let target_euid = (*getpwnam(nam.as_ptr())).pw_uid;
if target_euid == self.original_euid {
return Ok(self.original_euid);
} else if self.original_euid == 0 {
seteuid(target_euid);
return Ok(target_euid);
}
return Err("Dropping privileges not supported".to_string());
}
fn restore_privileges(&self) {
seteuid(self.original_euid);
}
pub fn load_user_token(&self, owner: String) -> Option<&UserToken> { pub fn load_user_token(&self, owner: String) -> Option<&UserToken> {
return self.user_tokens.get(&owner); return self.user_tokens.get(&owner);
} }
...@@ -80,26 +103,9 @@ impl Cache { ...@@ -80,26 +103,9 @@ impl Cache {
self.user_tokens.remove(&owner); self.user_tokens.remove(&owner);
// Try to remove user's token cache file // Try to remove user's token cache file
let original_euid = geteuid(); self.drop_privileges(owner).ok();
let target_euid = (*getpwnam(CStr::new(owner).ok().unwrap().as_ptr())).pw_uid;
if original_euid != target_euid {
// We are not already running as the target user
if original_euid == 0 {
// If we are root, try dropping privileges to the target user
seteuid(target_euid);
} else {
// Bail out silently if we are not root
return;
}
}
// FIXME Add delete code here // FIXME Add delete code here
self.restore_privileges();
if original_euid != target_euid {
// Restore original privileges if we dropped them earlier
seteuid(original_euid);
}
} }
pub fn cleanup_tokens(&self) { pub fn cleanup_tokens(&self) {
......
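Review bot: In the new `drop_privileges`, the pointer returned by `getpwnam` is dereferenced without a NULL check and the return value of `seteuid` is ignored, so an unknown user name is undefined behaviour and a failed drop still returns `Ok(target_euid)` while the process keeps its original euid. The call site in the last hunk then discards the result with `.ok()`, so once the delete code replaces the FIXME it would run with unchanged privileges whenever the drop failed, whereas the removed code returned early in the non-root case; `if self.drop_privileges(owner).is_err() { return; }` keeps that behaviour. `restore_privileges` should check the result of `seteuid` as well, since a failed restore leaves the process running as the target user. The libc calls appear outside any `unsafe` block in the visible lines, so unless the enclosing code is marked unsafe elsewhere they each need one with a SAFETY comment. The function containing the call site begins outside the hunk.

```rust
fn drop_privileges(&self, username: String) -> Result<uid_t, String> {
    // … unchanged: CString conversion of username into `nam` …
    // SAFETY: `nam` is a valid NUL-terminated string, and the returned pointer is
    // checked for NULL before it is dereferenced.
    let pw = unsafe { getpwnam(nam.as_ptr()) };
    if pw.is_null() {
        return Err("Unknown user in lookup".to_string());
    }
    let target_euid = unsafe { (*pw).pw_uid };
    // … unchanged: early return when target_euid == self.original_euid …
    if self.original_euid == 0 {
        // Report a failed drop instead of claiming the new euid is in effect.
        if unsafe { seteuid(target_euid) } != 0 {
            return Err("Failed to drop privileges".to_string());
        }
        return Ok(target_euid);
    }
    // … unchanged: "Dropping privileges not supported" error return …
```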