diff --git a/internal/app/sensor/target/target_app.go b/internal/app/sensor/target/target_app.go
index 78ff57ed8f..f31e623f41 100644
--- a/internal/app/sensor/target/target_app.go
+++ b/internal/app/sensor/target/target_app.go
@@ -6,11 +6,12 @@ import (
 "golang.org/x/sys/unix"
 "os"
 "os/exec"
- "os/user"
- "strconv"
+ "strings"
 "syscall"
 
 log "github.com/sirupsen/logrus"
+
+ "github.com/docker-slim/docker-slim/pkg/system"
 )
 
 //copied from libcontainer
@@ -93,33 +94,34 @@ func Start(appName string, appArgs []string, appDir, appUser string, runTargetAs
 app.SysProcAttr = &syscall.SysProcAttr{}
 }
 
- userInfo, err := user.Lookup(appUser)
- if err == nil {
- var gid int64
- uid, err := strconv.ParseInt(userInfo.Uid, 0, 32)
+ appUserParts := strings.Split(appUser, ":")
+ if len(appUserParts) > 0 {
+ uid, gid, err := system.ResolveUser(appUserParts[0])
 if err == nil {
- gid, err = strconv.ParseInt(userInfo.Gid, 0, 32)
- if err == nil {
- app.SysProcAttr.Credential = &syscall.Credential{
- Uid: uint32(uid),
- Gid: uint32(gid),
+ if len(appUserParts) > 1 {
+ xgid, err := system.ResolveGroup(appUserParts[1])
+ if err == nil {
+ gid = xgid
+ } else {
+ log.Errorf("sensor.startTargetApp: error resolving group identity (%v/%v) - %v", appUser, appUserParts[1], err)
 }
+ }
 
- log.Debugf("sensor.startTargetApp: start target as user (%s) - (uid=%d,gid=%d)", appUser, uid, gid)
+ app.SysProcAttr.Credential = &syscall.Credential{
+ Uid: uid,
+ Gid: gid,
+ }
 
- if err = fixStdioPermissions(int(uid)); err != nil {
- log.Errorf("sensor.startTargetApp: error fixing i/o perms for user (%v/%v) - %v", appUser, uid, err)
- }
- } else {
- log.Errorf("sensor.startTargetApp: error converting user gid (%v) - %v", appUser, err)
+ log.Debugf("sensor.startTargetApp: start target as user (%s) - (uid=%d,gid=%d)", appUser, uid, gid)
+
+ if err = fixStdioPermissions(int(uid)); err != nil {
+ log.Errorf("sensor.startTargetApp: error fixing i/o perms for user (%v/%v) - %v", appUser, uid, err)
 }
+
 } else {
- log.Errorf("sensor.startTargetApp: error converting user uid (%v) - %v", appUser, err)
+ log.Errorf("sensor.startTargetApp: error resolving user identity (%v/%v) - %v", appUser, appUserParts[0], err)
 }
- } else {
- log.Errorf("sensor.startTargetApp: error getting user info (%v) - %v", appUser, err)
 }
-
 }
 
 app.Dir = appDir
diff --git a/pkg/system/system.go b/pkg/system/system.go
index b185d19bb4..1c2fdef02d 100644
--- a/pkg/system/system.go
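Review bot: The new guard `if len(appUserParts) > 0 {` can never be false, because `strings.Split` always yields at least one element, so an empty `appUser` still reaches `system.ResolveUser("")` and only shows up as an error log; `if appUserParts[0] != "" {` states the condition actually intended. When `system.ResolveGroup` fails, the branch logs, keeps the primary gid returned by the user lookup and goes on to set the Credential and start the target, so a request for `user:group` can end up running under a different group than the operator asked for with nothing but a log line to show it — either treat it as a failure like the user-resolution branch does, or say in the message that the fallback happened, e.g. `log.Errorf("sensor.startTargetApp: error resolving group identity (%v/%v), using primary gid %d - %v", appUser, appUserParts[1], gid, err)`. A third colon-separated part (`user:group:extra`) is ignored without notice; an explicit `len(appUserParts) > 2` error would make that visible. Start's body begins and continues outside the hunk, so what happens after a failed user lookup (apparently the target still launches with no Credential set) cannot be confirmed from here.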
+++ b/pkg/system/system.go
@@ -1,5 +1,10 @@
 package system
 
+import (
+ "os/user"
+ "strconv"
+)
+
 type SystemInfo struct {
 Sysname string
 Nodename string
@@ -10,3 +15,52 @@ type SystemInfo struct {
 OsName string
 OsBuild string
 }
+
+func ResolveUser(identity string) (uint32, uint32, error) {
+ var userInfo *user.User
+ if _, err := strconv.ParseUint(identity, 10, 32); err == nil {
+ userInfo, err = user.LookupId(identity)
+ if err != nil {
+ return 0, 0, err
+ }
+ } else {
+ userInfo, err = user.Lookup(identity)
+ if err != nil {
+ return 0, 0, err
+ }
+ }
+
+ uid, err := strconv.ParseUint(userInfo.Uid, 10, 32)
+ if err != nil {
+ return 0, 0, err
+ }
+
+ gid, err := strconv.ParseUint(userInfo.Gid, 10, 32)
+ if err != nil {
+ return 0, 0, err
+ }
+
+ return uint32(uid), uint32(gid), nil
+}
+
+func ResolveGroup(identity string) (uint32, error) {
+ var groupInfo *user.Group
+ if _, err := strconv.ParseUint(identity, 10, 32); err == nil {
+ groupInfo, err = user.LookupGroupId(identity)
+ if err != nil {
+ return 0, err
+ }
+ } else {
+ groupInfo, err = user.LookupGroup(identity)
+ if err != nil {
+ return 0, err
+ }
+ }
+
+ gid, err := strconv.ParseUint(groupInfo.Gid, 10, 32)
+ if err != nil {
+ return 0, err
+ }
+
+ return uint32(gid), nil
+}
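Review bot: `ResolveUser` and `ResolveGroup` are exported without doc comments, and the contract worth recording is that a purely numeric identity is resolved through `user.LookupId`/`user.LookupGroupId` and therefore fails when that uid or gid has no entry in the user database, even though the caller only needs the number for `syscall.Credential`; suggest `// ResolveUser maps a user name or numeric uid to its (uid, gid); a numeric identity must still exist in the user database.` and the parallel comment on ResolveGroup. If accepting unknown numeric ids is wanted later, the `user.UnknownUserIdError` / `user.UnknownGroupIdError` cases should be matched with `errors.As` rather than inferred from the message text. Every error is returned bare, so the caller's log line cannot tell a lookup failure from a parse failure of `userInfo.Uid` or `userInfo.Gid`; wrapping, e.g. `return 0, 0, fmt.Errorf("resolving user %q: %w", identity, err)`, would fix that (and needs `fmt` added to the new import block). The name-or-number dispatch is duplicated between the two functions; a small helper taking the two lookup funcs would keep them in step.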