privilege manage (escalation & degradation) when running as root

[ghost]

#111

Privilege manage when running as root. Store the root privilege and degrade, when root privilege is needed, escalate privilege

With this, sudo xmake install is safe and ok

[waruqi]

Great! 👍

[waruqi]

@titansnow I do not understand why it is safe to do this, and now it seems that sudo xmake can always be passed.

[ghost]

@waruqi when running as root, module privilege will store the root privilege. That is

sudo xmake
uid: 0
gid: 0

privilege store it
uid: 1000 (for example)
gid: 1000

some actions need privilege, get
uid: 0
gid: 0

The way is

1. check that xmake is running as root
2. set uid & gid to normal user.

   uid: 1000
   euid: 1000
   saved-uid: 0
   

3. when spawn a process, the saved-uid will clear so that it's safe with no root privilege

   uid: 1000
   euid: 1000
   saved-uid: 1000
   

4. when call privilege.get(), set to root. Be able because saved-uid

   uid: 0
   euid: 0
   saved-uid: 0
   

An example

$ sudo xmake l
> os.exec('id -u')
1000

[waruqi]

@titansnow This means that when the store privilege (uid, gid 1000), some operations that require root(uid,gid 0) will still fail. So it's safe when run sudo xmake. Is that right?

[ghost]

@waruqi The script inside xmake process could use privilege.get() to get root privilege. But the processes xmake spawns after privilege is stored could not get root privilege. They run as normal user

[ghost]

@waruqi When root privilege is needed, for example installation, call privilege.get() then after this xmake and spawned process will have root privilege

[waruqi]

Got it! It's great! 👍 ❤️

[ghost]

1. launch xmake by sudo xmake -> has root privilege
2. store it -> doesn't has root privilege
3. spawn process like gcc -> doesn't has root privilege, cannot get root privilege
4. do installation
5. privilege.get() -> has root privilege
6. spawn process for installation -> has root privilege

[waruqi]

I understand it. Thanks! 😄