* If not running as root, let the setuid helper kill the build user's

processes before and after the build.
2025-06-27 12:41:15 +02:00 · 2006-12-07 16:33:31 +00:00 · 2006-12-07 16:33:31 +00:00 · f76fdb6d42
commit f76fdb6d42
parent ec23ecc64d
2 changed files with 69 additions and 31 deletions
--- a/src/nix-setuid-helper/main.cc
+++ b/src/nix-setuid-helper/main.cc
@ -66,6 +66,15 @@ static uid_t nameToUid(const string & userName)
 }


+static void checkIfBuildUser(const StringSet & buildUsers,
+    const string & userName)
+{
+    if (buildUsers.find(userName) == buildUsers.end())
+        throw Error(format("user `%1%' is not a member of the build users group")
+            % userName);
+}
+
+
 /* Run `program' under user account `targetUser'.  `targetUser' should
   be a member of `buildUsersGroup'.  The ownership of the current
   directory is changed from the Nix user (uidNix) to the target
@ -80,10 +89,9 @@ static void runBuilder(uid_t uidNix, gid_t gidBuildUsers,
    if (uidTargetUser == 0)
        throw Error("won't setuid to root");

-    /* Verify that the target user is a member of that group. */
-    if (buildUsers.find(targetUser) == buildUsers.end())
-        throw Error(format("user `%1%' is not a member of the build users group")
-            % targetUser);
+    /* Verify that the target user is a member of the build users
+       group. */
+    checkIfBuildUser(buildUsers, targetUser);
    
    /* Chown the current directory, *if* it is owned by the Nix
       account.  The idea is that the current directory is the
@ -118,6 +126,21 @@ static void runBuilder(uid_t uidNix, gid_t gidBuildUsers,
 }


+void killBuildUser(gid_t gidBuildUsers,
+    const StringSet & buildUsers, const string & userName)
+{
+    uid_t uid = nameToUid(userName);
+    
+    /* Verify that the user whose processes we are to kill is a member
+       of the build users group. */
+    checkIfBuildUser(buildUsers, userName);
+
+    assert(uid != 0);
+
+    killUser(uid);
+}
+
+
 #ifndef NIX_SETUID_CONFIG_FILE
 #define NIX_SETUID_CONFIG_FILE "/etc/nix-setuid.conf"
 #endif
@ -204,6 +227,12 @@ static void run(int argc, char * * argv)
        secureChown(-1, gidBuildUsers, uidNix, gidBuildUsers, argv[2]);
    }

+    else if (command == "kill") {
+        /* Syntax: nix-setuid-helper kill <username> */
+        if (argc != 3) throw Error("missing user name");
+        killBuildUser(gidBuildUsers, buildUsers, argv[2]);
+    }
+
    else throw Error ("invalid command");
 }