wip

coreos · Dec 3, 2018 · 1e2728c · 1e2728c
1 parent 30ecf90
commit 1e2728c
Showing 1 changed file with 68 additions and 6 deletions.
diff --git a/rust/src/sysusers.rs b/rust/src/sysusers.rs
@@ -17,6 +17,7 @@
  */
 
 use clap::{App, Arg};
+use libc;
 use failure::Fallible;
 use std::borrow::Cow;
 use std::io::prelude::*;
@@ -318,6 +319,32 @@ impl IndexedSysusers {
     }
 }
 
+#[derive(Default)]
+struct IdIndex {
+    uids: collections::HashMap<u32, String>,
+    gids: collections::HashMap<u32, String>,
+}
+
+impl IdIndex {
+    fn new(sysusers: &IndexedSysusers) -> Self {
+        let mut uids = collections::HashMap::new();
+        let mut gids = collections::HashMap::new();
+
+        for (name, value) in &sysusers.users {
+            if let IdSpecification::Specified(uid) = value.id {
+                uids.insert(uid, name.clone());
+            }
+        }
+        for (name, value) in &sysusers.groups {
+            if let IdSpecification::Specified(gid) = value.id {
+                gids.insert(gid, name.clone());
+            }
+        }
+
+        Self { uids, gids }
+    }
+}
+
 fn parse_sysusers_indexed(f: &mut io::BufReader<fs::File>,
                           indexed: &mut IndexedSysusers) -> Fallible<()> {
     let mut entries = parse_sysusers_stream(f)?;
@@ -352,14 +379,47 @@ fn openat_file_type(d: &openat::Dir, e: &openat::Entry) -> Fallible<openat::Simp
     }
 }
 
-fn find_nonstatic_ownership<P : openat::AsPath>(_dfd: openat::Dir, _path: P) -> Fallible<()> {
-    // for child in dfd.list_dir(path)? {
-    //     let child = child?;
-    //     let meta =
-    // }
+fn analyze_non_root_owned_file<P : AsRef<path::Path>>(p: P, meta: &libc::stat, index: &IdIndex, users: &IndexedSysusers) -> Fallible<()> {
+    let p = p.as_ref();
+    if meta.st_uid != 0 {
+        if !index.uids.contains_key(&meta.st_uid) {
+            eprintln!("sysusers: No static entry for owner {} of {:?}", meta.st_uid, p);
+        }
+    }
+    if meta.st_gid != 0 {
+        if !index.gids.contains_key(&meta.st_gid) {
+            eprintln!("sysusers: No static entry for group {} of {:?}", meta.st_gid, p);
+        }
+    }
     Ok(())
 }
 
+fn find_nonstatic_ownership_recurse<P : AsRef<path::Path>>(root: &openat::Dir, p: P, index: &IdIndex, users: &IndexedSysusers) -> Fallible<()> {
+    let p = p.as_ref();
+    for child in root.list_dir(p)? {
+        let child = child?;
+        let meta = root.metadata(child.file_name())?;
+        let childp = p.join(child.file_name());
+        match meta.simple_type() {
+            openat::SimpleType::Dir => {
+                find_nonstatic_ownership_recurse(root, &childp, index, users)?;
+            },
+            _ => {
+                let stat = meta.stat();
+                if stat.st_uid != 0 || stat.st_gid != 0 {
+                    analyze_non_root_owned_file(&childp, stat, index, users)?;
+                }
+            }
+        }
+     }
+    Ok(())
+}
+
+fn find_nonstatic_ownership(root: &openat::Dir, users: &IndexedSysusers) -> Fallible<()> {
+    let index = IdIndex::new(users);
+    find_nonstatic_ownership_recurse(root, ".", &index, users)
+}
+
 fn load_other_sysusers(sysusers_dir: &openat::Dir) -> Fallible<IndexedSysusers> {
     let mut other_indexed = IndexedSysusers::new();
     // Load and index our *other* sysusers.d entries
@@ -387,7 +447,7 @@ fn postprocess(rootfs: openat::Dir) -> Fallible<()> {
     let sysusers_dirpath = path::Path::new(SYSUSERS_DIR);
     let sysusers_dir = rootfs.sub_dir(sysusers_dirpath)?;
 
-    let other_indexed = load_other_sysusers(&sysusers_dir)?;
+    let mut other_indexed = load_other_sysusers(&sysusers_dir)?;
 
     // Load our auto-generated sysusers.d entries
     let mut my_entries =
@@ -425,6 +485,8 @@ fn postprocess(rootfs: openat::Dir) -> Fallible<()> {
     }
     f.flush()?;
 
+    find_nonstatic_ownership(&rootfs, &other_indexed).map_err(|e| format_err!("Analyzing non-root ownership: {}", e))?;
+
     return Ok(())
 }