From 0eb9f4929dea257d43ba816afed967f74efd61ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20L=C3=BChne?= Date: Tue, 26 May 2020 05:44:08 +0200 Subject: [PATCH] Execute script with git permissions --- github-fast-env/bin/github-fast-env | 2 +- github-fast-env/bin/github-fast-envd | 106 ++++++++++++++------------- github-fast-env/github-fast-env.rb | 5 +- 3 files changed, 59 insertions(+), 54 deletions(-) diff --git a/github-fast-env/bin/github-fast-env b/github-fast-env/bin/github-fast-env index 059ba05..fa8821c 100644 --- a/github-fast-env/bin/github-fast-env +++ b/github-fast-env/bin/github-fast-env @@ -1,2 +1,2 @@ #/usr/bin/env bash -/usr/lib/github-fast-env/github-fast-env.rb "$@" +sudo /usr/lib/github-fast-env/github-fast-env.rb "$@" diff --git a/github-fast-env/bin/github-fast-envd b/github-fast-env/bin/github-fast-envd index 60052a5..2c6020a 100644 --- a/github-fast-env/bin/github-fast-envd +++ b/github-fast-env/bin/github-fast-envd @@ -176,11 +176,11 @@ while true mode = arguments[1] if mode == "named-pipes" - if arguments.length < 3 + if arguments.length < 4 raise ClientError.new "malformed command" end elsif mode == "pseudoterminal" - if arguments.length < 4 + if arguments.length < 5 raise ClientError.new "malformed command" end 
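Review bot: Prefixing the wrapper with a bare `sudo` makes the whole Ruby client run as sudo's default target user (normally root) rather than as the caller, including its option parsing and the `Dir.pwd` and script path it forwards. If the elevation is only needed to reach the daemon's control socket, a group-accessible socket or `sudo -u <service-user>` would grant far less. If it stays, the required sudoers entry should be documented and restricted to exactly `/usr/lib/github-fast-env/github-fast-env.rb`. Separately, the context line `#/usr/bin/env bash` is missing its `!`, so it is a comment rather than a shebang: `#!/usr/bin/env bash`.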
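Review bot: Both length checks remain lower bounds (`< 4`, `< 5`), while the next hunk reads the working directory and script path from the end of the list with `arguments[-2]` and `arguments[-1]`, so a request carrying extra tokens is still accepted. Since these fields now decide what is loaded under the `git` account, an exact match is the safer contract: `if arguments.length != 4` for named-pipes and `if arguments.length != 5` for pseudoterminal. How `arguments` is split lies outside this hunk, so confirm the counts against the parser.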
@@ -189,71 +189,75 @@ while true raise ClientError.new "unknown mode (#{mode})" end - script_path = Base64.decode64(arguments.last) + working_directory = Base64.decode64(arguments[-2]) + script_path = Base64.decode64(arguments[-1]) connection_id += 1 child_process = fork { - process_id = Process.pid - control_socket.puts "pid #{process_id}" + Dir.chdir(working_directory) do + process_id = Process.pid + control_socket.puts "pid #{process_id}" - exit_code = "unknown" + exit_code = "unknown" - if mode == "named-pipes" - set_up_named_pipes(control_socket, connection_id) - else - set_up_pseudoterminal(control_socket, pseudoterminal_path) - end + if mode == "named-pipes" + set_up_named_pipes(control_socket, connection_id) + else + set_up_pseudoterminal(control_socket, pseudoterminal_path) + end - $original_stderr.puts " executing script #{script_path} (#{process_id})" + Process.gid = Process.egid = "git" + Process.uid = Process.euid = "git" + + $original_stderr.puts " executing script #{script_path} (#{process_id})" - begin begin - load script_path, true - rescue SystemExit => error - $original_stderr.puts " exit code: #{error.status}" - exit_code = error.status + begin + load script_path, true + rescue SystemExit => error + $original_stderr.puts " exit code: #{error.status}" + exit_code = error.status + rescue StandardError => error + $stdin = $original_stdin + $stdout = $original_stdout + $stderr = $original_stderr + + raise ClientScriptError.new error + end + rescue ClientScriptError => error + encoded_error_output = Base64.encode64(error.source.full_message).delete("\n") + $original_stderr.puts " error executing script, ignoring request" + begin + control_socket.puts "script_error #{encoded_error_output}" + rescue + end + rescue ClientError => error + $original_stderr.puts " error communicating with client, ignoring request (#{error})" + begin + control_socket.puts "error #{error}" + rescue + end rescue StandardError => error - $stdin = $original_stdin - $stdout = 
$original_stdout - $stderr = $original_stderr - - raise ClientScriptError.new error + $original_stderr.puts " error, ignoring request (#{error})" + begin + control_socket.puts "error internal server error" + rescue + end end - rescue ClientScriptError => error - encoded_error_output = Base64.encode64(error.source.full_message).delete("\n") - $original_stderr.puts " error executing script, ignoring request" + begin - control_socket.puts "script_error #{encoded_error_output}" + control_socket.puts "done #{exit_code}" rescue end - rescue ClientError => error - $original_stderr.puts " error communicating with client, ignoring request (#{error})" - begin - control_socket.puts "error #{error}" - rescue - end - rescue StandardError => error - $original_stderr.puts " error, ignoring request (#{error})" - begin - control_socket.puts "error internal server error" - rescue + control_socket.close + + if mode == "named-pipes" + clean_up_named_pipes(control_socket, connection_id) end + + $original_stderr.puts " finished handling request (#{process_id})" end - - begin - control_socket.puts "done #{exit_code}" - rescue - end - control_socket.close - - if mode == "named-pipes" - clean_up_named_pipes(control_socket, connection_id) - end - - $original_stderr.puts " finished handling request (#{process_id})" - - Kernel.exit! } Process.detach(child_process) diff --git a/github-fast-env/github-fast-env.rb b/github-fast-env/github-fast-env.rb index 541ead4..a697619 100644 --- a/github-fast-env/github-fast-env.rb +++ b/github-fast-env/github-fast-env.rb @@ -156,6 +156,7 @@ end log "info", "connected to control socket" +working_directory = Base64.encode64(Dir.pwd).delete("\n") encoded_script_path = Base64.encode64(script_path).delete("\n") read_ios = [$control_socket] 
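Review bot: The privilege drop `Process.uid = Process.euid = "git"` (and the gid line above it) sets the real and effective ids but does not clear the supplementary groups, and where Ruby implements these setters with setresuid it also leaves the saved ids untouched, so a script run through `load` may be able to switch back to the daemon's original identity. `Process.initgroups` followed by `Process::GID.change_privilege` and `Process::UID.change_privilege` makes the drop permanent. `Dir.chdir(working_directory)` also runs before the drop, so a client-supplied path is entered with the daemon's privileges rather than git's; moving it below the drop lets the kernel enforce git's directory permissions. The hunk also removes `Kernel.exit!`, so the child now ends through the normal exit path and would run any at_exit handlers inherited from the parent; it is worth confirming that this is intended.

```ruby
child_process = fork {
  # … unchanged: pid announcement, named-pipes / pseudoterminal setup …

  # Drop to git permanently: supplementary groups first, then gid, then uid.
  git_gid = Process::GID.from_name("git")
  git_uid = Process::UID.from_name("git")
  Process.initgroups("git", git_gid)
  Process::GID.change_privilege(git_gid)
  Process::UID.change_privilege(git_uid)

  # Enter the client-supplied directory only with git's permissions.
  Dir.chdir(working_directory) do
    # … unchanged: load script_path, error reporting, "done" message, cleanup …
  end
```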
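Review bot: `working_directory` holds the Base64-encoded value, unlike its neighbour `encoded_script_path`, so it is easy to mistake for the raw path where it is interpolated into the control message in the next hunk. `encoded_working_directory = Base64.strict_encode64(Dir.pwd)` keeps the naming parallel, and `strict_encode64` emits no newlines, so the `.delete("\n")` is no longer needed. The daemon changes into whatever directory this client reports, so the value should be documented as untrusted input on the server side.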
@@ -164,9 +165,9 @@ if $options[:interactive] pseudoterminal_path = File.readlink("/proc/self/fd/0") encoded_pseudoterminal_path = Base64.encode64(pseudoterminal_path).delete("\n") - $control_socket.puts "new v1 pseudoterminal #{encoded_pseudoterminal_path} #{encoded_script_path}" + $control_socket.puts "new v1 pseudoterminal #{encoded_pseudoterminal_path} #{working_directory} #{encoded_script_path}" else - $control_socket.puts "new v1 named-pipes #{encoded_script_path}" + $control_socket.puts "new v1 named-pipes #{working_directory} #{encoded_script_path}" end pipes = {"stdin" => nil, "stdout" => nil, "stderr" => nil}
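Review bot: The request layout changes in both `puts` calls (a working-directory field is inserted before the script path) but the version token stays `v1`, so a mismatched client and daemon can only be told apart by the argument count. Bumping the token, for example `new v2 named-pipes …`, and having the daemon reject versions it does not know would make the incompatibility explicit; whether the daemon inspects the token at all is not visible here. A one-line comment above the two calls stating the field order would also help, e.g. `# new <version> <mode> [<pty>] <cwd> <script>; all paths Base64-encoded`.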