osutil/sys, client: add sys.RunAsUidGid, use it for auth.json

[chipaca]

If /home is on NFS, trying to read, write or remove the user's
auth.json as root fails.

This PR adds code to drop privileges to the owner of the file before
attempting operating on it.

This fixes lp:1761193.

[chipaca]

Wellp, that didn't work. back to the drawing board.

[bboozzoo]

Have you tried to restore the uid/gid and then runtime.UnlockOSThread() instead of exiting?

[bboozzoo]

Oh, and a buffered channel instead of unbufferred one.

[chipaca]

we're back, baby!

[codecov-io]

Codecov Report

Merging #4983 into master will increase coverage by 0.05%.
The diff coverage is 67.85%.

@@            Coverage Diff             @@
##           master    #4983      +/-   ##
==========================================
+ Coverage   79.12%   79.18%   +0.05%     
==========================================
  Files         478      485       +7     
  Lines       35230    35950     +720     
==========================================
+ Hits        27876    28467     +591     
- Misses       5157     5234      +77     
- Partials     2197     2249      +52

Impacted Files	Coverage Δ
client/login.go	64.1% <67.85%> (-3.12%)	⬇️
cmd/snap/cmd_userd.go	66.66% <0%> (-19.05%)	⬇️
testutil/lowlevel.go	88.78% <0%> (-3.9%)	⬇️
interfaces/builtin/all.go	80.3% <0%> (-3.83%)	⬇️
overlord/snapstate/storehelpers.go	80.76% <0%> (-1.74%)	⬇️
overlord/ifacestate/handlers.go	63.25% <0%> (-1.48%)	⬇️
store/errors.go	71.18% <0%> (-0.95%)	⬇️
client/snap_op.go	80.88% <0%> (-0.79%)	⬇️
cmd/snap-update-ns/utils.go	93.93% <0%> (-0.33%)	⬇️
cmd/snap/cmd_run.go	65.14% <0%> (-0.23%)	⬇️
... and 34 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2091aae...ef022e8. Read the comment docs.

[bboozzoo]

yay!

[zyga]

Hmm, just return the error directly? :-)

[zyga]

Ah, the diff formatting confused me, never mind :)

[zyga]

Please document this type.

[zyga]

Some comments inline.

[zyga]

Please document this error.

[zyga]

Missing docs :)

[zyga]

Is there a need to use RawSyscall vs Syscall? The difference, AFAIK, is that raw syscall blocks directly and Syscall will ping back to the runtime to say its about to enter and has just left a system call. If there's a need then please document why we use RawSyscall here.

[chipaca]

I'm trusting the go standard library on the distinction here (syscall.Setreuid et al use RawSyscall). The difference is not documented and I don't know enough of the internals to have a good opinion.

[zyga]

I think this function warrants a comment

[zyga]

Can you document if the order is significant and if so, why, please?

[zyga]

While reading I read the code for those. Is there any reason we are not using getres{u,g}id()? It uses one less system call.

[zyga]

LGTM with a nitpick.

[zyga]

Nitpick, That

[chipaca]

I'm torn between fixing it now, or landing it now and fixing it later :-)

[chipaca]

After much poking around, I don't think this is safe to land as is.

It all boils down to golang/go#20676, which is fixed in 1.10 but not before.

Given that this is for use from snap and not snapd, and that contention should be low, we could make it very very unlikely to hit the bug. But with the number of users we have, very unlikely is still quite likely.

The options to fix lp:1761193 seem to me to be:

1. write something in cgo that calls clone and then does the syscalls, and either calls a function back (via an id, as you can't pass pointers around), or does the file opening and returns the descriptor,
2. ignore the contentious contention and land this,
3. move to 1.10, or
4. do the file i/o via a helper (e.g. runuser+cat).

the first one gives me hives, the second will cause very weird bugs, the third is likely a year away, so ... maybe I do the fourth?