imp: run: don't drop real user/group ids in parent

Problem: The IMP run implementation sets the real user and group id of the process to the effective user and group id in the privileged parent, but this makes it so that the invoking user can no longer deliver signals to the IMP parent process. Move the setuid()/setgid() calls to the child process just before execve(2) is called. The parent IMP thereby maintains the real uid/gid of the invoking user and can handle forwarding of signals from that user to the invoked run command. Since the parent IMP process no longer has a real userid of 0/root, update the call that obtains the userid for setting USER and HOME to use the effective uid.
flux-framework · Nov 2, 2024 · e4df56d · e4df56d
1 parent f09b463
commit e4df56d
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/src/imp/run.c b/src/imp/run.c
@@ -165,7 +165,7 @@ imp_run (struct imp_state *imp,
         imp_die (1, "run %s: relative path not allowed", name);
 
     /*  Get passwd entry for current user to set HOME and USER */
-    if (!(pwd = getpwuid (getuid ())))
+    if (!(pwd = getpwuid (geteuid ())))
         imp_die (1, "run: failed to find target user");
 
     /*  Set HOME and USER */
@@ -199,6 +199,10 @@ imp_run (struct imp_state *imp,
         /* unblock all signals */
         imp_sigunblock_all ();
 
+        if (setuid (geteuid()) < 0
+            || setgid (getegid()) < 0)
+            imp_die (1, "setuid: %s", strerror (errno));
+
         args[0] = path;
         args[1] = NULL;
 #if CODE_COVERAGE_ENABLED
@@ -271,10 +275,6 @@ int imp_run_privileged (struct imp_state *imp,
     if (!kv_env)
         imp_die (1, "run: error processing command environment");
 
-    if (setuid (geteuid()) < 0
-        || setgid (getegid()) < 0)
-        imp_die (1, "setuid: %s", strerror (errno));
-
     imp_run (imp, name, cf_run, kv_env);
 
     return 0;