Skip to content

Commit

Permalink
cli: Explicitly require root privileges
Browse files Browse the repository at this point in the history
We do this in the install flow, do it for CLI verbs like
`status`, `update|upgrade` etc.

Signed-off-by: Colin Walters <[email protected]>
  • Loading branch information
cgwalters committed Dec 19, 2023
1 parent 38fc67a commit 7e40a48
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 1 deletion.
1 change: 1 addition & 0 deletions lib/src/cli.rs
Original file line number Diff line number Diff line change
Expand Up @@ -245,6 +245,7 @@ pub(crate) fn require_root() -> Result<()> {
/// A few process changes that need to be made for writing.
#[context("Preparing for write")]
pub(crate) async fn prepare_for_write() -> Result<()> {
crate::cli::require_root()?;
if ostree_ext::container_utils::is_ostree_container()? {
anyhow::bail!(
"Detected container (ostree base); this command requires a booted host system."
Expand Down
13 changes: 12 additions & 1 deletion lib/src/privtests.rs
Original file line number Diff line number Diff line change
Expand Up @@ -104,13 +104,24 @@ pub(crate) fn impl_run_container() -> Result<()> {
let sh = Shell::new()?;
let host: Host = serde_yaml::from_str(&cmd!(sh, "bootc status").read()?)?;
assert!(host.status.is_container);
println!("ok status");

for c in ["upgrade", "update"] {
let o = Command::new("bootc").arg(c).output()?;
let st = o.status;
assert!(!st.success());
let stderr = String::from_utf8(o.stderr)?;
assert!(stderr.contains("this command requires a booted host system"));
assert!(stderr.contains("This command requires full root privileges"));
}
println!("ok upgrade/update are errors in container");

let o = Command::new("runuser")
.args(["-u", "bin", "bootc", "upgrade"])
.output()?;
assert!(!o.status.success());
let stderr = String::from_utf8(o.stderr)?;
assert!(stderr.contains("requires root privileges"));

println!("ok container integration testing");
Ok(())
}
Expand Down
2 changes: 2 additions & 0 deletions lib/src/status.rs
Original file line number Diff line number Diff line change
Expand Up @@ -261,6 +261,7 @@ pub(crate) fn get_status(
}

/// Implementation of the `bootc status` CLI command.
#[context("Status")]
pub(crate) async fn status(opts: super::cli::StatusOpts) -> Result<()> {
let host = if ostree_ext::container_utils::is_ostree_container()? {
let status = HostStatus {
Expand All @@ -271,6 +272,7 @@ pub(crate) async fn status(opts: super::cli::StatusOpts) -> Result<()> {
r.status = status;
r
} else {
crate::cli::require_root()?;
let sysroot = super::cli::get_locked_sysroot().await?;
let booted_deployment = sysroot.booted_deployment();
let (_deployments, host) = get_status(&sysroot, booted_deployment.as_ref())?;
Expand Down

0 comments on commit 7e40a48

Please sign in to comment.