Merge pull request #2534 from CodethinkLabs/richardmaw/non-home-dir-w…

…orkdirs Further support for working with sudo and non-home directories
systemd · Mar 20, 2024 · 2b22dbd · 2b22dbd
2 parents f4151aa + f5a5096
commit 2b22dbd
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 4 deletions.
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
@@ -4058,7 +4058,7 @@ def sync_repository_metadata(context: Context) -> None:
 
 def run_sync(args: Args, config: Config, *, resources: Path) -> None:
     if os.getuid() == 0:
-        os.setgroups(os.getgrouplist(INVOKING_USER.name(), INVOKING_USER.gid))
+        os.setgroups(INVOKING_USER.extra_groups())
         os.setgid(INVOKING_USER.gid)
         os.setuid(INVOKING_USER.uid)
 

diff --git a/mkosi/run.py b/mkosi/run.py
@@ -139,6 +139,7 @@ def run(
     input: Optional[str] = None,
     user: Optional[int] = None,
     group: Optional[int] = None,
+    extra_groups: Optional[Sequence[int]] = None,
     env: Mapping[str, str] = {},
     cwd: Optional[Path] = None,
     log: bool = True,
@@ -202,6 +203,7 @@ def preexec() -> None:
                 text=True,
                 user=user,
                 group=group,
+                extra_groups=extra_groups,
                 env=env,
                 cwd=cwd,
                 preexec_fn=preexec,

diff --git a/mkosi/user.py b/mkosi/user.py
@@ -7,6 +7,7 @@
 import os
 import pwd
 import tempfile
+from collections.abc import Sequence
 from pathlib import Path
 
 from mkosi.log import die
@@ -25,7 +26,11 @@ class INVOKING_USER:
     def init(cls) -> None:
         name = cls.name()
         home = cls.home()
-        logging.debug(f"Running as user '{name}' ({cls.uid}:{cls.gid}) with home {home}.")
+        extra_groups = cls.extra_groups()
+        logging.debug(
+            f"Running as user '{name}' ({cls.uid}:{cls.gid}) with home {home} "
+            f"and extra groups {extra_groups}."
+        )
 
     @classmethod
     def is_running_user(cls) -> bool:
@@ -41,6 +46,11 @@ def name(cls) -> str:
     def home(cls) -> Path:
         return Path(f"~{cls.name()}").expanduser()
 
+    @classmethod
+    @functools.lru_cache(maxsize=1)
+    def extra_groups(cls) -> Sequence[int]:
+        return os.getgrouplist(cls.name(), cls.gid)
+
     @classmethod
     def is_regular_user(cls) -> bool:
         return cls.uid >= 1000
@@ -58,17 +68,21 @@ def cache_dir(cls) -> Path:
 
     @classmethod
     def mkdir(cls, path: Path) -> Path:
-        cond = not cls.invoked_as_root or (cls.is_regular_user() and path.is_relative_to(cls.home()))
+        cond = (
+            not cls.invoked_as_root or
+            (cls.is_regular_user() and any(p.exists() and p.stat().st_uid == cls.uid for p in path.parents))
+        )
         run(
             ["mkdir", "--parents", path],
             user=cls.uid if cond else os.getuid(),
             group=cls.gid if cond else os.getgid(),
+            extra_groups=cls.extra_groups() if cond else None,
         )
         return path
 
     @classmethod
     def rchown(cls, path: Path) -> None:
-        if cls.is_regular_user() and path.is_relative_to(INVOKING_USER.home()) and path.exists():
+        if cls.is_regular_user() and any(p.stat().st_uid == cls.uid for p in path.parents) and path.exists():
             run(["chown", "--recursive", f"{INVOKING_USER.uid}:{INVOKING_USER.gid}", path])