Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Check os permissions as if acting as user #1230

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

peterverraedt
Copy link

@peterverraedt peterverraedt commented Mar 13, 2023

This PR proposes to optimize the behaviour of acting as a specified uid/gid for a user, if sftpgo is run as root. We check standard linux permissions as well as extended ACLs. For this we wrap all pkg.go.dev/os calls by a package that checks the permissions first before calling the corresponding function. If not on linux, or sftpgo is not running as root, there is a fallback to the default pkg.go.dev/os calls.

The main benifits are that file permissions are checked, but syscalls to change uid/gid are avoided.

There are two exceptions of operations that are not being checked that a certain uid/gid has access: The ScanQuota function for virtual folders if triggered by an event, because virtual folders are not one-to-one mapped to a user, but that operation only reads files so it should be fine; and the creation of the user "home folder". The latter could be changed by creating a world-writable directory with the sticky bit set.

In case you would consider to merge this, implementing secondary groups in the database model would be the next step, for situations where folders are shared on gid-basis and users can belong to different groups.

(This is a follow up to #1225)

@peterverraedt peterverraedt requested a review from drakkan as a code owner March 13, 2023 19:40
@drakkan
Copy link
Owner

drakkan commented Mar 14, 2023

Thanks for contribution. This seems a potential big change, I'll try to find the time to test and review it after v2.5 release. Do we really need to support linux ACL? I haven't looked into the code, so this might be a trivial question, but CGO dependency introduction is something to consider carefully. Currently the only CGO dependency is sqlite.

In the meantime I suggest using your patch in production so you can see if there are any issues. Thanks

@peterverraedt
Copy link
Author

Sorry for the C-dependency, it is only used in https://github.com/peterverraedt/useros/blob/main/log.go for debugging purposes and can easily be removed.

I'll further test and see whether something pops up.

@drakkan
Copy link
Owner

drakkan commented Mar 14, 2023

Sorry for the C-dependency, it is only used in https://github.com/peterverraedt/useros/blob/main/log.go for debugging purposes and can easily be removed.

great!

As for logging I would like an interface so we can integrate the library logging with SFTPGo, see the following examples

https://github.com/drakkan/sftpgo/blob/main/internal/logger/lego.go
https://github.com/drakkan/sftpgo/blob/main/internal/logger/hclog.go

ignore this comment if the library logger already allows it

I'll further test and see whether something pops up.

Thanks!

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants