remote-worker: Add ‘--user’.

* src/cuirass/scripts/remote-worker.scm (show-help, %options): Add ‘--user’. (cuirass-remote-worker): Honor it. * doc/cuirass.texi (Invocation): Document it.
2023-11-27 15:26:43 +01:00 · 2023-11-27 15:26:43 +01:00 · 3a6abc17f9
parent 6c9e9fc26f
commit 3a6abc17f9
2 changed files with 17 additions and 0 deletions
--- a/doc/cuirass.texi
+++ b/doc/cuirass.texi
@ -741,6 +741,10 @@ The list of URLs where to look for substitutes by default.
 Use the specific @var{file}s as the public/private key pair used to sign
 the store items being published.

+@item --user=@var{user}
+Change privileges to @var{user} as soon as possible---i.e., once the
+signing key has been read.
+
@item --version
@itemx -V
 Display the actual version of @code{cuirass}.
--- a/src/cuirass/scripts/remote-worker.scm
+++ b/src/cuirass/scripts/remote-worker.scm
@ -27,6 +27,7 @@
  #:use-module (cuirass logging)
  #:use-module (cuirass remote)
  #:use-module (cuirass ui)
+  #:autoload   (cuirass utils) (gather-user-privileges)
  #:use-module (gcrypt pk-crypto)
  #:use-module (guix avahi)
  #:use-module (guix config)
@ -96,6 +97,8 @@ Start a remote build worker.\n" (%program-name))
  (display (G_ "
      --substitute-urls=URLS
                            check for available substitutes at URLS"))
+  (display (G_ "
+  -u, --user=USER           change privileges to USER as soon as possible"))
  (display (G_ "
      --public-key=FILE     use FILE as the public key for signatures"))
  (display (G_ "
@ -116,6 +119,9 @@ Start a remote build worker.\n" (%program-name))
        (option '(#\V "version") #f #f
                (lambda _
                  (show-version-and-exit "cuirass remote-worker")))
+        (option '(#\u "user") #t #f
+                (lambda (opt name arg result)
+                  (alist-cons 'user arg result)))
        (option '(#\w "workers") #t #f
                (lambda (opt name arg result)
                  (alist-cons 'workers (string->number* arg) result)))
@ -463,6 +469,7 @@ exiting."
           (server-address (assoc-ref opts 'server))
           (systems (assoc-ref opts 'systems))
           (urls    (assoc-ref opts 'substitute-urls))
+           (user (assoc-ref opts 'user))
           (public-key
            (read-file-sexp
             (assoc-ref opts 'public-key-file)))
@ -470,6 +477,12 @@ exiting."
            (read-file-sexp
             (assoc-ref opts 'private-key-file))))

+        (when user
+          ;; Now that the private key has been read, drop privileges.
+          (gather-user-privileges user))
+        (when (zero? (getuid))
+          (warning (G_ "running with root privileges, which is not recommended~%")))
+
      ;; Distinguish the worker's GC root directory so that, in case a
      ;; 'cuirass remote-server' process runs on the same machine as a worker,
      ;; the worker's doesn't end up deleting the server's GC roots.