darwin: impl SecureSymlinkChown
This commit is contained in:
parent
783af739d2
commit
e6ccc740d8
1 changed files with 33 additions and 19 deletions
@ -3,29 +3,43 @@
|
|||
|
||||
package main
|
||||
|
||||
func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error {
|
||||
//fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_PATH|unix.O_NOFOLLOW, 0)
|
||||
//if err != nil {
|
||||
// return fmt.Errorf("Failed to open %s: %w", symlinkToCheck, err)
|
||||
//}
|
||||
//defer unix.Close(fd)
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
//buf := make([]byte, len(expectedTarget)+1) // oversize by one to detect trunc
|
||||
//n, err := unix.Readlinkat(fd, "", buf)
|
||||
//if err != nil {
|
||||
// return fmt.Errorf("couldn't readlinkat %s", symlinkToCheck)
|
||||
//}
|
||||
//if n > len(expectedTarget) || string(buf[:n]) != expectedTarget {
|
||||
// return fmt.Errorf("symlink %s does not point to %s", symlinkToCheck, expectedTarget)
|
||||
//}
|
||||
//err = unix.Fchownat(fd, "", owner, group, unix.AT_EMPTY_PATH)
|
||||
//if err != nil {
|
||||
// return fmt.Errorf("cannot change owner of '%s' to %d/%d: %w", symlinkToCheck, owner, group, err)
|
||||
//}
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
func SecureSymlinkChown(symlinkToCheck string, expectedTarget string, owner, group int) error {
|
||||
// not sure what O_PATH is needed for anyways
|
||||
fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_SYMLINK|unix.O_NOFOLLOW, 0)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Failed to open %s: %w", symlinkToCheck, err)
|
||||
}
|
||||
defer unix.Close(fd)
|
||||
|
||||
buf := make([]byte, len(expectedTarget)+1) // oversize by one to detect trunc
|
||||
n, err := unix.Readlinkat(fd, "", buf)
|
||||
if err != nil {
|
||||
return fmt.Errorf("couldn't readlinkat %s", symlinkToCheck)
|
||||
}
|
||||
if n > len(expectedTarget) || string(buf[:n]) != expectedTarget {
|
||||
return fmt.Errorf("symlink %s does not point to %s", symlinkToCheck, expectedTarget)
|
||||
}
|
||||
err = unix.Fchownat(fd, "", owner, group, unix.AT_SYMLINK_NOFOLLOW)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot change owner of '%s' to %d/%d: %w", symlinkToCheck, owner, group, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func MountSecretFs(mountpoint string, keysGid int) error {
|
||||
// NUMSECTORS=128000 # a sector is 512 bytes
|
||||
// mydev=`hdiutil attach -nomount ram://$NUMSECTORS`
|
||||
// newfs_hfs $mydev
|
||||
// mkdir /tmp/mymount
|
||||
// mount -t hfs $mydev /tmp/mymount
|
||||
|
||||
func MountSecretFs(mountpoint string, keysGid int, userMode bool) error {
|
||||
//if err := os.MkdirAll(mountpoint, 0751); err != nil {
|
||||
// return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
|
||||
//}
|
||||
|
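Review bot: The Darwin port keeps passing an empty path to the *at calls (`unix.Readlinkat(fd, "", buf)` and `unix.Fchownat(fd, "", owner, group, unix.AT_SYMLINK_NOFOLLOW)`) while dropping the Linux-only `AT_EMPTY_PATH` flag that made the empty path mean "the fd itself"; Darwin does not document that meaning for an empty path, so both calls presumably fail and the ownership change never happens. Since the descriptor is opened with `O_SYMLINK|O_NOFOLLOW` it already refers to the link itself, so the chown can be done directly on it with `if err := unix.Fchown(fd, owner, group); err != nil {` — no path argument and no re-resolution, which is the TOCTOU-free property this function exists for. The target check needs the same treatment; if a descriptor-based readlink is not available on the macOS versions the project supports, state that in a comment next to the `// not sure what O_PATH is needed for anyways` line instead of relying on the empty-path form. Separately, the readlinkat error path discards the underlying error; `return fmt.Errorf("couldn't readlinkat %s: %w", symlinkToCheck, err)` keeps the failure diagnosable, which matters because a wrong-owner secret is silent otherwise.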