Commit graph

7 commits

Author SHA1 Message Date
Klemens Nanni
12acd710be
Omit privileged setgroups(2) call to test set[ug]id(2) to same user
Every user may change its user/group ID to the current one.
With an ugly hack, skip the superuser-only part of chuser()
to exercise the rest of the code path in regular tests.
2024-11-12 02:36:28 +03:00
Klemens Nanni
ad3be5a04a
Lookup user/group by ID first, then by name to improve error message
`-user foo` would fail with an ugly
	`panic: strconv.Atoi: parsing "foo": invalid syntax`
as returned by `user.LookupId()`, whereas `user.Lookup()` nicely says
	`panic: user: unknown user foo`

In chuser() it does not matter whether we check by ID or name first,
so flip the order to get sensible logs without `fmt.Errorf()` wrapping.
2024-11-12 01:58:07 +03:00
Klemens Nanni
4a1a6144c4
use set{res -> }[ui]gid(2) for macOS lacks the former
2024-11-11 23:44:58 +03:00
Klemens Nanni
3fede90ae1
one chuser() to rule them all
2024-11-11 23:14:29 +03:00
Klemens Nanni
a0bfd9da44
Rewrite chuser() for simplicity and correctness
- Use unambiguous variable names (w/o package name conflict).
- Fail on invalid input such as the empty string or `:`.
- Do not change group without user, i.e. fail on `:group`.
- Parse input using mnemonic APIs.
- Do not juggle between integer types.
- Unset supplementary groups.
- Use setres[ug]id(2) to match the idiom of OpenBSD base programs.

Includes/Supersedes #1202.
Fixes #927.

I only tested on OpenBSD (so far), hence the split, but other systems
should just work.
2024-11-11 23:02:19 +03:00
Klemens Nanni
75d2080e53
Set groups when dropping privileges to not leak supplementary group access (#1202)
Changing the real and effective user/group IDs and the saved
set-user/group-ID is not enough to get rid of initial access permissions.

The list of groups must be cleared also, otherwise a process changing
from, e.g. `root:root` to `nobody:nobody` retains rights to access
`:wheel` files (assuming `root` is a member of the `wheel` group).

For example:
```
# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
# ./yggdrasil -autoconf -logto /dev/null -user nobody &
[1] 4337
# ps -o command,user,group,supgrp -U nobody
COMMAND          USER     GROUP    SUPGRP
./yggdrasil -aut nobody   nobody   wheel,kmem,sys,tty,operator,staff,guest
```

Fix that so the process runs as mere
```
COMMAND          USER     GROUP    SUPGRP
./yggdrasil -aut nobody   nobody   nobody
```

Fixes #927.
2024-11-11 19:28:28 +00:00
cathugger
34f087de1c
argument to change uid/gid (#927)
different from
https://github.com/yggdrasil-network/yggdrasil-go/pull/817 in that it
can resolve user names, automatically use user's primary gid & allows
specifying gid in the same argument, with `:` eg `username:groupname`.
feel free to criticize & suggest different argument name & description
because i didn't put much of thought to that.

---------

Co-authored-by: Neil <git@neilalexander.dev>
Co-authored-by: VNAT <xepjk@protonmail.com>
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2024-09-22 15:46:54 +00:00
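
The privilege drop described in commits 75d2080e53 and a0bfd9da44, written out as an added Go example (not yggdrasil's own `chuser()`): supplementary groups are reset before the IDs change, and the result is verified afterwards. The helper names `dropPrivileges` and `leakedGroups` and the sample ID 32767 are assumptions made for illustration; the portable `set[ug]id(2)` calls are used through Go's `syscall` package.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// leakedGroups lists supplementary groups other than gid (hypothetical helper).
func leakedGroups(gid int, groups []int) []int {
	var leaked []int
	for _, g := range groups {
		if g != gid {
			leaked = append(leaked, g)
		}
	}
	return leaked
}

// dropPrivileges is a hypothetical helper, not the project's chuser().
func dropPrivileges(uid, gid int) error {
	// setgroups(2) is superuser-only, so it runs first; setuid(2) runs last.
	if err := syscall.Setgroups([]int{gid}); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	// Verify the result instead of trusting the calls.
	groups, err := os.Getgroups()
	if err != nil {
		return fmt.Errorf("getgroups: %w", err)
	}
	if l := leakedGroups(gid, groups); len(l) > 0 || os.Geteuid() != uid || os.Getegid() != gid {
		return fmt.Errorf("incomplete drop: %d:%d, extra groups %v", os.Geteuid(), os.Getegid(), l)
	}
	return nil
}

func main() { // 32767 is a constructed sample ID; run as root
	if err := dropPrivileges(32767, 32767); err != nil {
		fmt.Fprintln(os.Stderr, "drop failed:", err)
		os.Exit(1)
	}
}
```

Run without superuser rights, the program stops at `setgroups`, the privileged step that commit 12acd710be skips in regular tests.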