From 59a66c779c9c56c0d2169317b52641dcbc48d29b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 30 Jul 2014 15:25:32 +0200
Subject: remote: provide the options --run-as-user and --run-as-group

---
 p11-kit/p11-kit.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 54 insertions(+), 10 deletions(-)

diff --git a/p11-kit/p11-kit.c b/p11-kit/p11-kit.c
index 345b1e8..807e4b2 100644
--- a/p11-kit/p11-kit.c
+++ b/p11-kit/p11-kit.c
@@ -135,10 +135,12 @@ p11_kit_remote (int argc,
 {
 char *socket_file = NULL;
 CK_FUNCTION_LIST *module;
- uid_t uid = -1;
- gid_t gid = -1;
+ uid_t uid = -1, run_as_uid = -1;
+ gid_t gid = -1, run_as_gid = -1;
 int opt;
- int ret;
+ int ret, e;
+ const struct passwd* pwd;
+ const struct group* grp;
 
 enum {
 opt_verbose = 'v',
@@ -146,6 +148,8 @@ p11_kit_remote (int argc,
 opt_socket = 's',
 opt_user = 'u',
 opt_group = 'g',
+ opt_run_as_user = 'a',
+ opt_run_as_group = 'z',
 };
 
 struct option options[] = {
@@ -154,11 +158,15 @@ p11_kit_remote (int argc,
 { "socket", required_argument, NULL, opt_socket },
 { "user", required_argument, NULL, opt_user },
 { "group", required_argument, NULL, opt_group },
+ { "run-as-user", required_argument, NULL, opt_run_as_user },
+ { "run-as-group", required_argument, NULL, opt_run_as_group },
 { 0 },
 };
 
 p11_tool_desc usages[] = {
- { 0, "usage: p11-kit remote -s -u -g " },
+ { 0, "usage: p11-kit remote --help" },
+ { 0, "usage: p11-kit remote -s " },
+ { 0, "usage: p11-kit remote -s -u -g --run-as-user --run-as-group " },
 { 0 },
 };
 
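Review bot: The `-1` sentinels added for `run_as_uid` and `run_as_gid` in the `@@ -135,10 +135,12 @@` hunk are later tested as `run_as_gid != -1` and `run_as_uid != -1` (hunk at `-206,6`), which compares an id type against a signed int. That works only where `uid_t`/`gid_t` are at least as wide as `int`; with a narrower id type the test would presumably always be true and the drop would run with the sentinel value. Writing the tests as `run_as_gid != (gid_t)-1` and `run_as_uid != (uid_t)-1` removes the dependence on integer conversion and avoids sign-compare warnings. The existing `uid`/`gid` variables use the same pattern, and the function body continues outside the hunk.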
@@ -170,24 +178,38 @@ p11_kit_remote (int argc,
 case opt_socket:
 socket_file = strdup(optarg);
 break;
- case opt_group: {
- const struct group* grp = getgrnam(optarg);
+ case opt_group:
+ grp = getgrnam(optarg);
 if (grp == NULL) {
 p11_message ("unknown group: %s", optarg);
 return 2;
 }
 gid = grp->gr_gid;
 break;
- }
- case opt_user: {
- const struct passwd* pwd = getpwnam(optarg);
+ case opt_user:
+ pwd = getpwnam(optarg);
 if (pwd == NULL) {
 p11_message ("unknown user: %s", optarg);
 return 2;
 }
 uid = pwd->pw_uid;
 break;
- }
+ case opt_run_as_group:
+ grp = getgrnam(optarg);
+ if (grp == NULL) {
+ p11_message ("unknown group: %s", optarg);
+ return 2;
+ }
+ run_as_gid = grp->gr_gid;
+ break;
+ case opt_run_as_user:
+ pwd = getpwnam(optarg);
+ if (pwd == NULL) {
+ p11_message ("unknown user: %s", optarg);
+ return 2;
+ }
+ run_as_uid = pwd->pw_uid;
+ break;
 case opt_help:
 case '?':
 p11_tool_usage (usages, options);
@@ -206,6 +228,28 @@ p11_kit_remote (int argc,
 return 2;
 }
 
+ if (run_as_gid != -1) {
+ if (setgid(run_as_gid) == -1) {
+ e = errno;
+ p11_message("cannot set gid to %u: %s\n", (unsigned)run_as_gid, strerror(e));
+ return 1;
+ }
+
+ if (setgroups(1, &run_as_gid) == -1) {
+ e = errno;
+ p11_message("cannot setgroups to %u: %s\n", (unsigned)run_as_gid, strerror(e));
+ return 1;
+ }
+ }
+
+ if (run_as_uid != -1) {
+ if (setuid(run_as_uid) == -1) {
+ e = errno;
+ p11_message("cannot set uid to %u: %s\n", (unsigned)run_as_uid, strerror(e));
+ return 1;
+ }
+ }
+
 if (argc != 1) {
 p11_message ("specify the module to remote");
 return 2;
-- cgit v1.2.1
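Review bot: The two new cases in the `@@ -170,24 +178,38 @@` hunk reuse the messages `"unknown group: %s"` and `"unknown user: %s"` from `--group`/`--user`, so a failed lookup does not tell the operator which option was wrong. Name the option in the message, e.g. `p11_message ("unknown user for --run-as-user: %s", optarg);`, and likewise for `--run-as-group`. `pwd` and `grp` now live at function scope and point into storage that a later `getpwnam()`/`getgrnam()` call may overwrite; a short comment at their declaration noting that only the id is copied out would document that. The switch statement starts and ends outside the hunk.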
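Review bot: With `--run-as-user` alone, the `run_as_uid` block in the `@@ -206,6 +228,28 @@` hunk calls `setuid()` while the process still holds its original gid and supplementary groups, because `setgid()`/`setgroups()` run only when `--run-as-group` was given. For a process started as root, that leaves group-level access in place after what reads as a privilege drop. Either refuse the combination before any identity change, as sketched below, or keep `pwd->pw_gid` from the `opt_run_as_user` lookup in the previous hunk and use it for `setgid()`/`setgroups()` ahead of `setuid()`. The `p11_message` calls added here also end in `\n`, unlike the other `p11_message` calls visible in this diff.

```c
/* A uid change without a gid change would keep the caller's
 * primary and supplementary groups, so refuse the partial drop. */
if (run_as_uid != (uid_t)-1 && run_as_gid == (gid_t)-1) {
	p11_message ("--run-as-user requires --run-as-group");
	return 2;
}

/* … unchanged: run_as_gid block (setgid, setgroups) … */
/* … unchanged: run_as_uid block (setuid) … */
```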