Merge pull request #6591 from taskcluster/issue6590

Generic Worker: fix osGroups feature on Linux

Author: matt-boris

changelog/issue-6590.md

@@ -0,0 +1,5 @@
+audience: users
+level: patch
+reference: issue 6590
+---
+Generic Worker osGroups feature on Linux has been fixed. It never worked on this platform.

workers/generic-worker/helper_posix_test.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"path/filepath"
 	"strconv"
+	"strings"
 )
 
 func helloGoodbye() [][]string {
@@ -154,8 +155,17 @@ func listGroups() [][]string {
 	return [][]string{
 		{
 			"bash",
-			"-c",
-			`USER="$(whoami)"; for group in $(id -nG "${USER}"); do echo "*${group}"; done`,
+			"-ce",
+			strings.Join(
+				[]string{
+					`# make sure listing groups fails if process does not have same permissions as user`,
+					`[ "$(id -nG)" == "$(id -nG $(whoami))" ]`,
+					`for group in $(id -nG); do`,
+					`  echo "*${group}"`,
+					`done`,
+				},
+				"\n",
+			),
 		},
 	}
 }

workers/generic-worker/os_groups_multiuser.go

@@ -4,50 +4,57 @@ package main
 
 import (
 	"fmt"
+	"os/user"
 )
 
 // one instance per task
 type OSGroups struct {
 	Task *TaskRun
 	// keep track of which groups we successfully update
-	AddedGroups []string
+	AddedGroups []*user.Group
 }
 
 func (osGroups *OSGroups) Start() *CommandExecutionError {
-	groups := osGroups.Task.Payload.OSGroups
-	if len(groups) == 0 {
+	groupNames := osGroups.Task.Payload.OSGroups
+	if len(groupNames) == 0 {
 		return nil
 	}
 	if config.RunTasksAsCurrentUser {
-		osGroups.Task.Infof("Not adding task user to group(s) %v since we are running as current user.", groups)
+		osGroups.Task.Infof("Not adding task user to group(s) %v since we are running as current user.", groupNames)
 		return nil
 	}
-	notAddedGroups := []string{}
-	for _, group := range groups {
-		err := addUserToGroup(taskContext.User.Name, group)
-		if err == nil {
-			osGroups.AddedGroups = append(osGroups.AddedGroups, group)
-		} else {
-			notAddedGroups = append(notAddedGroups, group)
-			osGroups.Task.Errorf("[osGroups] Could not add task user to OS group %v: %v", group, err)
+	notAddedGroupNames := []string{}
+	for _, groupName := range groupNames {
+		err := addUserToGroup(taskContext.User.Name, groupName)
+		if err != nil {
+			notAddedGroupNames = append(notAddedGroupNames, groupName)
+			osGroups.Task.Errorf("[osGroups] Could not add task user to OS group %v: %v", groupName, err)
+			continue
 		}
+		group, err := user.LookupGroup(groupName)
+		if err != nil {
+			notAddedGroupNames = append(notAddedGroupNames, groupName)
+			osGroups.Task.Errorf("[osGroups] Could not look up group ID for OS group %v: %v", groupName, err)
+			continue
+		}
+		osGroups.AddedGroups = append(osGroups.AddedGroups, group)
 	}
-	if len(notAddedGroups) > 0 {
-		return MalformedPayloadError(fmt.Errorf("Could not add task user to OS group(s) %v", notAddedGroups))
+	if len(notAddedGroupNames) > 0 {
+		return MalformedPayloadError(fmt.Errorf("Could not add task user to OS group(s) %v", notAddedGroupNames))
 	}
 	return osGroups.refreshTaskCommands()
 }
 
 func (osGroups *OSGroups) Stop(err *ExecutionErrors) {
-	notRemovedGroups := []string{}
+	notRemovedGroupNames := []string{}
 	for _, group := range osGroups.AddedGroups {
-		e := removeUserFromGroup(taskContext.User.Name, group)
+		e := removeUserFromGroup(taskContext.User.Name, group.Name)
 		if e != nil {
-			notRemovedGroups = append(notRemovedGroups, group)
+			notRemovedGroupNames = append(notRemovedGroupNames, group.Name)
 			osGroups.Task.Errorf("[osGroups] Could not remove task user from OS group %v: %v", group, e)
 		}
 	}
-	if len(notRemovedGroups) > 0 {
-		err.add(executionError(internalError, errored, fmt.Errorf("Could not remove task user from OS group(s) %v", notRemovedGroups)))
+	if len(notRemovedGroupNames) > 0 {
+		err.add(executionError(internalError, errored, fmt.Errorf("Could not remove task user from OS group(s) %v", notRemovedGroupNames)))
 	}
 }

workers/generic-worker/os_groups_multiuser_darwin.go

@@ -13,7 +13,3 @@ func addUserToGroup(user, group string) error {
 func removeUserFromGroup(user, group string) error {
 	return host.Run("/usr/sbin/dseditgroup", "-o", "edit", "-d", taskContext.User.Name, "-t", "user", group)
 }
-
-func (osGroups *OSGroups) refreshTaskCommands() (err *CommandExecutionError) {
-	return
-}

workers/generic-worker/os_groups_multiuser_freebsd.go

@@ -15,7 +15,3 @@ func removeUserFromGroup(user, group string) error {
 	// TODO copied from Linux version, need to find out what to do for FreeBSD
 	return host.Run("/usr/bin/gpasswd", "-d", taskContext.User.Name, group)
 }
-
-func (osGroups *OSGroups) refreshTaskCommands() (err *CommandExecutionError) {
-	return
-}

workers/generic-worker/os_groups_multiuser_linux.go

@@ -13,7 +13,3 @@ func addUserToGroup(user, group string) error {
 func removeUserFromGroup(user, group string) error {
 	return host.Run("/usr/bin/gpasswd", "-d", taskContext.User.Name, group)
 }
-
-func (osGroups *OSGroups) refreshTaskCommands() (err *CommandExecutionError) {
-	return
-}

workers/generic-worker/os_groups_multiuser_posix.go

@@ -0,0 +1,23 @@
+//go:build multiuser && (darwin || linux || freebsd)
+
+package main
+
+import (
+	"fmt"
+	"strconv"
+)
+
+func (osGroups *OSGroups) refreshTaskCommands() (err *CommandExecutionError) {
+	gids := make([]uint32, len(osGroups.AddedGroups))
+	for i, group := range osGroups.AddedGroups {
+		gid, err := strconv.Atoi(group.Gid)
+		if err != nil {
+			panic(fmt.Sprintf("Group ID for %q is %q which isn't an int: %v", group.Name, group.Gid, err))
+		}
+		gids[i] = uint32(gid)
+	}
+	for _, command := range osGroups.Task.Commands {
+		command.SysProcAttr.Credential.Groups = gids
+	}
+	return
+}