
Allow Linux setuid/setgid #646

Merged (3 commits) on Apr 13, 2024

Conversation

@christopher-conley (Contributor) commented Jul 23, 2023

This commit allows webhook to setuid/setgid when running on Linux. It bumps the version dependency for modules golang.org/x/net and golang.org/x/sys to v0.7.0 (for both), removes the Linux GOOS from droppriv_nope.go, and removes the Linux GOOS negation from droppriv_unix.go.

Tested with:

go get -d

CGO_ENABLED=0 go build -ldflags="-s -w"

Webhook compiled correctly, launched & went resident, setuid/setgid properly according to the parameters fed to it, and correctly answered hook requests.

Forgot to include the test result:

builder@S4HRH9BLKDKBXTD:~/git/webhook/test$ go test ./..
ok      github.com/adnanh/webhook       12.079s

And here's the verbose test output:

builder@S4HRH9BLKDKBXTD:~/git/webhook/test$ go test ./..
=== RUN   TestStaticParams
--- PASS: TestStaticParams (0.00s)
=== RUN   TestWebhook
=== RUN   TestWebhook/github@test/hooks.json.tmpl
=== RUN   TestWebhook/github-multi-sig@test/hooks.json.tmpl
=== RUN   TestWebhook/github-multi-sig-fail@test/hooks.json.tmpl
=== RUN   TestWebhook/bitbucket@test/hooks.json.tmpl
=== RUN   TestWebhook/gitlab@test/hooks.json.tmpl
=== RUN   TestWebhook/xml@test/hooks.json.tmpl
=== RUN   TestWebhook/txt-raw@test/hooks.json.tmpl
=== RUN   TestWebhook/payload-json-array@test/hooks.json.tmpl
=== RUN   TestWebhook/slash-in-hook-id@test/hooks.json.tmpl
=== RUN   TestWebhook/multipart@test/hooks.json.tmpl
=== RUN   TestWebhook/issue-471@test/hooks.json.tmpl
=== RUN   TestWebhook/issue-471-and@test/hooks.json.tmpl
=== RUN   TestWebhook/missing-cmd-arg@test/hooks.json.tmpl
=== RUN   TestWebhook/missing-env-arg@test/hooks.json.tmpl
=== RUN   TestWebhook/empty-payload-signature@test/hooks.json.tmpl
=== RUN   TestWebhook/request-source@test/hooks.json.tmpl
=== RUN   TestWebhook/global_disallowed_method@test/hooks.json.tmpl
=== RUN   TestWebhook/disallowed_method@test/hooks.json.tmpl
=== RUN   TestWebhook/empty_payload@test/hooks.json.tmpl
=== RUN   TestWebhook/empty_payload@test/hooks.json.tmpl#01
=== RUN   TestWebhook/empty_payload@test/hooks.json.tmpl#02
=== RUN   TestWebhook/don't_capture_output_on_success_by_default@test/hooks.json.tmpl
=== RUN   TestWebhook/capture_output_on_success_with_flag_set@test/hooks.json.tmpl
=== RUN   TestWebhook/don't_capture_output_on_error_by_default@test/hooks.json.tmpl
=== RUN   TestWebhook/capture_output_on_error_with_extra_flag_set@test/hooks.json.tmpl
=== RUN   TestWebhook/static_params_should_pass@test/hooks.json.tmpl
=== RUN   TestWebhook/command_with_space_logs_warning@test/hooks.json.tmpl
=== RUN   TestWebhook/unsupported_content_type_error@test/hooks.json.tmpl
=== RUN   TestWebhook/github@test/hooks.yaml.tmpl
=== RUN   TestWebhook/github-multi-sig@test/hooks.yaml.tmpl
=== RUN   TestWebhook/github-multi-sig-fail@test/hooks.yaml.tmpl
=== RUN   TestWebhook/bitbucket@test/hooks.yaml.tmpl
=== RUN   TestWebhook/gitlab@test/hooks.yaml.tmpl
=== RUN   TestWebhook/xml@test/hooks.yaml.tmpl
=== RUN   TestWebhook/txt-raw@test/hooks.yaml.tmpl
=== RUN   TestWebhook/payload-json-array@test/hooks.yaml.tmpl
=== RUN   TestWebhook/slash-in-hook-id@test/hooks.yaml.tmpl
=== RUN   TestWebhook/multipart@test/hooks.yaml.tmpl
=== RUN   TestWebhook/issue-471@test/hooks.yaml.tmpl
=== RUN   TestWebhook/issue-471-and@test/hooks.yaml.tmpl
=== RUN   TestWebhook/missing-cmd-arg@test/hooks.yaml.tmpl
=== RUN   TestWebhook/missing-env-arg@test/hooks.yaml.tmpl
=== RUN   TestWebhook/empty-payload-signature@test/hooks.yaml.tmpl
=== RUN   TestWebhook/request-source@test/hooks.yaml.tmpl
=== RUN   TestWebhook/global_disallowed_method@test/hooks.yaml.tmpl
=== RUN   TestWebhook/disallowed_method@test/hooks.yaml.tmpl
=== RUN   TestWebhook/empty_payload@test/hooks.yaml.tmpl
=== RUN   TestWebhook/empty_payload@test/hooks.yaml.tmpl#01
=== RUN   TestWebhook/empty_payload@test/hooks.yaml.tmpl#02
=== RUN   TestWebhook/don't_capture_output_on_success_by_default@test/hooks.yaml.tmpl
=== RUN   TestWebhook/capture_output_on_success_with_flag_set@test/hooks.yaml.tmpl
=== RUN   TestWebhook/don't_capture_output_on_error_by_default@test/hooks.yaml.tmpl
=== RUN   TestWebhook/capture_output_on_error_with_extra_flag_set@test/hooks.yaml.tmpl
=== RUN   TestWebhook/static_params_should_pass@test/hooks.yaml.tmpl
=== RUN   TestWebhook/command_with_space_logs_warning@test/hooks.yaml.tmpl
=== RUN   TestWebhook/unsupported_content_type_error@test/hooks.yaml.tmpl
--- PASS: TestWebhook (12.04s)
    --- PASS: TestWebhook/github@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/github-multi-sig@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/github-multi-sig-fail@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/bitbucket@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/gitlab@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/xml@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/txt-raw@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/payload-json-array@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/slash-in-hook-id@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/multipart@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/issue-471@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/issue-471-and@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/missing-cmd-arg@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/missing-env-arg@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/empty-payload-signature@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/request-source@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/global_disallowed_method@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/disallowed_method@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/empty_payload@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/empty_payload@test/hooks.json.tmpl#01 (0.20s)
    --- PASS: TestWebhook/empty_payload@test/hooks.json.tmpl#02 (0.20s)
    --- PASS: TestWebhook/don't_capture_output_on_success_by_default@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/capture_output_on_success_with_flag_set@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/don't_capture_output_on_error_by_default@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/capture_output_on_error_with_extra_flag_set@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/static_params_should_pass@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/command_with_space_logs_warning@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/unsupported_content_type_error@test/hooks.json.tmpl (0.20s)
    --- PASS: TestWebhook/github@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/github-multi-sig@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/github-multi-sig-fail@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/bitbucket@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/gitlab@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/xml@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/txt-raw@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/payload-json-array@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/slash-in-hook-id@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/multipart@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/issue-471@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/issue-471-and@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/missing-cmd-arg@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/missing-env-arg@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/empty-payload-signature@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/request-source@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/global_disallowed_method@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/disallowed_method@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/empty_payload@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/empty_payload@test/hooks.yaml.tmpl#01 (0.20s)
    --- PASS: TestWebhook/empty_payload@test/hooks.yaml.tmpl#02 (0.20s)
    --- PASS: TestWebhook/don't_capture_output_on_success_by_default@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/capture_output_on_success_with_flag_set@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/don't_capture_output_on_error_by_default@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/capture_output_on_error_with_extra_flag_set@test/hooks.yaml.tmpl (0.21s)
    --- PASS: TestWebhook/static_params_should_pass@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/command_with_space_logs_warning@test/hooks.yaml.tmpl (0.20s)
    --- PASS: TestWebhook/unsupported_content_type_error@test/hooks.yaml.tmpl (0.20s)
PASS
ok      github.com/adnanh/webhook       12.047s

This commit allows webhook to setuid/setgid when running on Linux.

Tested with:

go get -d

CGO_ENABLED=0 go build -ldflags="-s -w"

Correctly compiled, ran, setuid/setgid properly, and answered hook requests.
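The build-constraint change described above re-enables the Unix privilege-drop path on Linux. As an added example that is not webhook's own code (droppriv_unix.go is not reproduced here), the Go program below shows what a careful setuid/setgid step looks like on Linux with Go 1.16 or later, where syscall.Setuid and syscall.Setgid apply to every thread of the process: the group is changed before the user, root is refused as a target, and the outcome is verified by re-reading the credentials rather than trusting the return value alone. The flag names are borrowed from webhook's -setuid/-setgid options; dropStep, planDrop, validateTarget and dropPrivileges are this example's own names.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
	"syscall"
)

// dropStep is one credential change. The order matters: the group is changed
// first, while the process is still root and therefore allowed to call
// setgid; once the user ID has been changed, a later setgid would fail.
type dropStep struct {
	Name string // "setgid" or "setuid"
	ID   int
}

// validateTarget rejects targets that would not reduce privilege or that are
// not valid credentials. Refusing 0 matters because a daemon that "drops" to
// root keeps full privilege while the operator believes otherwise.
func validateTarget(uid, gid int) error {
	if uid < 0 || gid < 0 {
		return errors.New("uid and gid must be non-negative")
	}
	if uid == 0 || gid == 0 {
		return errors.New("refusing to drop to uid/gid 0: that is not a privilege drop")
	}
	return nil
}

// planDrop returns the credential changes in the order they must be applied.
func planDrop(uid, gid int) []dropStep {
	return []dropStep{{Name: "setgid", ID: gid}, {Name: "setuid", ID: uid}}
}

// dropPrivileges applies the plan and then re-reads the process credentials.
// The verification step is the important part for a network-facing daemon:
// a credential change that silently did not take effect would otherwise
// leave it running as root while logging that it had dropped privileges.
func dropPrivileges(uid, gid int) error {
	if err := validateTarget(uid, gid); err != nil {
		return err
	}
	for _, step := range planDrop(uid, gid) {
		var err error
		switch step.Name {
		case "setgid":
			err = syscall.Setgid(step.ID)
		case "setuid":
			err = syscall.Setuid(step.ID)
		}
		if err != nil {
			return fmt.Errorf("%s(%d): %w", step.Name, step.ID, err)
		}
	}
	if syscall.Getuid() != uid || syscall.Geteuid() != uid ||
		syscall.Getgid() != gid || syscall.Getegid() != gid {
		return fmt.Errorf("credentials did not change: uid=%d euid=%d gid=%d egid=%d",
			syscall.Getuid(), syscall.Geteuid(), syscall.Getgid(), syscall.Getegid())
	}
	return nil
}

func main() {
	// Flag names mirror webhook's -setuid/-setgid options; the code behind
	// them here is this example's, not webhook's.
	uid := flag.Int("setuid", 0, "user ID to switch to after startup")
	gid := flag.Int("setgid", 0, "group ID to switch to after startup")
	flag.Parse()

	// In a real daemon the listening socket (including any privileged port)
	// is opened before this point, so the unprivileged user never needs it.
	if err := dropPrivileges(*uid, *gid); err != nil {
		fmt.Fprintln(os.Stderr, "privilege drop failed:", err)
		os.Exit(1)
	}
	fmt.Printf("now running as uid=%d gid=%d\n", syscall.Getuid(), syscall.Getgid())
}
```

Run it as root with -setuid and -setgid pointing at an unprivileged account; an unprivileged process is only permitted to "set" its own real uid and gid, which is exactly what the self-check in the test exercises when it is not running as root.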
@SaschaBrechmannVHV commented:

@adnanh: How about merging this PR? It would be nice to have some more security when running webhook as a Linux service.

@adnanh (Owner) commented Mar 25, 2024

> @adnanh: How about merging this PR? It would be nice to have some more security when running webhook as a Linux service.

I'll check it out as soon as possible

@adnanh (Owner) commented Apr 13, 2024

Hey, thank you for the contribution!

I found a bug in our code while checking this out :)

@adnanh adnanh merged commit 85f244c into adnanh:master Apr 13, 2024
6 checks passed