Add --add-user to write UID/GID to passwd

2020-01-03 16:16:15 -08:00 · 2020-01-03 16:16:15 -08:00 · 5154ace66d
parent fbdeead461
commit 5154ace66d
3 changed files with 41 additions and 0 deletions
--- a/Dockerfile.in
+++ b/Dockerfile.in
@ -22,7 +22,11 @@ RUN apt-get update \
        openssh-client \
    && rm -rf /var/lib/apt/lists/*

+# By default we will run as this user...
 RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd
+# ...but the user might choose a different UID and pass --add-user
+# which needs to be able to write to /etc/passwd.
+RUN chmod 0666 /etc/passwd

 ADD bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}

--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@ -94,6 +94,8 @@ var flSSHKnownHosts = flag.Bool("ssh-known-hosts", envBool("GIT_KNOWN_HOSTS", tr
 	"enable SSH known_hosts verification")
 var flSSHKnownHostsFile = flag.String("ssh-known-hosts-file", envString("GIT_SSH_KNOWN_HOSTS_FILE", "/etc/git-secret/known_hosts"),
 	"the known_hosts file to use")
+var flAddUser = flag.Bool("add-user", envBool("GIT_SYNC_ADD_USER", false),
+	"add a record to /etc/passwd for the current UID/GID (needed to use SSH with a different UID)")

 var flCookieFile = flag.Bool("cookie-file", envBool("GIT_COOKIE_FILE", false),
 	"use git cookiefile")
@ -241,6 +243,13 @@ func main() {
 		os.Exit(1)
 	}

+	if *flAddUser {
+		if err := addUser(); err != nil {
+			fmt.Fprintf(os.Stderr, "ERROR: can't write to /etc/passwd: %v\n", err)
+			os.Exit(1)
+		}
+	}
+
 	// This context is used only for git credentials initialization. There are no long-running operations like
 	// `git clone`, so initTimeout set to 30 seconds should be enough.
 	ctx, cancel := context.WithTimeout(context.Background(), initTimeout)
@ -390,6 +399,29 @@ func sleepForever() {
 	os.Exit(0)
 }

+// Put the current UID/GID into /etc/passwd so SSH can look it up.  This
+// assumes that we have the permissions to write to it.
+func addUser() error {
+	home := os.Getenv("HOME")
+	if home == "" {
+		cwd, err := os.Getwd()
+		if err != nil {
+			return fmt.Errorf("can't get current working directory: %v", err)
+		}
+		home = cwd
+	}
+
+	f, err := os.OpenFile("/etc/passwd", os.O_APPEND|os.O_WRONLY, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	str := fmt.Sprintf("git-sync:x:%d:%d::%s:/sbin/nologin\n", os.Getuid(), os.Getgid(), home)
+	_, err = f.WriteString(str)
+	return err
+}
+
 // updateSymlink atomically swaps the symlink to point at the specified
 // directory and cleans up the previous worktree.  If there was a previous
 // worktree, this returns the path to it.
--- a/docs/ssh.md
+++ b/docs/ssh.md
@ -103,6 +103,11 @@ that this is a Pod-wide setting, unlike the container `securityContext` above.
      # ...
 ```

+If you want git-sync to run as a different (non-root) UID and GID, you can
+change these last blocks to any UID/GID you like.  SSH demands that the current
+UID be present in /etc/passwd, so in this case you will need to add the
+`--add-user` flag to git-sync's args array.
+
 **Note:** Kubernetes mounts the Secret with permissions 0444 by default (not
 restrictive enough to be used as an SSH key), so make sure you set the
 `defaultMode`.