Skip to content
This repository has been archived by the owner on May 7, 2021. It is now read-only.

Commit

Permalink
Revert "cork: pass through gpg sockets"
Browse files Browse the repository at this point in the history
This reverts commit 02e1f8c.

This should revert it to the state before all the gpg bind mount related
changes.
  • Loading branch information
Andrew Jeddeloh committed Feb 13, 2018
1 parent 9609ada commit e2cd91c
Showing 1 changed file with 23 additions and 27 deletions.
50 changes: 23 additions & 27 deletions sdk/enter.go
Original file line number Diff line number Diff line change
Expand Up @@ -153,65 +153,61 @@ func (e *enter) MountAPI() error {
return nil
}

// MountAgent bind mounts a SSH agent socket into the chroot
func (e *enter) mountSSHAgent() error {
origPath := os.Getenv("SSH_AUTH_SOCK")
// MountAgent bind mounts a SSH or GnuPG agent socket into the chroot
func (e *enter) MountAgent(env string) error {
origPath := os.Getenv(env)
if origPath == "" {
return nil
}

origDir := filepath.Dir(origPath)
origDir, origFile := filepath.Split(origPath)
if _, err := os.Stat(origDir); err != nil {
// Just skip if the agent has gone missing.
return nil
}

newDir := filepath.Join(e.Chroot, origDir)
if err := os.Mkdir(newDir, 0700); err != nil && !os.IsExist(err) {
newDir, err := ioutil.TempDir(e.UserRunDir, "agent-")
if err != nil {
return err
}

return system.Bind(origDir, newDir)
if err := system.Bind(origDir, newDir); err != nil {
return err
}

newPath := filepath.Join(newDir, origFile)
chrootPath := strings.TrimPrefix(newPath, e.Chroot)
return os.Setenv(env, chrootPath)
}

// MountGnupg bind mounts $GNUPGHOME or ~/.gnupg and the agent socket
// if available. The agent is ignored if the home dir isn't available.
func (e *enter) mountGnupg() error {
func (e *enter) MountGnupg() error {
origHome := os.Getenv("GNUPGHOME")
if origHome == "" {
origHome = filepath.Join(e.User.HomeDir, ".gnupg")
}

if _, err := os.Stat(origHome); err != nil {
// Skip but do not bind mount anything
return nil
// Skip but do not pass along $GNUPGHOME
return os.Unsetenv("GNUPGHOME")
}

// gpg misbehaves in the sdk with GNUPGHOME set to anything but ~/.gnupg
// so always unset it so the default ~/.gnupg is used.
if err := os.Unsetenv("GNUPGHOME"); err != nil {
newHome, err := ioutil.TempDir(e.UserRunDir, "gnupg-")
if err != nil {
return err
}

// now mount the agent socket directory through
newHome := filepath.Join(e.Chroot, e.User.HomeDir, ".gnupg")
if err := system.Bind(origHome, newHome); err != nil {
return err
}

// gpg expects the socket at /run/user/$uid/gnupg
origAgentDir := filepath.Join("/run", "user", e.User.Uid, "gnupg")
if _, err := os.Stat(origAgentDir); err != nil {
// Skip but do not bind mount anything
return nil
}

newAgentDir := filepath.Join(e.UserRunDir, "gnupg")
if err := os.Mkdir(newAgentDir, 0700); err != nil && !os.IsExist(err) {
chrootHome := strings.TrimPrefix(newHome, e.Chroot)
if err := os.Setenv("GNUPGHOME", chrootHome); err != nil {
return err
}

return system.Bind(origAgentDir, newAgentDir)
return e.MountAgent("GPG_AGENT_INFO")
}

// CopyGoogleCreds copies a Google credentials JSON file if one exists.
Expand Down Expand Up @@ -369,11 +365,11 @@ func enterChrootHelper(args []string) (err error) {
return err
}

if err := e.mountSSHAgent(); err != nil {
if err := e.MountAgent("SSH_AUTH_SOCK"); err != nil {
return err
}

if err := e.mountGnupg(); err != nil {
if err := e.MountGnupg(); err != nil {
return err
}

Expand Down

0 comments on commit e2cd91c

Please sign in to comment.