From d7b1e38cb77e7e5596a2241afeb4efe3cb4eabd3 Mon Sep 17 00:00:00 2001
From: Michael Hobbs
Date: Tue, 22 Dec 2015 11:10:49 -0800
Subject: [PATCH] ensure we run plugin commands as root. closes #1768
---
 Makefile | 4 ++--
 bootstrap.sh | 4 ++--
 dokku | 6 +++++-
 tests/unit/40_plugin.bats | 27 +++++++++++++++++++++++++++
 4 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 724ab66a7be..9afa5027dd8 100644
--- a/Makefile
+++ b/Makefile
@@ -72,10 +72,10 @@ version:
 git describe --tags > ~dokku/VERSION 2> /dev/null || echo '~${DOKKU_VERSION} ($(shell date -uIminutes))' > ~dokku/VERSION
 plugin-dependencies: plugn
- dokku plugin:install-dependencies --core
+ sudo -E dokku plugin:install-dependencies --core
 plugins: plugn docker
- dokku plugin:install --core
+ sudo -E dokku plugin:install --core
 dependencies: apt-update sshcommand plugn docker help2man man-db
 $(MAKE) -e stack
diff --git a/bootstrap.sh b/bootstrap.sh
index 1ac0a260b4f..5b9c6ec3a32 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -90,14 +90,14 @@ elif [[ -n $DOKKU_TAG ]]; then
 elif [[ "$major" -eq "0" ]] && [[ "$minor" -ge "4" ]] && [[ "$patch" -ge "0" ]]; then
 export DOKKU_CHECKOUT="$DOKKU_SEMVER"
 dokku_install_package
- dokku plugin:install-dependencies --core
+ sudo -E dokku plugin:install-dependencies --core
 else
 export DOKKU_CHECKOUT="$DOKKU_TAG"
 dokku_install_source
 fi
 else
 dokku_install_package
- dokku plugin:install-dependencies --core
+ sudo -E dokku plugin:install-dependencies --core
 fi
 }
diff --git a/dokku b/dokku
index c656072f11e..ada80a2e54e 100755
--- a/dokku
+++ b/dokku
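Review bot: `sudo -E` on both changed recipe lines of the Makefile hunk carries the caller's entire environment into the root process that installs plugins and their dependencies, and the same flag is added at both call sites in the bootstrap.sh hunk. Whatever the plugin commands read from the environment is then controlled by the invoking user while running as root, and on hosts whose sudoers policy does not permit preserving the environment `-E` is refused. If only a few variables are actually needed (not visible from these hunks), pass them by name, for example `sudo VAR_NAME="$$VAR_NAME" dokku plugin:install --core` with `VAR_NAME` as a placeholder, or add a comment such as `# -E: plugin install needs the caller's DOKKU_* settings` stating why the full environment is required.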
@@ -49,12 +49,16 @@ if [[ "${args[0]}" =~ ^--.* ]]; then
 fi
 ! has_tty && DOKKU_QUIET_OUTPUT=1
-if [[ $(id -un) != "dokku" && $1 != plugin:*install* && $1 != "plugin:update" ]]; then
+if [[ $(id -un) != "dokku" ]] && [[ ! $1 =~ plugin:* ]]; then
 export SSH_USER=$(id -un)
 sudo -u dokku -E -H $0 "$@"
 exit $?
 fi
+if [[ $(id -un) != "root" && $1 =~ plugin:.* ]]; then
+ dokku_log_fail "plugin:* commands must be run as root"
+fi
+
 if [[ -n "$SSH_ORIGINAL_COMMAND" ]]; then
 export -n SSH_ORIGINAL_COMMAND
 if [[ $1 =~ config-* ]] || [[ $1 =~ docker-options* ]]; then
diff --git a/tests/unit/40_plugin.bats b/tests/unit/40_plugin.bats
index dfa0a849d0b..68da9f2c132 100644
--- a/tests/unit/40_plugin.bats
+++ b/tests/unit/40_plugin.bats
@@ -23,6 +23,11 @@ teardown() {
 echo "status: "$status
 assert_success
+ run bash -c "sudo -E -u nobody dokku plugin:uninstall $TEST_PLUGIN_NAME"
+ echo "output: "$output
+ echo "status: "$status
+ assert_failure
+
 run bash -c "dokku plugin:disable $TEST_PLUGIN_NAME"
 echo "output: "$output
 echo "status: "$status
@@ -43,3 +48,25 @@ teardown() {
 echo "status: "$status
 assert_failure
 }
+
+@test "(plugin) plugin:install, plugin:disable, plugin:uninstall as non-root user failure" {
+ run bash -c "sudo -E -u nobody dokku plugin:install $TEST_PLUGIN_GIT_REPO"
+ echo "output: "$output
+ echo "status: "$status
+ assert_failure
+
+ run bash -c "dokku plugin:install $TEST_PLUGIN_GIT_REPO"
+ echo "output: "$output
+ echo "status: "$status
+ assert_success
+
+ run bash -c "dokku plugin | grep enabled | grep $TEST_PLUGIN_NAME"
+ echo "output: "$output
+ echo "status: "$status
+ assert_success
+
+ run bash -c "sudo -E -u nobody dokku plugin:disable $TEST_PLUGIN_NAME"
+ echo "output: "$output
+ echo "status: "$status
+ assert_failure
+}
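Review bot: The two new conditions on `$1` in the dokku hunk use different, unanchored regexes, so they do not split commands into "re-exec as dokku" and "must be root" cleanly. In `[[ ! $1 =~ plugin:* ]]` the pattern is a regex meaning `plugin` followed by zero or more colons, so any first argument that merely contains `plugin` skips the re-exec as `dokku`, while the guard below only fires on `plugin:`; a bare `plugin` therefore passes both checks and runs as whichever user invoked it. Anchor both tests on the same prefix: `if [[ $(id -un) != "dokku" ]] && [[ ! $1 =~ ^plugin: ]]; then` and `if [[ $(id -un) != "root" && $1 =~ ^plugin: ]]; then`. The guard also relies on `dokku_log_fail` terminating the script, which is defined outside this hunk and worth confirming.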
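Review bot: `assert_failure` after `sudo -E -u nobody dokku plugin:uninstall $TEST_PLUGIN_NAME` passes on any non-zero exit, including sudo itself refusing the invocation, so the test does not show that the new root guard is what rejected the command. The same applies to the two `nobody` cases in the test added by the following hunk. Pin the reason by checking the message after each of those `assert_failure` lines, for example `[[ "$output" == *"must be run as root"* ]]`. The test enclosing the first addition starts above the hunk, and the new test installs the plugin without removing it, so it presumably depends on `teardown` for cleanup.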