Check for unnecessary privilege escalation (#1743)
Resolves tiny-pilot/tinypilot-pro#1214

<s>Blocked by https://github.com/tiny-pilot/tinypilot/pull/1744</s>
<s>Blocked by https://github.com/tiny-pilot/tinypilot/pull/1745</s>

This PR adds a dev script that checks for possible cases of privilege escalation in tinypilot-writable scripts (i.e., `scripts/`). The script only does a superficial check that root privileges were at least considered by matching on:

> This script doesn't require root privileges.

Example output of `dev-scripts/check-privilege-guard`:

```
$ ./dev-scripts/check-privilege-guard
These files are missing a guard against privilege escalation:
scripts/is-ssh-enabled
scripts/streaming-mode
scripts/update-service
scripts/upgrade
Please add the following check (or similar) to the above scripts:
if [[ "${EUID}" == 0 ]]; then
  >&2 echo "This script doesn't require root privileges."
  >&2 echo 'Please re-run as tinypilot:'
  >&2 echo "  runuser tinypilot --command '$0 $*'"
  exit 1
fi
```

Notes

1. <s>These tinypilot-writable scripts legitimately require root privileges:
   * `scripts/install-bundle`
   * `script/upgrade`

   So they do risk being used for privilege escalation, but they are/should never be executed by privileged scripts on the device. I've also added a superficial check for this too.</s>
2. This PR also fixes the privilege escalation issues that `dev-scripts/check-privilege-guard` has picked up. As a reminder, the fix is a runtime error asking for reduced permissions, which is something we'll only encounter when we physically test the device. So as a result, this PR also tries to avoid those runtime errors by running these identified scripts as `tinypilot` where needed:

   ```
   runuser tinypilot --command '/opt/tinypilot/scripts/some-script'
   ```
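The guard-matching check the commit message describes, written out as an added example (this is not the tinypilot project's own `dev-scripts/check-privilege-guard`). The scripts directory, the `guarded`/`unguarded` file names and their contents are constructed for the demo; the guard text itself is the one quoted above.

```shell
# Added example: report scripts under a directory that lack the
# "doesn't require root privileges" guard. Portable POSIX sh.
GUARD_TEXT="This script doesn't require root privileges."

# Print every regular file under $1 that does not contain the guard text.
# Returns 0 when every script carries the guard, 1 when at least one is missing it.
check_privilege_guard() {
  dir="$1"
  missing=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    if ! grep -qF "$GUARD_TEXT" "$f"; then
      echo "$f"
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample scripts (hypothetical; not files from the tinypilot repo).
# "guarded" carries the recommended EUID check, "unguarded" does not.
make_sample_scripts() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/guarded" <<'EOF'
#!/bin/bash
if [[ "${EUID}" == 0 ]]; then
  >&2 echo "This script doesn't require root privileges."
  >&2 echo 'Please re-run as tinypilot:'
  >&2 echo "  runuser tinypilot --command '$0 $*'"
  exit 1
fi
echo "doing unprivileged work"
EOF
  printf '#!/bin/bash\necho "no guard here"\n' > "$dir/unguarded"
  chmod +x "$dir"/*
}

# Stand-alone run: build the samples in a temp dir and list the offenders.
main() {
  tmp=$(mktemp -d)
  make_sample_scripts "$tmp/scripts"
  if ! check_privilege_guard "$tmp/scripts"; then
    echo "The files above are missing a guard against privilege escalation."
  fi
  rm -rf "$tmp"
}
main
```

Because the check is a plain substring match, a script that merely mentions the sentence in a comment would pass; it confirms the guard was considered, not that it is enforced.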