Fix command exec's WithUid (RunAsUser) when running as self #1682

Merged
merged 1 commit into from
Apr 19, 2024


Micah-Kolide
Contributor

I've been trying to test my new check that uses the kolide_brew_upgradeable table, when I kept hitting an issue in Live Query where all devices returned no results. I could easily get results locally, so I wasn't sure what was going on.

After more testing locally, I saw the error `fork/exec /opt/homebrew/bin/brew: operation not permitted`, and after some digging online I came to this post.

Basically the syscall `SYS_SETGROUPS` requires elevated permissions, so a non-root user attempting to set the groups causes an `EPERM` error. There is a fix inside the `Credential` structure: `NoSetGroups`, but I figured since we are already running as the user, we can just early exit instead of adding that flag.

Outside of this issue, I had thought that the queries in Live Query go through a sudoed instance of launcher, but perhaps I was mistaken on that?
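
The early exit described above, as an added example (not the code merged in this PR and not launcher's own). `credentialFor` and `withUid` are hypothetical names, the refusal when a non-root caller targets another uid is this example's own choice, and a Unix target is assumed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// credentialFor returns the credential to attach to a child process, or nil
// when the child should simply inherit the caller's identity.
func credentialFor(currentUid, targetUid, targetGid uint32) (*syscall.Credential, error) {
	if currentUid == targetUid {
		// Already the target user. Attaching a Credential would make the
		// forked child call setgroups(2), which returns EPERM without root.
		return nil, nil
	}
	if currentUid != 0 {
		// Example's own policy: fail with a clear error instead of letting
		// fork/exec fail later with "operation not permitted".
		return nil, fmt.Errorf("uid %d cannot run a command as uid %d", currentUid, targetUid)
	}
	// Root switching users: leave NoSetGroups false so the child's
	// supplementary groups are reset and root's are not inherited.
	return &syscall.Credential{Uid: targetUid, Gid: targetGid}, nil
}

// withUid (hypothetical helper) applies credentialFor to an exec.Cmd.
func withUid(cmd *exec.Cmd, targetUid, targetGid uint32) error {
	cred, err := credentialFor(uint32(os.Getuid()), targetUid, targetGid)
	if err != nil || cred == nil {
		return err
	}
	if cmd.SysProcAttr == nil {
		cmd.SysProcAttr = &syscall.SysProcAttr{}
	}
	cmd.SysProcAttr.Credential = cred
	return nil
}

func main() {
	// Run "id -u" as ourselves: no Credential is set, so this also works unprivileged.
	cmd := exec.Command("id", "-u")
	if err := withUid(cmd, uint32(os.Getuid()), uint32(os.Getgid())); err != nil {
		fmt.Println("refused:", err)
		return
	}
	out, err := cmd.Output()
	fmt.Printf("uid=%s err=%v\n", out, err)
}
```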

@directionless
Contributor

> Outside of this issue, I had thought that the queries in Live Query go through a sudoed instance of launcher, but perhaps I was mistaken on that?

Sorta, yes. Outside development, launcher runs with root permission. But dev instances are usually running with user credentials.

Contributor

@directionless directionless left a comment

I think this is reasonable. We've done similar elsewhere.

@directionless directionless added this pull request to the merge queue Apr 19, 2024
Merged via the queue into main with commit 227fef9 Apr 19, 2024
32 checks passed
@directionless directionless deleted the micah/fix_running_user_as_self branch April 19, 2024 13:57
@Micah-Kolide
Contributor Author

> > Outside of this issue, I had thought that the queries in Live Query go through a sudoed instance of launcher, but perhaps I was mistaken on that?
>
> Sorta, yes. Outside development, launcher runs with root permission. But dev instances are usually running with user credentials.

I saw this issue in both my dev env and when I tried a real Live Query in prod.
