buildkitd: allow --group for windows #4875
@@ -5,7 +5,9 @@ package main | |
|
||
import ( | ||
"crypto/tls" | ||
"fmt" | ||
"net" | ||
"strings" | ||
|
||
"github.com/Microsoft/go-winio" | ||
_ "github.com/moby/buildkit/solver/llbsolver/ops" | ||
|
@@ -19,14 +21,18 @@ func listenFD(_ string, _ *tls.Config) (net.Listener, error) { | |
return nil, errors.New("listening server on fd not supported on windows") | ||
} | ||
|
||
func getLocalListener(listenerPath string) (net.Listener, error) { | ||
pc := &winio.PipeConfig{ | ||
func getLocalListener(listenerPath, secDescriptor string) (net.Listener, error) { | ||
if secDescriptor == "" { | ||
// Allow generic read and generic write access to authenticated users | ||
// and system users. On Linux, this pipe seems to be given rw access to | ||
// user, group and others (666). | ||
// TODO(gabriel-samfira): should we restrict access to this pipe to just | ||
// authenticated users? Or Administrators group? | ||
SecurityDescriptor: "D:P(A;;GRGW;;;AU)(A;;GRGW;;;SY)", | ||
secDescriptor = "D:P(A;;GRGW;;;AU)(A;;GRGW;;;SY)" | ||
The default can have just the system user allowed, and we can remove So this can be replaced with: secDescriptor = "D:P(A;;GRGW;;;SY)" Or better yet, the SDDL you have in
This will only be used in Happy to change that but I don't really understand why this default is different than the one in
The bit:
means allow generic read and write for But if the trace controller is not always started, I guess it's fine to leave it as it is. |
||
} | ||
|
||
pc := &winio.PipeConfig{ | ||
SecurityDescriptor: secDescriptor, | ||
} | ||
|
||
listener, err := winio.ListenPipe(listenerPath, pc) | ||
|
@@ -35,3 +41,17 @@ func getLocalListener(listenerPath string) (net.Listener, error) { | |
} | ||
return listener, nil | ||
} | ||
|
||
func groupToSecurityDescriptor(group string) (string, error) { | ||
sddl := "D:P(A;;GA;;;BA)(A;;GA;;;SY)" | ||
if group != "" { | ||
for _, g := range strings.Split(group, ",") { | ||
sid, err := winio.LookupSidByName(g) | ||
if err != nil { | ||
return "", errors.Wrapf(err, "failed to lookup sid for group %s", g) | ||
} | ||
sddl += fmt.Sprintf("(A;;GRGW;;;%s)", sid) | ||
} | ||
} | ||
return sddl, nil | ||
} |
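Review bot: In groupToSecurityDescriptor the loop over `strings.Split(group, ",")` hands each element to LookupSidByName without trimming, so a value such as `Users, Administrators` or one with a trailing comma passes `" Administrators"` or `""` to the lookup, which presumably fails and aborts startup with an error that does not make the cause obvious. Trimming and skipping empty entries at the top of the loop, `g = strings.TrimSpace(g)` followed by `if g == "" { continue }`, keeps the flag forgiving without widening access, and quoting the name in the wrap (`%q` instead of `%s`) makes a stray space visible in the error. The function also deserves a doc comment stating that the base DACL grants full access only to Administrators and SYSTEM and that each listed group receives generic read/write, so a reader knows that setting --group deliberately drops the Authenticated Users grant used by the default descriptor in getLocalListener.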
This will be an interesting config option for users to set 😄, but it's in line with the type of value linux users need to set, and it is correct compared to using group names here.
I think we will mostly expect users to use the `--group` flag.