From e6e89288f8d6fe79d7e982ded9c1347221021e2e Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Mon, 16 Mar 2020 16:20:51 -0400
Subject: [PATCH] 16053: Use setuidgid instead of sudo to drop privileges.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 lib/boot/postgresql.go | 13 +++++++++----
 lib/boot/supervisor.go | 2 +-
 lib/install/deps.go | 1 +
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/lib/boot/postgresql.go b/lib/boot/postgresql.go
index a08180e0c3..df90f36af7 100644
--- a/lib/boot/postgresql.go
+++ b/lib/boot/postgresql.go
@@ -81,8 +81,13 @@ func (runPostgreSQL) Run(ctx context.Context, fail func(error), super *Superviso
 if err != nil {
 return err
 }
-args = append([]string{"-u", "postgres", prog}, args...)
-prog = "sudo"
+// We can't use "sudo -u" here because it creates an
+// intermediate process that interferes with our
+// ability to reliably kill postgres. The setuidgid
+// program just calls exec without forking, so it
+// doesn't have this problem.
+args = append([]string{"postgres", prog}, args...)
+prog = "setuidgid"
 }
 err = super.RunProgram(ctx, super.tempdir, nil, nil, prog, args...)
 if err != nil {
@@ -112,8 +117,8 @@ func (runPostgreSQL) Run(ctx context.Context, fail func(error), super *Superviso
 "-p", super.cluster.PostgreSQL.Connection["port"],
 }
 if iamroot {
-args = append([]string{"-u", "postgres", prog}, args...)
-prog = "sudo"
+args = append([]string{"postgres", prog}, args...)
+prog = "setuidgid"
 }
 fail(super.RunProgram(ctx, super.tempdir, nil, nil, prog, args...))
 }()
diff --git a/lib/boot/supervisor.go b/lib/boot/supervisor.go
index e75de32449..8ef7e6ac1f 100644
--- a/lib/boot/supervisor.go
+++ b/lib/boot/supervisor.go
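Review bot: The new `setuidgid postgres` invocation changes more than the process tree shape the comment describes: unlike `sudo -u`, setuidgid does not reset the environment (postgres now inherits the root supervisor's HOME, PATH and any PG* variables) and, per the daemontools documentation, drops all supplementary groups rather than calling initgroups, so a TLS key made readable through a group such as Debian's ssl-cert would presumably become unreadable. Neither difference is mentioned, and the fourth argument to RunProgram (nil here, presumably env) is the place to pass a sanitized environment if it matters. I'd extend the comment with `// Unlike sudo, setuidgid neither sanitizes the environment nor sets supplementary groups; postgres runs with our env and only its primary group.` Run's body begins before this hunk.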
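Review bot: The privilege-drop wrapping is now duplicated verbatim in this hunk and the initdb path above, so a later adjustment to how privileges are dropped (a different tool, an option for supplementary groups) has to be made in two places and the security-relevant logic can drift. A one-line helper keeps it in one spot: `func asPostgres(prog string, args []string) (string, []string) { return "setuidgid", append([]string{"postgres", prog}, args...) }` called as `prog, args = asPostgres(prog, args)` under `if iamroot`. The enclosing goroutine and Run's body both start outside this hunk.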
@@ -411,7 +411,7 @@ func (super *Supervisor) RunProgram(ctx context.Context, dir string, output io.W
 super.logger.WithField("command", cmdline).WithField("dir", dir).Info("executing")
 logprefix := prog
-if logprefix == "sudo" && len(args) >= 3 && args[0] == "-u" {
+if logprefix == "setuidgid" && len(args) >= 3 {
 logprefix = args[2]
 }
 logprefix = strings.TrimPrefix(logprefix, super.tempdir+"/bin/")
diff --git a/lib/install/deps.go b/lib/install/deps.go
index 50eab6aefb..6f2a2756ae 100644
--- a/lib/install/deps.go
+++ b/lib/install/deps.go
@@ -93,6 +93,7 @@ func (installCommand) RunCommand(prog string, args []string, stdin io.Reader, st
 "cadaver",
 "curl",
 "cython",
+"daemontools", // lib/boot uses setuidgid to drop privileges when running as root
 "fuse",
 "gettext",
 "git",
-- 
2.30.2
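Review bot: The index on the unchanged `logprefix = args[2]` line is now wrong for the new argument layout: the postgresql.go callers build `args` as `[account, prog, ...]`, so the program name is `args[1]`, whereas `args[2]` was only correct for `sudo -u account prog`; as written, the log prefix for every setuidgid-wrapped process becomes the first real argument passed to initdb/postgres, which makes the logs misattribute output. Change the condition to `if logprefix == "setuidgid" && len(args) >= 2 {` and the body to `logprefix = args[1]`. RunProgram's body continues outside this hunk.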