[sandboxed-tor-browser/master] Mostly revert 7ad0525c601aa45414f56193760e3d08dd9cdae4 - tor-commits

9 Dec 2016

commit 031521f8aebc75fb29d1b02f16125ed4a3d77647
Author: Yawning Angel yawning@schwanenlied.me
Date:   Fri Dec 9 00:49:11 2016 +0000
Mostly revert 7ad0525c601aa45414f56193760e3d08dd9cdae4
I forgot why I didn't do this in the first place, till I remembered that
    all my systems I've been testing on recently have USER_NS in one form or
    another.
---
 data/group                                         |  1 -
 data/passwd                                        |  1 -
 .../internal/sandbox/hugbox.go                     | 22 ++++++++++------------
 3 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/data/group b/data/group
deleted file mode 100644
index cbaebb5..0000000
--- a/data/group
+++ /dev/null
@@ -1 +0,0 @@
-amnesia:x:1000:
diff --git a/data/passwd b/data/passwd
deleted file mode 100644
index bed4f72..0000000
--- a/data/passwd
+++ /dev/null
@@ -1 +0,0 @@
-amnesia:x:1000:1000:Debian Live User,,,:/home/amnesia:/bin/bash
diff --git a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
index 98b2ec7..c52c879 100644
--- a/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
+++ b/src/cmd/sandboxed-tor-browser/internal/sandbox/hugbox.go
@@ -35,7 +35,7 @@ import (
 )
type unshareOpts struct {
-	// user   bool
+	user   bool
    ipc    bool
    pid    bool
    net    bool
@@ -46,10 +46,9 @@ type unshareOpts struct {
 func (u *unshareOpts) toArgs() []string {
    var args []string
-	// A new user namespace is created unconditionally, so that gid/uids
-	// can be normalized.
-	args = append(args, "--unshare-user")
-
+	if u.user {
+		args = append(args, "--unshare-user")
+	}
    if u.ipc {
    	args = append(args, "--unshare-ipc")
    }
@@ -225,11 +224,10 @@ func (h *hugbox) run() (*exec.Cmd, error) {
    if h.chdir != "" {
    	fdArgs = append(fdArgs, "--chdir", h.chdir)
    }
-
-	fdArgs = append(fdArgs, "--uid", "1000")
-	fdArgs = append(fdArgs, "--gid", "1000")
-	h.assetFile("/etc/passwd", "passwd")
-	h.assetFile("/etc/group", "group")
+	passwdBody := fmt.Sprintf("amnesia:x:%d:%d:Debian Live User,,,:/home/amnesia:/bin/bash\n", os.Getuid(), os.Getgid())
+	groupBody := fmt.Sprintf("amnesia:x:%d:\n", os.Getgid())
+	h.file("/etc/passwd", []byte(passwdBody))
+	h.file("/etc/group", []byte(groupBody))
if h.fakeDbus {
    	h.setupDbus()
@@ -373,7 +371,7 @@ type bwrapInfo struct {
 func newHugbox() (*hugbox, error) {
    h := &hugbox{
    	unshare: unshareOpts{
-			// user:   true,
+			user:   false, // No point, not enough USER_NS support.
    		ipc:    true,
    		pid:    true,
    		net:    true,
@@ -382,7 +380,7 @@ func newHugbox() (*hugbox, error) {
    	},
    	hostname:     "amnesia",
    	mountProc:    true,
-		runtimeDir:   filepath.Join("/run", "user", "1000"),
+		runtimeDir:   filepath.Join("/run", "user", fmt.Sprintf("%d", os.Getuid())),
    	homeDir:      "/home/amnesia",
    	pdeathSig:    syscall.SIGTERM,
    	standardLibs: true,

    