From: Daan De Meyer
Date: Mon, 4 Mar 2024 21:17:33 +0000 (+0100)
Subject: Change user to invoking user for syncing
X-Git-Tag: v21~10^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27277c9b0f2bb9a4323f89f2adadaf2539b2c3e1;p=thirdparty%2Fmkosi.git
Change user to invoking user for syncing
We want to make sure all repository metadata that we cache in the user's cache directory is owned by the invoking user. Let's achieve that by running the sync stuff in a fork and dropping privileges if we're running as root.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 1ac192211..7ab0e1646 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3715,14 +3715,18 @@ def sync_repository_metadata(context: Context) -> None:
 def run_sync(args: Args, config: Config, *, resources: Path) -> None:
+ if os.getuid() == 0:
+ os.setgroups([INVOKING_USER.gid])
+ os.setgid(INVOKING_USER.gid)
+ os.setuid(INVOKING_USER.uid)
+
 if not (p := config.package_cache_dir_or_default()).exists():
- INVOKING_USER.mkdir(p)
+ p.mkdir(parents=True, exist_ok=True)
 subdir = config.distribution.package_manager(config).subdir(config)
 for d in ("cache", "lib"):
- src = config.package_cache_dir_or_default() / d / subdir
- INVOKING_USER.mkdir(src)
+ (config.package_cache_dir_or_default() / d / subdir).mkdir(parents=True, exist_ok=True)
 with (
 complete_step(f"Syncing package manager metadata for {config.name()} image"),
@@ -3745,7 +3749,7 @@ def run_sync(args: Args, config: Config, *, resources: Path) -> None:
 src = config.package_cache_dir_or_default() / "cache" / subdir
 for p in config.distribution.package_manager(config).cache_subdirs(src):
- INVOKING_USER.mkdir(p)
+ p.mkdir(parents=True, exist_ok=True)
 run_sync_scripts(context)
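Review bot: The setgroups/setgid/setuid sequence added at the top of run_sync drops root permanently for whichever process calls it, and nothing in the function records that it must only run in a forked child. The order is right (groups, then gid, then uid), but a direct call would leave the main mkosi process unprivileged for the later build; the run_verb hunk switches both call sites to `fork_and_wait(run_sync, ...)`, so this holds today only by convention. I would add a comment above the check such as `# Irreversibly drops root to the invoking user; call only via fork_and_wait().` Separately, `os.setgroups([INVOKING_USER.gid])` discards the user's supplementary groups, so a cache directory reachable only through one of those would presumably fail after the drop; `os.initgroups()` would keep them if the user name is available here. run_sync's body continues outside the hunk.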
@@ -3871,13 +3875,13 @@ def run_verb(args: Args, images: Sequence[Config], *, resources: Path) -> None:
 )
 if tools and not (tools.output_dir_or_cwd() / tools.output_with_compression).exists():
- run_sync(args, tools, resources=resources)
+ fork_and_wait(run_sync, args, tools, resources=resources)
 fork_and_wait(run_build, args, tools, resources=resources)
 if (config.output_dir_or_cwd() / config.output_with_compression).exists():
 continue
- run_sync(args, config, resources=resources)
+ fork_and_wait(run_sync, args, config, resources=resources)
 fork_and_wait(run_build, args, config, resources=resources)
 build = True