diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000..e601c816 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,33 @@ +name: CI + +on: + pull_request: + push: + schedule: + - cron: 0 0 * * 0 + workflow_dispatch: + +defaults: + run: + shell: 'bash -Eeuo pipefail -x {0}' + +jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - run: sudo apt-get update && sudo apt-get install -y --no-install-recommends binfmt-support qemu-user-static + - run: ./build.sh + - run: ./test.sh gosu-amd64 + - run: ./test.sh gosu-i386 + - run: ./test.sh --debian gosu-amd64 + - run: ./test.sh --debian gosu-i386 + - run: docker build --pull --file hub/Dockerfile.alpine hub + - run: docker build --pull --file hub/Dockerfile.debian hub + + - name: govulncheck + run: | + for gosu in gosu-*; do + ./govulncheck-with-excludes.sh -mode=binary "$gosu" + done diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000..6b9311de --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,52 @@ +name: Release + +on: + pull_request: + paths: + - '.github/workflows/release.yml' + - 'govulncheck-with-excludes.sh' + push: + paths: + - '.github/workflows/release.yml' + - 'govulncheck-with-excludes.sh' + schedule: + - cron: 0 0 * * 0 + workflow_dispatch: + +defaults: + run: + shell: 'bash -Eeuo pipefail -x {0}' + +jobs: + test: + name: govulncheck + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: download + run: | + # find and download the latest release for testing + tags="$(git ls-remote --tags https://github.com/tianon/gosu.git | cut -d/ -f3 | cut -d^ -f1 | sort -urV)" + for tag in $tags; do + echo >&2 "checking $tag ..." + url="https://github.com/tianon/gosu/releases/download/$tag" + if wget -O SHA256SUMS "$url/SHA256SUMS" && [ -s SHA256SUMS ]; then + files="$(grep -oE '[ *]gosu-[^.]+$' SHA256SUMS | grep -oE 'gosu-.*$')" + for file in $files; do + wget -O "$file" "$url/$file" + done + if grep -E '[ *]gosu-[^.]+$' SHA256SUMS | sha256sum --strict --check -; then + echo >&2 "success with $tag !" + exit 0 + fi + fi + done + + echo >&2 'error: failed to find latest release' + + - name: govulncheck + run: | + for gosu in gosu-*; do + ./govulncheck-with-excludes.sh -mode=binary "$gosu" + done diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index d86052e3..00000000 --- a/.travis.yml +++ /dev/null @@ -1,9 +0,0 @@ -language: bash -services: - - docker -script: - - ./build.sh - - ./test.sh gosu-amd64 - - ./test.sh gosu-i386 - - ./test.sh --debian gosu-amd64 - - ./test.sh --debian gosu-i386 diff --git a/Dockerfile b/Dockerfile index 2430497e..07e10112 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,63 +1,74 @@ -FROM golang:1.14-alpine3.12 +FROM golang:1.24.6-trixie -RUN apk add --no-cache file - -# disable CGO for ALL THE THINGS (to help ensure no libc) -ENV CGO_ENABLED 0 - -WORKDIR /go/src/github.com/tianon/gosu - -COPY go.mod go.sum ./ RUN set -eux; \ - go mod download; \ - go mod verify - -ENV BUILD_FLAGS="-v -ldflags '-d -s -w'" - -COPY *.go ./ - -# gosu-$(dpkg --print-architecture) + apt-get install --update -y --no-install-recommends \ + arch-test \ + file \ + ; \ + apt-get dist-clean + +# https://github.com/tianon/fake-git +# https://github.com/tianon/fake-git/commits/HEAD +ENV FAKEGIT_COMMIT dc6774bbecc1f72de44d02bfd4385a4e6f45f807 RUN set -eux; \ - eval "GOARCH=amd64 go build $BUILD_FLAGS -o /go/bin/gosu-amd64"; \ - file /go/bin/gosu-amd64; \ - /go/bin/gosu-amd64 --version; \ - /go/bin/gosu-amd64 nobody id; \ - /go/bin/gosu-amd64 nobody ls -l /proc/self/fd + git init /opt/fake-git; \ + git -C /opt/fake-git fetch --depth 1 https://github.com/tianon/fake-git.git "$FAKEGIT_COMMIT:"; \ + git -C /opt/fake-git checkout FETCH_HEAD; \ + ln -svfT /opt/fake-git/fake-git.sh /usr/local/bin/git; \ + hash -r; \ + FAKEGIT_GO_SEMVER='v1.2.3' git --fake -RUN set -eux; \ - eval "GOARCH=386 go build $BUILD_FLAGS -o /go/bin/gosu-i386"; \ - file /go/bin/gosu-i386; \ - /go/bin/gosu-i386 --version; \ - /go/bin/gosu-i386 nobody id; \ - /go/bin/gosu-i386 nobody ls -l /proc/self/fd +# note: we cannot add "-s" here because then "govulncheck" does not work (see SECURITY.md); the ~0.2MiB increase (as of 2022-12-16, Go 1.18) is worth it +ENV BUILD_FLAGS="-v -trimpath -ldflags '-d -w' -buildvcs=true" -RUN set -eux; \ - eval "GOARCH=arm GOARM=5 go build $BUILD_FLAGS -o /go/bin/gosu-armel"; \ - file /go/bin/gosu-armel +# disable CGO for ALL THE THINGS (to help ensure no libc) +ENV CGO_ENABLED 0 RUN set -eux; \ - eval "GOARCH=arm GOARM=6 go build $BUILD_FLAGS -o /go/bin/gosu-armhf"; \ - file /go/bin/gosu-armhf + { \ + echo '#!/usr/bin/env bash'; \ + echo 'set -Eeuo pipefail -x'; \ +# this scrapes our raw version number out of "version.go" (which we then use as our "commit ref" so it's "vcs.revision" in our metadata, and "cross-grade" to semver below for our fake tag so Go thinks we have a version number worth including) + echo 'FAKEGIT_GO_REVISION="$(grep -oEm1 "[0-9][0-9.+a-z-]+" version.go)"'; \ +# validate our assumptions about the above version number + echo 'grep <<<"$FAKEGIT_GO_REVISION" -E "^[0-9]+[.][0-9]+\$"'; \ +# Go *requires* semver, which is silly, but outside our control, so this takes our version numbers like "1.2" and "cross-grades" them to be like "v1.2.0", per (Go's implementation of) semver (and the VCS implementation is even stricter and requires the full triplet) + echo 'FAKEGIT_GO_SEMVER="v${FAKEGIT_GO_REVISION}.0"'; \ + echo 'export FAKEGIT_GO_REVISION FAKEGIT_GO_SEMVER'; \ + echo 'eval "go build $BUILD_FLAGS -o /go/bin/gosu-$ARCH" github.com/tianon/gosu'; \ + echo 'if go version -m "/go/bin/gosu-$ARCH" |& tee "/proc/$$/fd/1" | grep "(devel)" >&2; then exit 1; fi'; \ + echo 'file "/go/bin/gosu-$ARCH"'; \ + echo 'if arch-test "$ARCH"; then'; \ +# there's a fun QEMU + Go 1.18+ bug that causes our binaries (especially on ARM arches) to hang indefinitely *sometimes*, hence the "timeout" and looping here + echo ' try() { for (( i = 0; i < 30; i++ )); do if timeout 1s "$@"; then return 0; fi; done; return 1; }'; \ + echo ' try "/go/bin/gosu-$ARCH" --version'; \ + echo ' try "/go/bin/gosu-$ARCH" nobody id'; \ + echo ' try "/go/bin/gosu-$ARCH" nobody ls -l /proc/self/fd'; \ + echo 'fi'; \ + } > /usr/local/bin/gosu-build-and-test.sh; \ + chmod +x /usr/local/bin/gosu-build-and-test.sh -# boo Raspberry Pi, making life hard (armhf-is-v7 vs armhf-is-v6 ...) -#RUN set -eux; \ -# eval "GOARCH=arm GOARM=7 go build $BUILD_FLAGS -o /go/bin/gosu-armhf"; \ -# file /go/bin/gosu-armhf - -RUN set -eux; \ - eval "GOARCH=arm64 go build $BUILD_FLAGS -o /go/bin/gosu-arm64"; \ - file /go/bin/gosu-arm64 +WORKDIR /go/src/github.com/tianon/gosu -RUN set -eux; \ - eval "GOARCH=mips64le go build $BUILD_FLAGS -o /go/bin/gosu-mips64el"; \ - file /go/bin/gosu-mips64el +# satisfy Go's need for ".git" to invoke "git" (or in our case, "fake-git.sh") +RUN mkdir .git # ("touch .git" should be enough here, but Go insists it be a directory even though Git worktrees are a thing and have ".git" as a file) -RUN set -eux; \ - eval "GOARCH=ppc64le go build $BUILD_FLAGS -o /go/bin/gosu-ppc64el"; \ - file /go/bin/gosu-ppc64el +COPY go.mod go.sum ./ +RUN go mod download -RUN set -eux; \ - eval "GOARCH=s390x go build $BUILD_FLAGS -o /go/bin/gosu-s390x"; \ - file /go/bin/gosu-s390x +COPY *.go ./ -RUN set -eux; ls -lAFh /go/bin/gosu-*; file /go/bin/gosu-* +# gosu-$(dpkg --print-architecture) +RUN ARCH=amd64 GOARCH=amd64 gosu-build-and-test.sh +RUN ARCH=i386 GOARCH=386 gosu-build-and-test.sh +RUN ARCH=armel GOARCH=arm GOARM=5 gosu-build-and-test.sh +RUN ARCH=armhf GOARCH=arm GOARM=6 gosu-build-and-test.sh +#RUN ARCH=armhf GOARCH=arm GOARM=7 gosu-build-and-test.sh # boo Raspberry Pi, making life hard (armhf-is-v7 vs armhf-is-v6 ...) +RUN ARCH=arm64 GOARCH=arm64 gosu-build-and-test.sh +RUN ARCH=mips64el GOARCH=mips64le gosu-build-and-test.sh +RUN ARCH=ppc64el GOARCH=ppc64le gosu-build-and-test.sh +RUN ARCH=riscv64 GOARCH=riscv64 gosu-build-and-test.sh +RUN ARCH=s390x GOARCH=s390x gosu-build-and-test.sh +RUN ARCH=loong64 GOARCH=loong64 gosu-build-and-test.sh + +RUN set -eux; go version -m /go/bin/gosu-*; ls -lAFh /go/bin/gosu-*; file /go/bin/gosu-* diff --git a/Dockerfile.test-alpine b/Dockerfile.test-alpine index 9fb4e64d..b2d517ab 100644 --- a/Dockerfile.test-alpine +++ b/Dockerfile.test-alpine @@ -1,7 +1,7 @@ -FROM alpine:3.12 +FROM alpine:3.22 # add "nobody" to ALL groups (makes testing edge cases more interesting) -RUN cut -d: -f1 /etc/group | xargs -n1 addgroup nobody +RUN cut -d: -f1 /etc/group | xargs -rtn1 addgroup nobody RUN { \ echo '#!/bin/sh'; \ @@ -25,6 +25,7 @@ COPY gosu /usr/local/bin/ # adjust users so we can make sure the tests are interesting RUN chgrp nobody /usr/local/bin/gosu \ && chmod +s /usr/local/bin/gosu +ENV GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES="I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die." USER nobody ENV HOME /omg/really/gosu/nowhere # now we should be nobody, ALL groups, and have a bogus useless HOME value diff --git a/Dockerfile.test-debian b/Dockerfile.test-debian index 5ffaeae9..4efde06e 100644 --- a/Dockerfile.test-debian +++ b/Dockerfile.test-debian @@ -1,7 +1,7 @@ -FROM debian:buster-slim +FROM debian:bookworm-slim # add "nobody" to ALL groups (makes testing edge cases more interesting) -RUN cut -d: -f1 /etc/group | xargs -n1 -I'{}' usermod -aG '{}' nobody +RUN cut -d: -f1 /etc/group | xargs -rtI'{}' usermod -aG '{}' nobody # emulate Alpine's "games" user (which is part of the "users" group) RUN usermod -aG users games @@ -27,6 +27,7 @@ COPY gosu /usr/local/bin/ # adjust users so we can make sure the tests are interesting RUN chgrp nogroup /usr/local/bin/gosu \ && chmod +s /usr/local/bin/gosu +ENV GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES="I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die." USER nobody ENV HOME /omg/really/gosu/nowhere # now we should be nobody, ALL groups, and have a bogus useless HOME value diff --git a/INSTALL.md b/INSTALL.md index bd9d83cb..0ddf8011 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -8,29 +8,20 @@ We assume installation inside Docker (probably not the right tool for most use-c ```dockerfile RUN set -eux; \ - apt-get update; \ - apt-get install -y gosu; \ - rm -rf /var/lib/apt/lists/*; \ + apt-get install --update -y gosu; \ + apt-get dist-clean; \ # verify that the binary works gosu nobody true ``` -Older Debian releases (or newer `gosu` releases): +Newer `gosu` releases: ```dockerfile -ENV GOSU_VERSION 1.12 +ENV GOSU_VERSION 1.19 RUN set -eux; \ # save list of currently installed packages for later so we can clean up savedAptMark="$(apt-mark showmanual)"; \ - apt-get update; \ - apt-get install -y --no-install-recommends ca-certificates wget; \ - if ! command -v gpg; then \ - apt-get install -y --no-install-recommends gnupg2 dirmngr; \ - elif gpg --version | grep -q '^gpg (GnuPG) 1\.'; then \ -# "This package provides support for HKPS keyservers." (GnuPG 1.x only) - apt-get install -y --no-install-recommends gnupg-curl; \ - fi; \ - rm -rf /var/lib/apt/lists/*; \ + apt-get install --update -y --no-install-recommends ca-certificates gnupg wget; \ \ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ @@ -40,13 +31,14 @@ RUN set -eux; \ export GNUPGHOME="$(mktemp -d)"; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - command -v gpgconf && gpgconf --kill all || :; \ + gpgconf --kill all; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ \ # clean up fetch dependencies apt-mark auto '.*' > /dev/null; \ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + apt-get dist-clean; \ \ chmod +x /usr/local/bin/gosu; \ # verify that the binary works @@ -54,12 +46,12 @@ RUN set -eux; \ gosu nobody true ``` -## `FROM alpine` (3.7+) +Note: on Debian versions older than Trixie, you'll need to swap `apt-get dist-clean` for `rm -rf /var/lib/apt/lists/*` and remove `--update` in favor of an explicit pre-call to `apt-get update`. -**Note:** when using Alpine, it's probably also worth checking out [`su-exec`](https://github.com/ncopa/su-exec) (`apk add --no-cache su-exec`) instead, which since version 0.2 is fully `gosu`-compatible in a fraction of the file size. +## `FROM alpine` (3.7+) ```dockerfile -ENV GOSU_VERSION 1.12 +ENV GOSU_VERSION 1.19 RUN set -eux; \ \ apk add --no-cache --virtual .gosu-deps \ @@ -76,7 +68,7 @@ RUN set -eux; \ export GNUPGHOME="$(mktemp -d)"; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - command -v gpgconf && gpgconf --kill all || :; \ + gpgconf --kill all; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ \ # clean up fetch dependencies @@ -87,3 +79,46 @@ RUN set -eux; \ gosu --version; \ gosu nobody true ``` + +## `FROM centos|oraclelinux|...|ubi|...` (RPM-based distro) + +```dockerfile +ENV GOSU_VERSION 1.19 +RUN set -eux; \ + \ + rpmArch="$(rpm --query --queryformat='%{ARCH}' rpm)"; \ + case "$rpmArch" in \ + aarch64) dpkgArch='arm64' ;; \ + armv[67]*) dpkgArch='armhf' ;; \ + i[3456]86) dpkgArch='i386' ;; \ + ppc64le) dpkgArch='ppc64el' ;; \ + riscv64 | s390x | loongarch64) dpkgArch="$rpmArch" ;; \ + x86_64) dpkgArch='amd64' ;; \ + *) echo >&2 "error: unknown/unsupported architecture '$rpmArch'"; exit 1 ;; \ + esac; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + \ +# verify the signature + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ + chmod +x /usr/local/bin/gosu; \ +# verify that the binary works + gosu --version; \ + gosu nobody true +``` + +Notes: + +- `gosu`'s `armhf` builds are ARMv6 (not ARMv7 as they might be in Debian proper) thanks to Raspbian, hence the `armv6` allowance above +- `rpm` architecture values sourced from https://rpmfind.net/linux/rpm2html/search.php?query=rpm + +## Others / Lazy Method + +```dockerfile +COPY --from=tianon/gosu /gosu /usr/local/bin/ +``` diff --git a/LICENSE b/LICENSE index 94a9ed02..d6456956 100644 --- a/LICENSE +++ b/LICENSE @@ -1,674 +1,202 @@ - GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU General Public License is a free, copyleft license for -software and other kinds of works. - - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -the GNU General Public License is intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. We, the Free Software Foundation, use the -GNU General Public License for most of our software; it applies also to -any other work released this way by its authors. You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - To protect your rights, we need to prevent others from denying you -these rights or asking you to surrender the rights. Therefore, you have -certain responsibilities if you distribute copies of the software, or if -you modify it: responsibilities to respect the freedom of others. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must pass on to the recipients the same -freedoms that you received. You must make sure that they, too, receive -or can get the source code. And you must show them these terms so they -know their rights. - - Developers that use the GNU GPL protect your rights with two steps: -(1) assert copyright on the software, and (2) offer you this License -giving you legal permission to copy, distribute and/or modify it. - - For the developers' and authors' protection, the GPL clearly explains -that there is no warranty for this free software. For both users' and -authors' sake, the GPL requires that modified versions be marked as -changed, so that their problems will not be attributed erroneously to -authors of previous versions. - - Some devices are designed to deny users access to install or run -modified versions of the software inside them, although the manufacturer -can do so. This is fundamentally incompatible with the aim of -protecting users' freedom to change the software. The systematic -pattern of such abuse occurs in the area of products for individuals to -use, which is precisely where it is most unacceptable. Therefore, we -have designed this version of the GPL to prohibit the practice for those -products. If such problems arise substantially in other domains, we -stand ready to extend this provision to those domains in future versions -of the GPL, as needed to protect the freedom of users. - - Finally, every program is threatened constantly by software patents. -States should not allow patents to restrict development and use of -software on general-purpose computers, but in those that do, we wish to -avoid the special danger that patents applied to a free program could -make it effectively proprietary. To prevent this, the GPL assures that -patents cannot be used to render the program non-free. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. - - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. - - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. - - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. - - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. - - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. - - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. - - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. - - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. - - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. - - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. - - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Use with the GNU Affero General Public License. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU Affero General Public License into a single -combined work, and to convey the resulting work. The terms of this -License will continue to apply to the part which is the covered work, -but the special requirements of the GNU Affero General Public License, -section 13, concerning interaction through a network will apply to the -combination as such. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -Also add information on how to contact you by electronic and paper mail. - - If the program does terminal interaction, make it output a short -notice like this when it starts in an interactive mode: - - Copyright (C) - This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, your program's commands -might be different; for a GUI interface, you would use an "about box". - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU GPL, see -. - - The GNU General Public License does not permit incorporating your program -into proprietary programs. If your program is a subroutine library, you -may consider it more useful to permit linking proprietary applications with -the library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. But first, please read -. + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index b5bcf34e..7221d906 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,5 @@ # gosu -[![Build Status](https://travis-ci.org/tianon/gosu.svg)](https://travis-ci.org/tianon/gosu) - This is a simple tool grown out of the simple fact that `su` and `sudo` have very strange and often annoying TTY and signal-forwarding behavior. They're also somewhat complex to setup and use (especially in the case of `sudo`), which allows for a great deal of expressivity, but falls flat if all you need is "run this specific application as this specific user and get out of the pipeline". The core of how `gosu` works is stolen directly from how Docker/libcontainer itself starts an application inside a container (and in fact, is using the `/etc/passwd` processing code directly from libcontainer's codebase). @@ -54,15 +52,21 @@ root 1 0.0 0.0 7140 768 ? Rs+ 02:22 0:00 ps aux Additionally, due to the fact that `gosu` is using Docker's own code for processing these `user:group`, it has exact 1:1 parity with Docker's own `--user` flag. -If you're curious about the edge cases that `gosu` handles, see [`Dockerfile.test`](Dockerfile.test) for the "test suite" (and the associated [`test.sh`](test.sh) script that wraps this up for testing arbitrary binaries). +If you're curious about the edge cases that `gosu` handles, see [`Dockerfile.test-alpine`](Dockerfile.test-alpine) for the "test suite" (and the associated [`test.sh`](test.sh) script that wraps this up for testing arbitrary binaries). -(Note that `sudo` has different goals from this project, and it is *not* intended to be a `sudo` replacement; for example, see [this Stack Overflow answer](https://stackoverflow.com/a/48105623) for a short explanation of why `sudo` does `fork`+`exec` instead of just `exec`.) +(Note that `sudo` has different goals from this project, and it is *not* intended to be a `sudo` replacement; for example, see [this Stack Overflow answer](https://stackoverflow.com/a/48105623/433558) for a short explanation of why `sudo` does `fork`+`exec` instead of just `exec`.) ## Alternatives -### `su-exec` +### `setpriv` + +Available in newer `util-linux` (`>= 2.32.1-0.2`, in Debian; https://manpages.debian.org/buster/util-linux/setpriv.1.en.html): -As mentioned in `INSTALL.md`, [`su-exec`](https://github.com/ncopa/su-exec) is a very minimal re-write of `gosu` in C, making for a much smaller binary, and is available in the `main` Alpine package repository. +```console +$ docker run -it --rm buildpack-deps:buster-scm setpriv --reuid=nobody --regid=nogroup --init-groups ps faux +USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND +nobody 1 5.0 0.0 9592 1252 pts/0 RNs+ 23:21 0:00 ps faux +``` ### `chroot` @@ -74,15 +78,9 @@ USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND nobody 1 5.0 0.0 7136 756 ? Rs+ 17:04 0:00 ps aux ``` -### `setpriv` - -Available in newer `util-linux` (`>= 2.32.1-0.2`, in Debian; https://manpages.debian.org/buster/util-linux/setpriv.1.en.html): +### `su-exec` -```console -$ docker run -it --rm buildpack-deps:buster-scm setpriv --reuid=nobody --regid=nogroup --init-groups ps faux -USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND -nobody 1 5.0 0.0 9592 1252 pts/0 RNs+ 23:21 0:00 ps faux -``` +In the Alpine Linux ecosystem, [`su-exec`](https://github.com/ncopa/su-exec) is a minimal re-write of `gosu` in C, making for a much smaller binary, and is available in the `main` Alpine package repository. Versions older than 0.3 had [a pretty severe parser bug](https://github.com/ncopa/su-exec/pull/26), so make sure you're using version 0.3 or above. ### Others diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..3610ffba --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,23 @@ +# CVEs + +This project does not rebuild/release to "fix" CVEs which do not apply to actual builds of `gosu`. For example, this includes any CVE in Go which applies to interfaces that `gosu` does not ever invoke, such as `net/http`, `archive/tar`, `encoding/xml`, etc. + +Before reporting that `gosu` is "vulnerable" to a particular CVE, please run our [`./govulncheck-with-excludes.sh`](govulncheck-with-excludes.sh) wrapper around [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) to determine whether the latest release is *actually* using the vulnerable functionality. See [this excellent blog post](https://go.dev/blog/vuln) from the Go team for more information about the `govulncheck` tool and the methodology by which it is maintained. + +If you have a tool which is reporting that `gosu` is vulnerable to a particular CVE but `govulncheck` does not agree, **please** report this as a false positive to your CVE scanning vendor so that they can improve their tooling. (If you wish to verify that your reported CVE is part of `govulncheck`'s dataset and thus covered by their tool, you can check [the vulndb repository](https://github.com/golang/vulndb) where they track those.) + +Our `govulncheck` wrapper script ([`govulncheck-with-excludes.sh`](govulncheck-with-excludes.sh)) may include a small set of vulnerabilities that will be reported by `govulncheck` which do not apply (due to other mitigations or otherwise). See comments in that script for details. + +## Version Updates + +Similar to the how traditional Linux distributions such as Debian handle rebuilding binaries between stable releases / for updated compilers (or rather, the situations and reasons for which they do *not* do so), and in the same spirit as the above CVE policy and [Go's "Minimal Version Selection"](https://research.swtch.com/vgo-mvs), we do *not* update the compiler/rebuild with a newer compiler unless there is a compelling functional or security reason in the code that ends up as part of the `gosu` binary that warrants doing so. + +As above, if you have a "security scanning" tool which does not agree with this policy, please take that up with your scanning tool vendor (report as a false positive, improve the tool to use `govulncheck`, etc). + +# Reporting Vulnerabilities + +The surface area of `gosu` itself is really limited -- it only directly contains a small amount of Go code to instrument an interface that is part of [`github.com/moby/sys/user` (the Docker Engine's `--user` parsing code, to be exact)](https://github.com/moby/sys/tree/main/user) (and which itself is a pretty limited interface) intended for providing the same behavior as Docker's `--user` flag (switching from `root` to a less privileged user), but from within an already running container. + +If you believe you have found a new vulnerability in `gosu`, chances are very high that it's actually a vulnerability in `github.com/moby/sys/user` or `golang.org/x/sys`, and should be [reported appropriately and responsibly](https://github.com/moby/moby/blob/HEAD/SECURITY.md). + +After all this, if you still believe you have discovered a novel vulnerability in the limited code that is `gosu` itself, please [use GitHub's (private) advisory reporting feature](https://github.com/tianon/gosu/security/advisories/new) to responsibly report it. diff --git a/go.mod b/go.mod index f97c934b..9f8577f6 100644 --- a/go.mod +++ b/go.mod @@ -1,5 +1,8 @@ module github.com/tianon/gosu -go 1.14 +go 1.20 -require github.com/opencontainers/runc v1.0.0-rc92 +require ( + github.com/moby/sys/user v0.1.0 + golang.org/x/sys v0.1.0 +) diff --git a/go.sum b/go.sum index e1c90b7d..dea95ab1 100644 --- a/go.sum +++ b/go.sum @@ -1,56 +1,4 @@ -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= -github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc= -github.com/containerd/console v1.0.0/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= -github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= -github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/moby/sys/mountinfo v0.1.3/go.mod h1:w2t2Avltqx8vE7gX5l+QiBKxODu2TX0+Syr3h52Tw4o= -github.com/mrunalp/fileutils v0.0.0-20200520151820-abd8a0e76976/go.mod h1:x8F1gnqOkIEiO4rqoeEEEqQbo7HjGMTvyoq3gej4iT0= -github.com/opencontainers/runc v1.0.0-rc92 h1:+IczUKCRzDzFDnw99O/PAqrcBBCoRp9xN3cB1SYSNS4= -github.com/opencontainers/runc v1.0.0-rc92/go.mod h1:X1zlU4p7wOlX4+WRCz+hvlRv8phdL7UqbYD+vQwNMmE= -github.com/opencontainers/runtime-spec v1.0.3-0.20200728170252-4d89ac9fbff6/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= -github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= -github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1 h1:sIky/MyNRSHTrdxfsiUSS4WIAMvInbeXljJz+jDjeYE= -golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg= +github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= diff --git a/govulncheck-with-excludes.sh b/govulncheck-with-excludes.sh new file mode 100755 index 00000000..27eb74fc --- /dev/null +++ b/govulncheck-with-excludes.sh @@ -0,0 +1,89 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# a wrapper / replacement for "govulncheck" which allows for excluding vulnerabilities +# (https://github.com/golang/go/issues/59507) + +excludeVulns="$(jq -nc '[ + + # fixed in Go 1.20.5+ + # https://pkg.go.dev/vuln/GO-2023-1840 + # we already mitigate setuid in our code + "GO-2023-1840", "CVE-2023-29403", + # (https://github.com/tianon/gosu/issues/128#issuecomment-1607803883) + + empty # trailing comma hack (makes diffs smaller) +]')" +export excludeVulns + +if ! command -v govulncheck > /dev/null; then + govulncheck() { + local user; user="$(id -u):$(id -g)" + local args=( + --rm --interactive --init + --user "$user" + --env HOME=/tmp + --env GOPATH=/tmp/go + --volume govulncheck:/tmp + --env CGO_ENABLED=0 + --mount "type=bind,src=$PWD,dst=/wd,ro" + --workdir /wd + "${GOLANG_IMAGE:-golang:latest}" + sh -euc ' + # https://github.com/golang/vuln/releases + # (pinning version to avoid format changes like https://github.com/tianon/gosu/issues/144 surprising us unexpectedly) + go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 > /dev/null + exec "$GOPATH/bin/govulncheck" "$@" + ' -- + ) + docker run "${args[@]}" "$@" + } +fi + +if out="$(govulncheck "$@")"; then + printf '%s\n' "$out" + exit 0 +fi + +json="$(govulncheck -json "$@")" + +vulns="$(jq <<<"$json" -cs ' + ( + map( + .osv // empty + | { key: .id, value: . } + ) + | from_entries + ) as $meta + # https://github.com/tianon/gosu/issues/144 + | map( + .finding // empty + # https://github.com/golang/vuln/blob/3740f5cb12a3f93b18dbe200c4bcb6256f8586e2/internal/scan/template.go#L97-L104 + | select((.trace[0].function // "") != "") + | .osv + ) + | unique + | map($meta[.]) +')" +if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then + printf '%s\n' "$out" + exit 1 +fi + +filtered="$(jq <<<"$vulns" -c ' + (env.excludeVulns | fromjson) as $exclude + | map(select( + .id as $id + | $exclude | index($id) | not + )) +')" + +text="$(jq <<<"$filtered" -r 'map("- \(.id) (aka \(.aliases | join(", ")))\n\n\t\(.details | gsub("\n"; "\n\t"))") | join("\n\n")')" + +if [ -z "$text" ]; then + printf 'No vulnerabilities found.\n' + exit 0 +else + printf '%s\n' "$text" + exit 1 +fi diff --git a/hub/Dockerfile.alpine b/hub/Dockerfile.alpine new file mode 100644 index 00000000..2b028bb1 --- /dev/null +++ b/hub/Dockerfile.alpine @@ -0,0 +1,21 @@ +FROM alpine:3.22 + +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.19 + +RUN set -eux; \ + apk add --no-cache --virtual .fetch-deps dpkg gnupg; \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; unset GNUPGHOME; \ + apk del --no-network .fetch-deps; \ + chmod +x /usr/local/bin/gosu; \ + gosu --version; \ + gosu nobody true; \ +# hard link to / for ease of COPY --from + ln -v /usr/local/bin/gosu / diff --git a/hub/Dockerfile.debian b/hub/Dockerfile.debian new file mode 100644 index 00000000..c83de5a6 --- /dev/null +++ b/hub/Dockerfile.debian @@ -0,0 +1,25 @@ +FROM debian:trixie-slim + +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.19 + +RUN set -eux; \ + savedAptMark="$(apt-mark showmanual)"; \ + apt-get install --update -y --no-install-recommends ca-certificates dirmngr gnupg wget; \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; unset GNUPGHOME; \ + apt-mark auto '.*' > /dev/null; \ + [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + apt-get dist-clean; \ + chmod +x /usr/local/bin/gosu; \ + gosu --version; \ + gosu nobody true; \ +# hard link to / for ease of COPY --from + ln -v /usr/local/bin/gosu / diff --git a/hub/gsl.sh b/hub/gsl.sh new file mode 100755 index 00000000..120e75b2 --- /dev/null +++ b/hub/gsl.sh @@ -0,0 +1,102 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +preferredOrder=( alpine debian ) + +dir="$(dirname "$BASH_SOURCE")" +cd "$dir" + +commit="$(git log -1 --format='format:%H' HEAD -- .)" + +version= +i=0; jq=; froms=() +for variant in "${preferredOrder[@]}"; do + from="$(awk 'toupper($1) == "FROM" { print $2; exit }' "Dockerfile.$variant")" # TODO multi-stage? + variantVersion="$(awk 'toupper($1) == "ENV" && toupper($2) == "GOSU_VERSION" { print $3; exit }' "Dockerfile.$variant")" + version="${version:-$variantVersion}" + if [ "$version" != "$variantVersion" ]; then + echo >&2 "error: mismatched version in '$variant' ('$version' vs '$variantVersion')" + exit 1 + fi + jq="${jq:+$jq, }$variant: (.[$i] | { ref: .ref, arches: .arches | keys_unsorted })" + froms["$i"]="$from" + (( i++ )) || : +done +arches="$(bashbrew remote arches --json "${froms[@]}" | jq -sc "{ $jq }")" # { alpine: [ "amd64", ... ], debian: [ "amd64", ... ] } + +exec jq <<<"$arches" -r --arg commit "$commit" --arg version "$version" ' + map_values(select(.arches | length > 0)) + | keys_unsorted as $variants + | with_entries(.value |= .arches) as $variantArches + | ($variantArches | add | unique) as $arches + | with_entries(.value |= ( + .ref + | sub("^(docker[.]io/(library/)?)?"; "") + | split(":") + | if .[0] == "alpine" then + join("") # alpine3.20, etc + elif .[0] == "debian" or .[0] == "ubuntu" then + .[1] | split("-")[0] # "bookworm", etc + else empty end + )) as $variantAlias + | ( + reduce ( + to_entries[] + | { + variant: .key, + arch: .value.arches[], + } + ) as $m ({}; + if has($m.arch) then . else + .[$m.arch] = $m.variant + end + ) + ) as $archVariants + | [ + { + Maintainers: "Tianon Gravi (@tianon)", + GitRepo: "https://github.com/tianon/gosu.git", + GitCommit: $commit, + Directory: "hub", + Builder: "buildkit", + }, + + reduce $arches[] as $arch ( + { + Tags: [ $version, "latest" ], + Architectures: $arches, + File: "Dockerfile.\($variants[0])", + }; + if has($arch + "-File") then . else + "Dockerfile.\($archVariants[$arch])" as $df + | if $df == .File then . else + .[$arch + "-File"] = $df + end + end + ), + + ( + $variants[] + | $variantAlias[.] as $alias + | { + Tags: [ "\($version)-\(.)", ., "\($version)-\($alias // empty)", $alias // empty ], + Architectures: $variantArches[.], + File: "Dockerfile.\(.)", + }, + + ( + . as $variant + | $variantArches[.][] + | { + Tags: [ "\($variant)-\(.)", "\($alias // empty)-\(.)", if $archVariants[.] == $variant then . else empty end ], + Architectures: ., + File: "Dockerfile.\($variant)", + } + ) + ), + + empty + ] + | map(to_entries | map(.key + ": " + ([ .value ] | flatten | join(", "))) | join("\n")) + | join("\n\n") +' diff --git a/main.go b/main.go index 95b3a6dd..7eb3d47a 100644 --- a/main.go +++ b/main.go @@ -1,16 +1,10 @@ package main // import "github.com/tianon/gosu" import ( - "bytes" - "fmt" - "log" "os" "os/exec" - "path/filepath" "runtime" - "strings" "syscall" - "text/template" ) func init() { @@ -20,61 +14,74 @@ func init() { } func version() string { - return fmt.Sprintf(`%s (%s on %s/%s; %s)`, Version, runtime.Version(), runtime.GOOS, runtime.GOARCH, runtime.Compiler) + // 1.17 (go1.18.2 on linux/amd64; gc) + return Version + ` (` + runtime.Version() + ` on ` + runtime.GOOS + `/` + runtime.GOARCH + `; ` + runtime.Compiler + `)` } func usage() string { - t := template.Must(template.New("usage").Parse(` -Usage: {{ .Self }} user-spec command [args] - eg: {{ .Self }} tianon bash - {{ .Self }} nobody:root bash -c 'whoami && id' - {{ .Self }} 1000:1 id + self := os.Args[0] + v := version() + t := ` +Usage: ` + self + ` user-spec command [args] + eg: ` + self + ` tianon bash + ` + self + ` nobody:root bash -c 'whoami && id' + ` + self + ` 1000:1 id -{{ .Self }} version: {{ .Version }} -{{ .Self }} license: GPL-3 (full text at https://github.com/tianon/gosu) -`)) - var b bytes.Buffer - template.Must(t, t.Execute(&b, struct { - Self string - Version string - }{ - Self: filepath.Base(os.Args[0]), - Version: version(), - })) - return strings.TrimSpace(b.String()) + "\n" +` + self + ` version: ` + v + ` +` + self + ` license: Apache-2.0 (full text at https://github.com/tianon/gosu) +` + return t[1:] +} + +func exit(code int, w *os.File, ss ...string) { + for i, s := range ss { + if i > 0 { + w.Write([]byte{' '}) + } + w.Write([]byte(s)) + } + w.Write([]byte{'\n'}) + os.Exit(code) } func main() { - log.SetFlags(0) // no timestamps on our logs + if ok := os.Getenv("GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES"); ok != "I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die." { + if fi, err := os.Stat("/proc/self/exe"); err != nil { + exit(1, os.Stderr, "error:", err.Error()) + } else if mode := fi.Mode(); mode&os.ModeSetuid != 0 { + // ... oh no + exit(1, os.Stderr, "error:", os.Args[0], "appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')") + } else if mode&os.ModeSetgid != 0 { + // ... oh no + exit(1, os.Stderr, "error:", os.Args[0], "appears to be installed with the 'setgid' bit set, which is not quite *as* insecure as 'setuid', but still not great, and definitely a completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')") + } + } if len(os.Args) >= 2 { switch os.Args[1] { case "--help", "-h", "-?": - fmt.Println(usage()) - os.Exit(0) + exit(0, os.Stdout, usage()) case "--version", "-v": - fmt.Println(version()) - os.Exit(0) + exit(0, os.Stdout, version()) } } if len(os.Args) <= 2 { - log.Println(usage()) - os.Exit(1) + exit(1, os.Stderr, usage()) } // clear HOME so that SetupUser will set it os.Unsetenv("HOME") if err := SetupUser(os.Args[1]); err != nil { - log.Fatalf("error: failed switching to %q: %v", os.Args[1], err) + exit(1, os.Stderr, "error: failed switching to '"+os.Args[1]+"':", err.Error()) } name, err := exec.LookPath(os.Args[2]) if err != nil { - log.Fatalf("error: %v", err) + exit(1, os.Stderr, "error:", err.Error()) } if err = syscall.Exec(name, os.Args[2:], os.Environ()); err != nil { - log.Fatalf("error: exec failed: %v", err) + exit(1, os.Stderr, "error: exec failed:", err.Error()) } } diff --git a/setup-user.go b/setup-user.go index 3a04ec98..87afcd17 100644 --- a/setup-user.go +++ b/setup-user.go @@ -2,22 +2,21 @@ package main import ( "os" - "syscall" - "github.com/opencontainers/runc/libcontainer/system" - "github.com/opencontainers/runc/libcontainer/user" + "github.com/moby/sys/user" + "golang.org/x/sys/unix" ) -// this function comes from libcontainer/init_linux.go -// we don't use that directly because we don't want the whole namespaces package imported here -// (also, because we need minor modifications and it's not even exported) +// this function comes from https://github.com/opencontainers/runc/blob/18c313be729dd02b17934af41e32116a28b4b3bf/libcontainer/init_linux.go#L472-L561 +// we don't use that directly because it isn't exported *and* we don't want that whole package/runc imported here +// (also, because we need minor modifications) // SetupUser changes the groups, gid, and uid for the user inside the container func SetupUser(u string) error { // Set up defaults. defaultExecUser := user.ExecUser{ - Uid: syscall.Getuid(), - Gid: syscall.Getgid(), + Uid: unix.Getuid(), + Gid: unix.Getgid(), Home: "/", } passwdPath, err := user.GetPasswdPath() @@ -32,13 +31,13 @@ func SetupUser(u string) error { if err != nil { return err } - if err := syscall.Setgroups(execUser.Sgids); err != nil { + if err := unix.Setgroups(execUser.Sgids); err != nil { return err } - if err := system.Setgid(execUser.Gid); err != nil { + if err := unix.Setgid(execUser.Gid); err != nil { return err } - if err := system.Setuid(execUser.Uid); err != nil { + if err := unix.Setuid(execUser.Uid); err != nil { return err } // if we didn't get HOME already, set it based on the user's HOME diff --git a/version.go b/version.go index e43fe0c4..a5c6e8a4 100644 --- a/version.go +++ b/version.go @@ -1,3 +1,3 @@ package main -const Version = "1.12" +const Version = "1.19"