src: add SafeCapGetenv function

danbev · danbev · commit c9ed842f4496 · 2021-03-12T13:58:27.000+01:00
This commit suggests adding a function named SafeCapGetenv which takes
into consideration if a capability has been set on the executable, and
if so allows the reading of the environment variables. This is a
separate function so that it does not affect and JavaScript methods that
currently use SafeGetenv.

The motivation for this change is a use-case where Node is run in a
container, and the is a requirement to be able to listen to ports
below 1024. This is done by setting the capability of
cap_net_bin_service. In addition there is a need to set the
environment variable `NODE_EXTRA_CA_CERTS`. But currently this
environment variable will not be read when the capability has been set
on the executable.
diff --git a/src/node.cc b/src/node.cc
@@ -1010,7 +1010,7 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
 #if HAVE_OPENSSL
   {
     std::string extra_ca_certs;
-    if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+    if (credentials::SafeCapGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
       crypto::UseExtraCaCerts(extra_ca_certs);
   }
   // In the case of FIPS builds we should make sure
diff --git a/src/node_credentials.cc b/src/node_credentials.cc
@@ -33,6 +33,44 @@ bool linux_at_secure = false;
 
 namespace credentials {
 
+// Look up environment variable and allow if linux capabilities have been set
+// but not setuid. setuid is assumed if the real/effective user/group differ.
+// We also check for the off chance that the process is running as root and
+// also has capabilities set (in which case the user/group ids would be the
+// same).
+bool SafeCapGetenv(const char* key, std::string* text) {
+#if !defined(__CloudABI__) && !defined(_WIN32)
+  if (per_process::linux_at_secure && (getuid() != geteuid() ||
+      getgid() != getegid()) || getuid() == 0) {
+    goto fail;
+  }
+#endif
+
+  {
+    Mutex::ScopedLock lock(per_process::env_var_mutex);
+
+    size_t init_sz = 256;
+    MaybeStackBuffer<char, 256> val;
+    int ret = uv_os_getenv(key, *val, &init_sz);
+
+    if (ret == UV_ENOBUFS) {
+      // Buffer is not large enough, reallocate to the updated init_sz
+      // and fetch env value again.
+      val.AllocateSufficientStorage(init_sz);
+      ret = uv_os_getenv(key, *val, &init_sz);
+    }
+
+    if (ret >= 0) {  // Env key value fetch success.
+      *text = *val;
+      return true;
+    }
+  }
+
+fail:
+  text->clear();
+  return false;
+}
+
 // Look up environment variable unless running as setuid root.
 bool SafeGetenv(const char* key, std::string* text, Environment* env) {
 #if !defined(__CloudABI__) && !defined(_WIN32)
diff --git a/src/node_internals.h b/src/node_internals.h
@@ -292,6 +292,7 @@ class ThreadPoolWork {
 
 namespace credentials {
 bool SafeGetenv(const char* key, std::string* text, Environment* env = nullptr);
+bool SafeCapGetenv(const char* key, std::string* text);
 }  // namespace credentials
 
 void DefineZlibConstants(v8::Local<v8::Object> target);

Original file line number	Diff line number	Diff line change
`@@ -1010,7 +1010,7 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {`
`1010`	`1010`	`#if HAVE_OPENSSL`
`1011`	`1011`	`{`
`1012`	`1012`	`std::string extra_ca_certs;`
`1013`		`- if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))`
	`1013`	`+ if (credentials::SafeCapGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))`
`1014`	`1014`	`crypto::UseExtraCaCerts(extra_ca_certs);`
`1015`	`1015`	`}`
`1016`	`1016`	`// In the case of FIPS builds we should make sure`