Merge pull request #332 from gliderlabs/master

michaelshobbs · web-flow · commit 9dd2747c144f · 2018-02-09T08:37:17.000-07:00
release v0.3.35
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,15 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+## [0.3.35] - 2018-02-09
+### Added
+- @davidkarlsen Be able to opt out from setuidgid - needed when not running as root initially
+
+### Changed
+- @michaelshobbs Update go to version v83
+- @michaelshobbs Update nodejs to version v118
+
+
 ## [0.3.34] - 2018-01-30
 ### Added
 - @josegonzalez feat: update all installed service dependencies when building the docker image
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 FROM heroku/cedar:14
-RUN curl "https://github.com/gliderlabs/herokuish/releases/download/v0.3.34/herokuish_0.3.34_linux_x86_64.tgz" \
+RUN curl "https://github.com/gliderlabs/herokuish/releases/download/v0.3.35/herokuish_0.3.35_linux_x86_64.tgz" \
 		--silent -L | tar -xzC /bin
 RUN apt-get update && apt-get -qq -y --force-yes dist-upgrade && apt-get clean && rm -rf /var/cache/apt/archives/*
 RUN /bin/herokuish buildpack install \
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 NAME = herokuish
 HARDWARE = $(shell uname -m)
-VERSION ?= 0.3.34
+VERSION ?= 0.3.35
 IMAGE_NAME ?= $(NAME)
 BUILD_TAG ?= dev
 
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ Download and uncompress the latest binary tarball from [releases](https://github
 For example, you can do this directly in your Dockerfiles installing into `/bin` as one step:
 
 ```
-RUN curl --location --silent https://github.com/gliderlabs/herokuish/releases/download/v0.3.34/herokuish_0.3.34_linux_x86_64.tgz \
+RUN curl --location --silent https://github.com/gliderlabs/herokuish/releases/download/v0.3.35/herokuish_0.3.35_linux_x86_64.tgz \
 		  | tar -xzC /bin
 ```
 
@@ -56,6 +56,9 @@ Main functionality revolves around buildpack commands, procfile/exec commands, a
 
 For example, build processes that produce Docker images without producing intermediary slugs can ignore slug commands. Similarly, non-buildpack runtime images such as [google/python-runtime](https://github.com/GoogleCloudPlatform/python-docker/tree/master/runtime) might find procfile commands useful just to support Procfiles.
 
+`herokuish exec` will by default drop root privileges through use of [setuidgid](https://cr.yp.to/daemontools/setuidgid.html),
+but if already running as a non-root user setuidgid will fail, you can opt-out from this by setting the env-var `HEROKUISH_SETUIDGUID=false`.
+
 #### Buildpacks
 
 Herokuish does not come with any buildpacks, but it is tested against recent versions of Heroku supported buildpacks. You can see this information with `herokuish version`. Example output:
diff --git a/buildpacks/buildpack-go/buildpack-version b/buildpacks/buildpack-go/buildpack-version
@@ -1 +1 @@
-v81
+v83
diff --git a/buildpacks/buildpack-nodejs/buildpack-version b/buildpacks/buildpack-nodejs/buildpack-version
@@ -1 +1 @@
-v116
+v118
diff --git a/include/procfile.bash b/include/procfile.bash
@@ -52,7 +52,11 @@ procfile-exec() {
 	cd "$app_path" || return 1
 	# unprivileged_user is defined in outer scope
 	# shellcheck disable=SC2154,SC2046
-	exec setuidgid "$unprivileged_user" $(eval echo "$@")
+	if [[ "$HEROKUISH_SETUIDGUID" == "false" ]]; then
+		exec $(eval echo "$@")
+	else
+		exec setuidgid "$unprivileged_user" $(eval echo "$@")
+	fi
 }
 
 procfile-types() {
diff --git a/tests/unit/tests.sh b/tests/unit/tests.sh
@@ -109,3 +109,35 @@ T_procfile-load-profile() {
         return 1
     fi
 }
+
+#the following two tests needs to launch an invalid command,
+#or else shell is hijacked by suceeding exec, so rather than no test
+#it is better to pass a failing cmd, so that we can check we pass exec step
+T_procfile-exec() {
+    # shellcheck disable=SC1090
+    source "$(dirname "${BASH_SOURCE[0]}")/../../include/procfile.bash"
+    local expected actual
+
+    actual=procfile-exec invalid
+    expected=".*invalid: command not found.*"
+
+    if [[ "$actual" =~ $expected ]]; then
+        echo "$actual =~ $expected"
+        return 1
+    fi
+}
+
+T_procfile-exec-setuidgid-optout() {
+    # shellcheck disable=SC1090
+    source "$(dirname "${BASH_SOURCE[0]}")/../../include/procfile.bash"
+    local expected actual
+
+    HEROKUISH_SETUIDGUID=false
+    actual=procfile-exec invalid
+    expected=".*invalid: command not found.*"
+
+    if [[ "$actual" =~ $expected ]]; then
+        echo "$actual =~ $expected"
+        return 1
+    fi
+}
