Merge pull request #2175 from cachix/elevated-tasks

tasks: support running in an elevated shell

Author: sandydoo

devenv-tasks/Cargo.toml

@@ -25,7 +25,7 @@ shell-escape.workspace = true
 glob = "0.3.3"
 
 [target.'cfg(unix)'.dependencies]
-nix.workspace = true
+nix = { workspace = true, features = ["user"] }
 
 [dev-dependencies]
 pretty_assertions.workspace = true

devenv-tasks/src/config.rs

@@ -1,4 +1,5 @@
 use serde::{Deserialize, Serialize};
+use crate::SudoContext;
 
 #[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct TaskConfig {
@@ -38,6 +39,8 @@ pub struct Config {
     pub tasks: Vec<TaskConfig>,
     pub roots: Vec<String>,
     pub run_mode: RunMode,
+    #[serde(skip)]
+    pub sudo_context: Option<SudoContext>,
 }
 
 impl TryFrom<serde_json::Value> for Config {

devenv-tasks/src/lib.rs

@@ -1,5 +1,6 @@
 mod config;
 mod error;
+mod privileges;
 pub mod signal_handler;
 mod task_cache;
 mod task_state;
@@ -9,6 +10,7 @@ pub mod ui;
 
 pub use config::{Config, RunMode, TaskConfig};
 pub use error::Error;
+pub use privileges::SudoContext;
 pub use tasks::{Tasks, TasksBuilder};
 pub use types::{Outputs, VerbosityLevel};
 pub use ui::{TasksStatus, TasksUi, TasksUiBuilder};

devenv-tasks/src/main.rs

@@ -1,8 +1,9 @@
 use clap::{Parser, Subcommand};
 use devenv_tasks::{
-    Config, RunMode, TaskConfig, TasksUi, VerbosityLevel, signal_handler::SignalHandler,
+    Config, RunMode, SudoContext, TaskConfig, TasksUi, VerbosityLevel,
+    signal_handler::SignalHandler,
 };
-use std::env;
+use std::{env, fs, path::PathBuf};
 
 #[derive(Parser)]
 #[clap(author, version, about)]
@@ -19,6 +20,14 @@ enum Command {
 
         #[clap(long, value_enum, default_value_t = RunMode::Single, help = "The execution mode for tasks (affects dependency resolution)")]
         mode: RunMode,
+
+        #[clap(
+            long,
+            value_parser,
+            env = "DEVENV_TASK_FILE",
+            help = "Path to a JSON file containing task definitions"
+        )]
+        task_file: Option<PathBuf>,
     },
     Export {
         #[clap()]
@@ -28,6 +37,14 @@ enum Command {
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
+    // Detect and handle sudo.
+    // Drop privileges immediately to avoid creating any files as root.
+    let sudo_context = SudoContext::detect();
+    if let Some(ref ctx) = sudo_context {
+        ctx.drop_privileges()
+            .map_err(|e| format!("Failed to drop privileges: {}", e))?;
+    }
+
     let args = Args::parse();
 
     // Determine verbosity level from DEVENV_CMDLINE
@@ -46,19 +63,45 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
 
     // Keeping backwards compatibility for existing scripts that might set DEVENV_TASKS_QUIET
     if let Ok(quiet_var) = env::var("DEVENV_TASKS_QUIET")
-        && (quiet_var == "true" || quiet_var == "1") {
-            verbosity = VerbosityLevel::Quiet;
-        }
+        && (quiet_var == "true" || quiet_var == "1")
+    {
+        verbosity = VerbosityLevel::Quiet;
+    }
 
     match args.command {
-        Command::Run { roots, mode } => {
-            let tasks_json = env::var("DEVENV_TASKS")?;
-            let tasks: Vec<TaskConfig> = serde_json::from_str(&tasks_json)?;
+        Command::Run {
+            roots,
+            mode,
+            task_file,
+        } => {
+            let tasks: Vec<TaskConfig> = {
+                let task_source = || {
+                    task_file
+                        .as_ref()
+                        .map(|p| format!("tasks file at {}", p.display()))
+                        .unwrap_or_else(|| "DEVENV_TASKS".to_string())
+                };
 
+                let data = env::var("DEVENV_TASKS").or_else(|_| {
+                    task_file
+                        .as_ref()
+                        .ok_or_else(|| {
+                            "No task file specified and DEVENV_TASKS environment variable not set"
+                                .to_string()
+                        })
+                        .and_then(|path| {
+                            fs::read_to_string(path)
+                                .map_err(|e| format!("Failed to read {}: {e}", task_source()))
+                        })
+                })?;
+                serde_json::from_str(&data)
+                    .map_err(|e| format!("Failed to parse {} as JSON: {e}", task_source()))?
+            };
             let config = Config {
                 tasks,
                 roots,
                 run_mode: mode,
+                sudo_context: sudo_context.clone(),
             };
 
             // Create a global signal handler

devenv-tasks/src/privileges.rs

@@ -0,0 +1,39 @@
+use std::env;
+use nix::unistd::{Uid, Gid, setuid, setgid, geteuid};
+
+/// Context information about the original user when running under sudo
+#[derive(Debug, Clone)]
+pub struct SudoContext {
+    pub user: String,
+    pub uid: Uid,
+    pub gid: Gid,
+}
+
+impl SudoContext {
+    /// Detect if we're running under sudo and extract the original user context
+    pub fn detect() -> Option<Self> {
+        // Only if we're running as root AND have SUDO_USER set
+        if !geteuid().is_root() {
+            return None;
+        }
+
+        let user = env::var("SUDO_USER").ok()?;
+        let uid = env::var("SUDO_UID").ok()?.parse().ok()?;
+        let gid = env::var("SUDO_GID").ok()?.parse().ok()?;
+
+        Some(SudoContext {
+            user,
+            uid: Uid::from_raw(uid),
+            gid: Gid::from_raw(gid),
+        })
+    }
+
+    /// Drop privileges to the original user
+    ///
+    /// Order matters: we must set GID first, then UID, because once we drop UID privileges we can't change GID anymore.
+    pub fn drop_privileges(&self) -> Result<(), nix::Error> {
+        setgid(self.gid)?;
+        setuid(self.uid)?;
+        Ok(())
+    }
+}

devenv-tasks/src/task_state.rs

@@ -1,6 +1,7 @@
 use crate::config::TaskConfig;
 use crate::task_cache::{TaskCache, expand_glob_patterns};
 use crate::types::{Output, Skipped, TaskCompleted, TaskFailure, TaskStatus, VerbosityLevel};
+use crate::SudoContext;
 use miette::{IntoDiagnostic, Result, WrapErr};
 use std::collections::BTreeMap;
 use std::process::Stdio;
@@ -18,19 +19,22 @@ pub struct TaskState {
     pub status: TaskStatus,
     pub verbosity: VerbosityLevel,
     pub cancellation_token: Option<CancellationToken>,
+    pub sudo_context: Option<SudoContext>,
 }
 
 impl TaskState {
     pub fn new(
         task: TaskConfig,
         verbosity: VerbosityLevel,
         cancellation_token: Option<CancellationToken>,
+        sudo_context: Option<SudoContext>,
     ) -> Self {
         Self {
             task,
             status: TaskStatus::Pending,
             verbosity,
             cancellation_token,
+            sudo_context,
         }
     }
 
@@ -71,7 +75,19 @@ impl TaskState {
         cmd: &str,
         outputs: &BTreeMap<String, serde_json::Value>,
     ) -> Result<(Command, tempfile::NamedTempFile)> {
-        let mut command = Command::new(cmd);
+        // If we dropped privileges but have sudo context, restore sudo for the task
+        let mut command = if let Some(_ctx) = &self.sudo_context {
+            // Wrap with sudo to restore elevated privileges
+            let mut sudo_cmd = Command::new("sudo");
+            // Use -E to preserve environment variables
+            // The command here is a store path to a task script, not an arbitrary shell command.
+            sudo_cmd.args(["-E", cmd]);
+            sudo_cmd
+        } else {
+            // Normal execution - no sudo involved
+            Command::new(cmd)
+        };
+
         command.stdout(Stdio::piped()).stderr(Stdio::piped());
 
         // Set working directory if specified

devenv-tasks/src/tasks.rs

@@ -90,6 +90,7 @@ impl TasksBuilder {
                 task,
                 self.verbosity,
                 self.cancellation_token.clone(),
+                self.config.sudo_context.clone(),
             ))));
             task_indices.insert(name, index);
         }

devenv/src/devenv.rs

@@ -789,6 +789,7 @@ impl Devenv {
             roots,
             tasks,
             run_mode,
+            sudo_context: None,
         };
         debug!(
             "Tasks config: {}",

src/modules/process-managers/process-compose.nix

@@ -124,10 +124,22 @@ in
         version = lib.mkDefault "0.5";
         is_strict = lib.mkDefault true;
         log_location = lib.mkDefault "${config.env.DEVENV_STATE}/process-compose/process-compose.log";
+        shell = {
+          shell_command = lib.mkDefault (lib.getExe pkgs.bashInteractive);
+          shell_argument = lib.mkDefault "-c";
+          elevated_shell_command = lib.mkDefault "sudo";
+          # Pass-through environment variables required by devenv-tasks when using elevated processes.
+          elevated_shell_argument = lib.mkDefault (lib.concatStringsSep " " [
+            "DEVENV_DOTFILE='${config.devenv.dotfile}'"
+            "DEVENV_CMDLINE=\"$DEVENV_CMDLINE\""
+            "DEVENV_TASK_FILE='${config.env.DEVENV_TASK_FILE}'"
+            "-S"
+          ]);
+        };
         processes = lib.mapAttrs
           (name: value:
             let
-              taskCmd = "${config.task.package}/bin/devenv-tasks run --mode all devenv:processes:${name}";
+              taskCmd = "${config.task.package}/bin/devenv-tasks run --task-file ${config.task.config} --mode all devenv:processes:${name}";
               command =
                 if value.process-compose.is_elevated or false
                 then taskCmd

src/modules/processes.nix

@@ -152,7 +152,7 @@ in
 
     procfile =
       pkgs.writeText "procfile" (lib.concatStringsSep "\n"
-        (lib.mapAttrsToList (name: process: "${name}: exec ${config.task.package}/bin/devenv-tasks run --mode all devenv:processes:${name}")
+        (lib.mapAttrsToList (name: process: "${name}: exec ${config.task.package}/bin/devenv-tasks run --task-file ${config.task.config} --mode all --devenv:processes:${name}")
           config.processes));
 
     procfileEnv =