tasks: support running in an elevated shell

sandydoo · sandydoo · commit 6218a951ef3f · 2025-09-29T16:39:54.000+02:00
diff --git a/devenv-tasks/Cargo.toml b/devenv-tasks/Cargo.toml
@@ -25,7 +25,7 @@ shell-escape.workspace = true
 glob = "0.3.3"
 
 [target.'cfg(unix)'.dependencies]
-nix.workspace = true
+nix = { workspace = true, features = ["user"] }
 
 [dev-dependencies]
 pretty_assertions.workspace = true
diff --git a/devenv-tasks/src/config.rs b/devenv-tasks/src/config.rs
@@ -1,4 +1,5 @@
 use serde::{Deserialize, Serialize};
+use crate::SudoContext;
 
 #[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct TaskConfig {
@@ -38,6 +39,8 @@ pub struct Config {
     pub tasks: Vec<TaskConfig>,
     pub roots: Vec<String>,
     pub run_mode: RunMode,
+    #[serde(skip)]
+    pub sudo_context: Option<SudoContext>,
 }
 
 impl TryFrom<serde_json::Value> for Config {
diff --git a/devenv-tasks/src/lib.rs b/devenv-tasks/src/lib.rs
@@ -1,5 +1,6 @@
 mod config;
 mod error;
+mod privileges;
 pub mod signal_handler;
 mod task_cache;
 mod task_state;
@@ -9,6 +10,7 @@ pub mod ui;
 
 pub use config::{Config, RunMode, TaskConfig};
 pub use error::Error;
+pub use privileges::SudoContext;
 pub use tasks::{Tasks, TasksBuilder};
 pub use types::{Outputs, VerbosityLevel};
 pub use ui::{TasksStatus, TasksUi, TasksUiBuilder};
diff --git a/devenv-tasks/src/main.rs b/devenv-tasks/src/main.rs
@@ -1,8 +1,8 @@
 use clap::{Parser, Subcommand};
 use devenv_tasks::{
-    Config, RunMode, TaskConfig, TasksUi, VerbosityLevel, signal_handler::SignalHandler,
+    Config, RunMode, SudoContent, TaskConfig, TasksUi, VerbosityLevel, signal_handler::SignalHandler,
 };
-use std::env;
+use std::{env, fs, path::PathBuf};
 
 #[derive(Parser)]
 #[clap(author, version, about)]
@@ -19,6 +19,14 @@ enum Command {
 
         #[clap(long, value_enum, default_value_t = RunMode::Single, help = "The execution mode for tasks (affects dependency resolution)")]
         mode: RunMode,
+
+        #[clap(
+            long,
+            value_parser,
+            env = "DEVENV_TASK_FILE",
+            help = "Path to a JSON file containing task definitions"
+        )]
+        task_file: Option<PathBuf>,
     },
     Export {
         #[clap()]
@@ -30,6 +38,14 @@ enum Command {
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
     let args = Args::parse();
 
+    // Detect and handle sudo context FIRST, before any file operations
+    let sudo_context = SudoContext::detect();
+    if let Some(ref ctx) = sudo_context {
+        // Drop privileges immediately so all files are created with correct ownership
+        ctx.drop_privileges()
+            .map_err(|e| format!("Failed to drop privileges: {}", e))?;
+    }
+
     // Determine verbosity level from DEVENV_CMDLINE
     let mut verbosity = if let Ok(cmdline) = env::var("DEVENV_CMDLINE") {
         let cmdline = cmdline.to_lowercase();
@@ -51,14 +67,39 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         }
 
     match args.command {
-        Command::Run { roots, mode } => {
-            let tasks_json = env::var("DEVENV_TASKS")?;
-            let tasks: Vec<TaskConfig> = serde_json::from_str(&tasks_json)?;
+        Command::Run {
+            roots,
+            mode,
+            task_file,
+        } => {
+            let tasks: Vec<TaskConfig> = {
+                let task_source = || {
+                    task_file
+                        .as_ref()
+                        .map(|p| format!("tasks file at {}", p.display()))
+                        .unwrap_or_else(|| "DEVENV_TASKS".to_string())
+                };
 
+                let data = env::var("DEVENV_TASKS").or_else(|_| {
+                    task_file
+                        .as_ref()
+                        .ok_or_else(|| {
+                            "No task file specified and DEVENV_TASKS environment variable not set"
+                                .to_string()
+                        })
+                        .and_then(|path| {
+                            fs::read_to_string(path)
+                                .map_err(|e| format!("Failed to read {}: {e}", task_source()))
+                        })
+                })?;
+                serde_json::from_str(&data)
+                    .map_err(|e| format!("Failed to parse {} as JSON: {e}", task_source()))?
+            };
             let config = Config {
                 tasks,
                 roots,
                 run_mode: mode,
+                sudo_context: sudo_context.clone(),
             };
 
             // Create a global signal handler
diff --git a/devenv-tasks/src/privileges.rs b/devenv-tasks/src/privileges.rs
@@ -0,0 +1,43 @@
+use std::env;
+use nix::unistd::{Uid, Gid, setuid, setgid, geteuid};
+
+/// Context information about the original user when running under sudo
+#[derive(Debug, Clone)]
+pub struct SudoContext {
+    pub user: String,
+    pub uid: Uid,
+    pub gid: Gid,
+}
+
+impl SudoContext {
+    /// Detect if we're running under sudo and extract the original user context
+    pub fn detect() -> Option<Self> {
+        // Only if we're running as root AND have SUDO_USER set
+        if !geteuid().is_root() {
+            return None;
+        }
+        
+        let user = env::var("SUDO_USER").ok()?;
+        let uid = env::var("SUDO_UID").ok()?.parse().ok()?;
+        let gid = env::var("SUDO_GID").ok()?.parse().ok()?;
+        
+        Some(SudoContext {
+            user,
+            uid: Uid::from_raw(uid),
+            gid: Gid::from_raw(gid),
+        })
+    }
+    
+    /// Drop privileges to the original user
+    /// 
+    /// # Important
+    /// Order matters: we must set GID first, then UID, because once we drop 
+    /// UID privileges we can't change GID anymore.
+    pub fn drop_privileges(&self) -> Result<(), nix::Error> {
+        // Set group ID first
+        setgid(self.gid)?;
+        // Then set user ID
+        setuid(self.uid)?;
+        Ok(())
+    }
+}
diff --git a/devenv-tasks/src/task_state.rs b/devenv-tasks/src/task_state.rs
@@ -1,6 +1,7 @@
 use crate::config::TaskConfig;
 use crate::task_cache::{TaskCache, expand_glob_patterns};
 use crate::types::{Output, Skipped, TaskCompleted, TaskFailure, TaskStatus, VerbosityLevel};
+use crate::SudoContext;
 use miette::{IntoDiagnostic, Result, WrapErr};
 use std::collections::BTreeMap;
 use std::process::Stdio;
@@ -18,19 +19,22 @@ pub struct TaskState {
     pub status: TaskStatus,
     pub verbosity: VerbosityLevel,
     pub cancellation_token: Option<CancellationToken>,
+    pub sudo_context: Option<SudoContext>,
 }
 
 impl TaskState {
     pub fn new(
         task: TaskConfig,
         verbosity: VerbosityLevel,
         cancellation_token: Option<CancellationToken>,
+        sudo_context: Option<SudoContext>,
     ) -> Self {
         Self {
             task,
             status: TaskStatus::Pending,
             verbosity,
             cancellation_token,
+            sudo_context,
         }
     }
 
@@ -71,7 +75,18 @@ impl TaskState {
         cmd: &str,
         outputs: &BTreeMap<String, serde_json::Value>,
     ) -> Result<(Command, tempfile::NamedTempFile)> {
-        let mut command = Command::new(cmd);
+        // If we dropped privileges but have sudo context, restore sudo for the task
+        let mut command = if let Some(_ctx) = &self.sudo_context {
+            // Wrap with sudo to restore elevated privileges
+            let mut sudo_cmd = Command::new("sudo");
+            // Use -E to preserve environment variables
+            sudo_cmd.args(["-E", cmd]);
+            sudo_cmd
+        } else {
+            // Normal execution - no sudo involved
+            Command::new(cmd)
+        };
+        
         command.stdout(Stdio::piped()).stderr(Stdio::piped());
 
         // Set working directory if specified
diff --git a/devenv-tasks/src/tasks.rs b/devenv-tasks/src/tasks.rs
@@ -90,6 +90,7 @@ impl TasksBuilder {
                 task,
                 self.verbosity,
                 self.cancellation_token.clone(),
+                self.config.sudo_context.clone(),
             ))));
             task_indices.insert(name, index);
         }
diff --git a/devenv/src/devenv.rs b/devenv/src/devenv.rs
@@ -789,6 +789,7 @@ impl Devenv {
             roots,
             tasks,
             run_mode,
+            sudo_context: None,
         };
         debug!(
             "Tasks config: {}",
diff --git a/src/modules/process-managers/process-compose.nix b/src/modules/process-managers/process-compose.nix
@@ -124,6 +124,17 @@ in
         version = lib.mkDefault "0.5";
         is_strict = lib.mkDefault true;
         log_location = lib.mkDefault "${config.env.DEVENV_STATE}/process-compose/process-compose.log";
+        shell = {
+          shell_command = lib.mkDefault (lib.getExe pkgs.bashInteractive);
+          shell_argument = lib.mkDefault "-c";
+          elevated_shell_command = lib.mkDefault "sudo";
+          # Pass-through environment variables required by devenv-tasks when using elevated processes.
+          elevated_shell_argument = lib.mkDefault (lib.concatStringsSep " " [
+            "DEVENV_DOTFILE=${config.env.DEVENV_DOTFILE}"
+            "DEVENV_TASK_FILE=${config.env.DEVENV_TASK_FILE}"
+            "-S"
+          ]);
+        };
         processes = lib.mapAttrs
           (name: value:
             let
diff --git a/src/modules/processes.nix b/src/modules/processes.nix
@@ -152,7 +152,7 @@ in
 
     procfile =
       pkgs.writeText "procfile" (lib.concatStringsSep "\n"
-        (lib.mapAttrsToList (name: process: "${name}: exec ${config.task.package}/bin/devenv-tasks run --mode all devenv:processes:${name}")
+        (lib.mapAttrsToList (name: process: "${name}: exec ${config.task.package}/bin/devenv-tasks run --tasks-file ${config.task.config} --mode all --devenv:processes:${name}")
           config.processes));
 
     procfileEnv =
diff --git a/src/modules/services/postgres.nix b/src/modules/services/postgres.nix
@@ -430,7 +430,7 @@ in
           # pg_isready does not distinguish between a server that is ready and one that's being initialized by initdb.
           exec.command = ''
             if [[ -f "$PGDATA/.devenv_initialized" ]]; then
-              ${postgresPkg}/bin/pg_isready -d template1 && \\
+              ${postgresPkg}/bin/pg_isready -d template1 && \
               ${postgresPkg}/bin/psql -c "SELECT 1" template1 > /dev/null 2>&1
             else
               echo "Waiting for PostgreSQL initialization to complete..." 2>&1
diff --git a/src/modules/tasks.nix b/src/modules/tasks.nix
@@ -165,8 +165,6 @@ in
   };
 
   config = {
-    env.DEVENV_TASKS = builtins.toJSON tasksJSON;
-
     assertions = [
       {
         assertion = lib.all (task: task.package.meta.mainProgram == "bash" || task.binary == "bash" || task.exports == [ ]) (lib.attrValues config.tasks);
@@ -178,13 +176,15 @@ in
       }
     ];
 
+    env.DEVENV_TASKS = builtins.toJSON tasksJSON;
+    env.DEVENV_TASK_FILE = config.task.config;
+    task.config = (pkgs.formats.json { }).generate "tasks.json" tasksJSON;
+
     infoSections."tasks" =
       lib.mapAttrsToList
         (name: task: "${name}: ${task.description} (${if task.command == null then "no command" else task.command})")
         config.tasks;
 
-    task.config = (pkgs.formats.json { }).generate "tasks.json" tasksJSON;
-
     tasks = {
       "devenv:enterShell" = {
         description = "Runs when entering the shell";

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,7 @@ impl TasksBuilder {`
`90`	`90`	`task,`
`91`	`91`	`self.verbosity,`
`92`	`92`	`self.cancellation_token.clone(),`
	`93`	`+ self.config.sudo_context.clone(),`
`93`	`94`	`))));`
`94`	`95`	`task_indices.insert(name, index);`
`95`	`96`	`}`