From 63fc1ffd0e6050b8a7bc47776ed0513b15aaf7d5 Mon Sep 17 00:00:00 2001 From: L0m1g Date: Sat, 3 May 2025 16:11:28 +0200 Subject: [PATCH] Fix: unlock database --- .gitignore | 1 + Dockerfile | 4 +++- erminig/models/db.py | 8 ++++++++ erminig/system/security.py | 11 +++++------ lib/erminig.db | Bin 49152 -> 0 bytes 5 files changed, 17 insertions(+), 7 deletions(-) delete mode 100644 lib/erminig.db diff --git a/.gitignore b/.gitignore index 9f81dd8..cefb59e 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ __pycache__/ *.egg-info/ .pytest_cache/ *.log +lib/erminig.db diff --git a/Dockerfile b/Dockerfile index 508e3c8..6e6c1eb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,9 @@ RUN dnf -y update && \ dnf -y install python3 python3-pip sqlite tar zstd git bash && \ dnf clean all -RUN mkdir -p /var/lib/erminig /var/cache/erminig /opt/erminig +RUN useradd -r -s /sbin/nologin -d /var/lib/erminig pak && \ + mkdir -p /var/lib/erminig /var/cache/erminig /opt/erminig && \ + chown -R pak:pak /var/lib/erminig /var/cache/erminig /opt/erminig COPY . /opt/erminig diff --git a/erminig/models/db.py b/erminig/models/db.py index dde81c8..3fd0cc9 100644 --- a/erminig/models/db.py +++ b/erminig/models/db.py @@ -7,6 +7,8 @@ # Libre comme l’air, stable comme un menhir, et salé comme le beurre. # +import os +import pwd import sqlite3 from erminig.config import Config @@ -20,6 +22,12 @@ def init_db(): conn.executescript(f.read()) conn.commit() conn.close() + # Attribution au user pak + pak_uid = pwd.getpwnam("pak").pw_uid + pak_gid = pwd.getpwnam("pak").pw_gid + os.chown(Config.DB_PATH, pak_uid, pak_gid) + os.chmod(Config.DB_PATH, 0o664) + print("Base erminig.db initialisée avec succès.") diff --git a/erminig/system/security.py b/erminig/system/security.py index a2ff43d..98bc2f1 100644 --- a/erminig/system/security.py +++ b/erminig/system/security.py 
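Review bot: The new `chown -R pak:pak … /opt/erminig` runs before `COPY . /opt/erminig`, so the application tree copied afterwards is still root-owned and the recursive chown on /opt/erminig has no effect on it. If pak is meant to own the code, `COPY --chown=pak:pak . /opt/erminig` is the line to change; from a least-privilege standpoint it is preferable to keep the code root-owned and world-readable and limit pak's ownership to the state directories, in which case drop `/opt/erminig` from the chown line and leave the COPY as is. The hunk adds no `USER pak` instruction, so unless one exists further down the Dockerfile the container still starts as root and relies entirely on `run_as_user` in erminig/system/security.py to drop privileges.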
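Review bot: `pwd.getpwnam("pak")` raises `KeyError` on any host where the pak user does not exist (e.g. a developer checkout outside the image, which is now expected to create lib/erminig.db locally since the file is gitignored), and `os.chown` raises `PermissionError` whenever `init_db()` is not run as root, so the new block turns a working initialisation into a crash after the schema has already been written. It also resolves the same passwd entry twice and hard-codes the username that `run_as_user(username)` in erminig/system/security.py takes as a parameter; a single guarded lookup as below keeps schema creation intact when ownership cannot be changed, and the name should come from Config so both call sites agree. SQLite also writes its `-journal`/`-wal` side files into the database's directory, so pak needs write access to the directory containing `Config.DB_PATH`, not just to the file — the Dockerfile's chown of /var/lib/erminig presumably covers this if DB_PATH lives there. `init_db()` starts above this hunk.
```python
    conn.close()
    # Hand the database file to the unprivileged service user.
    try:
        owner = pwd.getpwnam("pak")  # TODO: read the name from Config, same source as run_as_user()
    except KeyError:
        print("[DB] user pak not found, ownership left unchanged")
    else:
        try:
            os.chown(Config.DB_PATH, owner.pw_uid, owner.pw_gid)
            os.chmod(Config.DB_PATH, 0o664)
        except PermissionError as e:
            print(f"[DB] cannot change ownership of {Config.DB_PATH}: {e}")
    # … unchanged: success message …
```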
@@ -39,9 +39,9 @@ def run_as_user(username): try: pid = os.fork() if pid > 0: - # Parent + # Parent : attendre le child, ne pas exit, juste return proprement _, status = os.waitpid(pid, 0) - return os.WEXITSTATUS(status) + return status >> 8 # récupère le code retour du fils (comme exit code) # Child pw_record = pwd.getpwnam(username) @@ -51,14 +51,13 @@ def run_as_user(username): os.setgid(user_gid) os.setuid(user_uid) - # Exécuter la fonction sous l'utilisateur demandé result = func(*args, **kwargs) - sys.exit(0 if result is None else int(bool(result))) + os._exit(0 if result is None else int(bool(result))) except OSError as e: print(f"[SECURITY] Fork échoué : {e}") - sys.exit(1) + os._exit(1) return wrapper - return decorator + return decorator \ No newline at end of file 
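Review bot: `return status >> 8` yields the exit code only when the child terminated normally; when the child is killed by a signal the high byte is zero, so the parent returns 0 and reports success for a function that never completed — `os.WEXITSTATUS` shared this weakness, but the change trades the named accessor for a bit shift without fixing it. Check the termination kind first: `if os.WIFEXITED(status): return os.WEXITSTATUS(status)` then `return 128 + os.WTERMSIG(status)  # child killed by a signal`, or on Python 3.9+ simply `return os.waitstatus_to_exitcode(status)`, which returns a negative signal number for that case. Since `wrapper` hands back this code rather than func's return value, callers should treat any non-zero result as failure. The enclosing `wrapper` and `decorator` definitions start before this hunk.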
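Review bot: The `try` still covers the child's `result = func(*args, **kwargs)` but only `OSError` is caught, so any other exception raised by `func` in the forked child propagates out of `wrapper`, and the child — now running as the target user — goes on executing the caller's code after the decorated call, duplicating whatever the parent does next. The child must never leave the wrapper: catch `BaseException` around the call, print the traceback and `os._exit(1)`, as in the excerpt below. While here, the privilege drop visible in context keeps the parent's supplementary groups because nothing calls `os.setgroups([])` (or `os.initgroups(username, user_gid)`) before `os.setgid`/`os.setuid`; the excerpt adds that step. The `except OSError` branch is shared by both processes: `os._exit(1)` is right when the child's `setgid`/`setuid` fails, but when `os.fork()` itself fails it now terminates the parent without flushing buffers or letting callers handle the error, and the "Fork échoué" message is misleading in the child case — isolating `pid = os.fork()` in its own `try` that re-raises (that line sits in the previous hunk) would separate the two. The enclosing `wrapper` starts before this hunk.
```python
os.setgroups([])   # drop the parent's supplementary groups before changing ids
os.setgid(user_gid)
os.setuid(user_uid)

try:
    result = func(*args, **kwargs)
except BaseException:
    traceback.print_exc()   # `import traceback` is needed at the top of the file
    os._exit(1)
os._exit(0 if result is None else int(bool(result)))
# … unchanged: except OSError branch, return wrapper / return decorator …
```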
diff --git a/lib/erminig.db b/lib/erminig.db deleted file mode 100644 index 25fdf4972ca3abcb1e03e9f4b74d49d1e963a6c0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 49152 zcmWFz^vNtqRY=P(%1ta$FlG>7U}R))P*7lCVBlt8VBldu01gHQ1{MUDff0#~i^>HJ5?+DgRO4$vn;6+B`v=k2s3hGg%+8=Hk*iDn1$lqaiRF0>dZ-in-av zO=TGy6*KcvQY$i3D&k8Eic5-86LaIsQj3Z+^YfroF^_YQt7C|(La3i-V5qBtr=N>! zgaS4V3jTfyFije8(=tgtTG?j?yyIjMR1C7EfN$%!SI`FX`C9B!zc zA&yQyt_mnp3L0Dr3JMCDDGHu`A+GMOK?(sup1zJjkqX|fkqVBXA^x6z&Oxreu6`jp zV3m1^xv2^vt`Q*$e*Pf}exW`-5OJteu}PH{nP~zBJ8bHZu|ssA7bKQsfWsCNJ&7qPM0*LM!_7a))zjS%oDMV)F40s7a&>bJ za`kg|4OV~(7i(muXmV*b<#Mo#OG+}fnt}r&sWdYur5HkTq67v+jIO~^lvvH)6MK!O&` z2M26XX?ToVkBpzCTFX|!j;q@frKrJE`cWdVn4b1pbs zVWz=oR+MmsiINA}yX8NkdYuC2`&2@VZt z02ZefmZs(5H|LRwB~g+fqpFu3Y205t}R@*oa{ zRoUP+3f!om)b!K}g#u8!z#}9i0AwOe7u4k9OogP>;{41!u#st*Igs)T-mCz%O#BN# zt*pG%90ehD~0srWL=eNXsWB#D@iQUtEd8-Mp{ba(llgZ z6L*!zmF3{k8E*(@GBYqRfcos^Vef{K=JUxi0UVc%!enDxHK3J(f zL{PuXOs@hWq8n|XYZ=!-QC6IjL0Gg=+0ooMJsBe~a|<$cGxO5) zatqS+Qd0GEGmDDyi;DF@*aHN(dB; zuFed`phgrZ2tgPWjETi1MfrJp$@#h9niM3h4kBZxU4*}C>31Mf>JO{nSL}%>p>qTj^3V3 zsxrc2ZKD()Cxg6bBe%7)ajH>TaY0djI!gTxYEM8~EO47qnlS~b`2{(t`X!Ym#rgVh z6ZFeaT?NZea0TeD!3q9)U3qxyi!mS z0bx*D#IP5lL?5b@TstecVZKeyFG|Ho0_e8F73srS-QdmyutdSd^lll#C@BGFd@oCaAHSlvtbr3K9^;8Z3#$8Tuea{O6dAdJmAm>PW;gKTS=k*!V6&%@h91la~s1GW~#AlKRoCQ!iUhBFu^mXx6M zu~PEO^K$YNQ}l`x%M$bQ5;NdU3wV|DUgpf&VA}2mZ(W*Z9x!ALHN2zn*_7|7`wV{zm>{{#5=5em{O^ zek*<*er0|senEateg?iTe6RQ(@!jA%&v%q>58r0KWqdRE>iGIGI?ba3qaiRF0;3@? 
z8UmvsFd71*Aut*OqaiRF0;3@?8Umvsz#zb^$_O4=gwCa^a4?H9g61rhd70%I;nRvr zJj}9;u(>})kQ&hRodTFqRGK8u$t=zYp7@f32&ERtf`vd+Ml$To!i?#;1=3&<&;XYd zH?uS&bQ(kwtRW>SR|2doIawSmkXW8A24aAQ*F_~Vt(1CPUTfmq-XG)^!J zG!(`GvH&*n#LmVn$e5JO267T;tcMjO2^tdt4cD;1IG}M6W{?ul5Csz(voL33at>(z zpNao51OG?<$D;{yGz3ONU^E0qLtr!nMnhmU1V%$(Gz3ONU^E0qLtr!nMnho8h5!!} zvn(TYn?bP(FC()&BYYo#3aJ0D!py?JzkuJC?*-pvJ}2JmyiL4@JU4kVc!at4ai?=V z<7(j&_wbqfhtEp9V|71tV72IerMA&V8k3xiSjg&>x9!&Xh{!}P-Uj_ATfaN2C>EziclD4K4pV5nyZ zj{2<&ihxw%G|V7SmW_c?GT&IvP|wI1HK8JJ z$N>+AL-&F}RN^+$TL$7jS!2BJgYEYKslsEJG$^!WdFXx)V?ASB zh8bFVOMy~qs29SE3#+n54fD&`5F^{318SVlXI=u+rs{mGv$53ui8D443ZK(&ZanTD7_$;M9 zoTY22XO7#@d@gVdXc}`F=oy+KVgNN=fu}nmn-8!gDu_;qv@V2$+rltTHU>uVYGY1A zJp(-pSdfDv9800NsrMR*2I;qhNMW z(kM4(H_|hKmwcG!K{g~HHXDFc<2E#t4Vw;9{ zF_al%D6^5CInGuX$WYKMIoMDT15|Pu;Wjjp2^`A&#!NwS^d3H-;RdBXb6mkz-S1JhQMeDjE2By z2#kinXb6mkz-S1JhQLS*0nq;c(ffg~27!85Z5Eu=C(GVC7fzc2c4S~@R7!85Z5Eu=Ckr)D_ z{r`~|>!W@i4S~@R7!85Z5Eu=C(GVC7fzc2c4S~@R7!85Z5EyA8FxvkgX)!+P-_Z~l z4S~@R7!85Z5Eu=C(GVC7fzc2c4S~@R7!84u7y_gH|B)E$qkbL@fzc2c4S~@R7!85Z z5Eu=C(GVC7fzc2c4S~@R7-=B@I{#0FFM@&p8~-c*`}|k ze-?i%e;~grzXiW8zaqaVKL_6*z6idLe9!o9^PT5A%D0PeE#D%(>3ki0b$ms9sUt1? zM*TY)0;3@?8UmvsFd71*Aut*OqaiRF0;3@?8UiCd1bA2&B^jaDX{&%a&>O9lxmg&+ z86lTXD{-{@vSM^GOncypS#leap7vze8jfP%sD+-o?TtzDaWKOa$l+dm<_qelpm}JdgUk|STp$kPhPMZ$eo=$V7G&=+T;eS zhF*`!1y%yNyOI;khTJ#F0X7AERU|uD7;?WO8(1&&21Zt}8u0CjEMO-1&O>Ifa>zx6 NOq?v7;+)`{0RfsTR1p9G