1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
package main
import (
"crypto/tls"
"flag"
"fmt"
"log"
"net"
"os"
"os/exec"
"syscall"
)
var (
cfile = flag.String("cert", "cert.pem", "Certificate file in PEM format")
kfile = flag.String("key", "key.pem", "Key file in PEM format")
port = flag.Int("port", 1234, "Port to bind to")
/*
Rather than using setuid/setgid we rely on setcap CAP_NET_BIND_SERVICE
uid = flag.Int("uid", -1, "UID to run under")
gid = flag.Int("gid", -1, "GID to run under")
*/
args []string
nargs int
)
func main() {
flag.Parse()
args = flag.Args()
nargs = flag.NArg()
if nargs < 1 {
fmt.Println("Usage: tlsserver [options] cmd [flags for cmd]")
fmt.Println("options:")
flag.PrintDefaults()
os.Exit(1)
}
// setup certs etc. for TLS-socket
tconf := new(tls.Config)
cert, err := tls.LoadX509KeyPair(*cfile, *kfile)
if err != nil {
fmt.Println("error with certs:", err)
os.Exit(2)
}
tconf.Certificates = append(tconf.Certificates, cert)
tconf.BuildNameToCertificate()
// start listening
sport := fmt.Sprintf(":%d", *port)
sock, err := tls.Listen("tcp", sport, tconf)
if err != nil {
fmt.Println("error with tcp-socket:", err)
os.Exit(3)
}
defer sock.Close()
/*
The right way to handle/drop privileges is to start with a
low-privileged user and use setcap CAP_NET_BIND_SERVICE on the
binary to allow for the listen-operation.
// set uid/gid
if *gid >= 0 {
err := setgid(*gid) // syscall.Setgid(*gid)
if err != nil {
fmt.Println("Couldn't setgid to", *gid, ":", err)
os.Exit(4)
}
}
if *uid >= 0 {
err := setuid(*uid) // syscall.Setuid(*uid)
if err != nil {
fmt.Println("Couldn't setuid to", *uid, ":", err)
os.Exit(4)
}
}
*/
// accept-loop
for {
conn, err := sock.Accept()
if err != nil {
log.Println("error during Accept()", err)
continue
}
log.Println("Got connection:", conn.RemoteAddr())
go handleConnection(conn)
}
}
func handleConnection(conn net.Conn) {
defer conn.Close()
// setup cmd
cmd := exec.Command(args[0])
cmd.Args = args
cmd.Stdin = conn
cmd.Stdout = conn
cmd.Stderr = os.Stderr
cmd.SysProcAttr = &syscall.SysProcAttr{}
// prepare environment according to tcp-environ(5)
lh, lp, err := net.SplitHostPort(conn.LocalAddr().String())
if err != nil {
log.Println(err)
return
}
rh, rp, err := net.SplitHostPort(conn.LocalAddr().String())
if err != nil {
log.Println(err)
return
}
cmd.Env = make([]string, 0)
cmd.Env = append(cmd.Env, "PATH="+os.Getenv("PATH"))
cmd.Env = append(cmd.Env, "PROTO=TCP")
cmd.Env = append(cmd.Env, "TCPLOCALIP="+lh)
cmd.Env = append(cmd.Env, "TCPLOCALPORT="+lp)
cmd.Env = append(cmd.Env, "TCPREMOTEIP="+rh)
cmd.Env = append(cmd.Env, "TCPREMOTEPORT="+rp)
err = cmd.Run()
if err != nil {
log.Println("after Run: ", err)
}
log.Println("Done with connection", conn.RemoteAddr())
}
// Since go1.4 the setgid syscall is deliberatelly not supported anymore, as it
// only applies to the calling thread. So we try this here:
func setgid(gid int) error {
// RawSyscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno)
_, _, e := syscall.RawSyscall(syscall.SYS_SETGID, uintptr(gid), 0, 0)
if e != 0 {
return fmt.Errorf(e.Error())
}
return nil
}
func setuid(uid int) error {
// RawSyscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno)
_, _, e := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
if e != 0 {
return fmt.Errorf(e.Error())
}
return nil
}
|
