rely on setcap rather than setuid/setgid
This commit is contained in:
parent
f30a09097d
commit
8373a55501
10
tlsserver.go
10
tlsserver.go
@ -15,8 +15,11 @@ var (
|
||||
cfile = flag.String("cert", "cert.pem", "Certificate file in PEM format")
|
||||
kfile = flag.String("key", "key.pem", "Key file in PEM format")
|
||||
port = flag.Int("port", 1234, "Port to bind to")
|
||||
/*
|
||||
Rather than using setuid/setgid we rely on setcap CAP_NET_BIND_SERVICE
|
||||
uid = flag.Int("uid", -1, "UID to run under")
|
||||
gid = flag.Int("gid", -1, "GID to run under")
|
||||
*/
|
||||
args []string
|
||||
nargs int
|
||||
)
|
||||
@ -53,6 +56,11 @@ func main() {
|
||||
}
|
||||
defer sock.Close()
|
||||
|
||||
/*
|
||||
The right way to handle/drop privileges is to start with a
|
||||
low-privileged user and use setcap CAP_NET_BIND_SERVICE on the
|
||||
binary to allow for the listen-operation.
|
||||
|
||||
// set uid/gid
|
||||
if *gid >= 0 {
|
||||
err := setgid(*gid) // syscall.Setgid(*gid)
|
||||
@ -69,6 +77,7 @@ func main() {
|
||||
os.Exit(4)
|
||||
}
|
||||
}
|
||||
*/
|
||||
|
||||
// accept-loop
|
||||
for {
|
||||
@ -91,6 +100,7 @@ func handleConnection(conn net.Conn) {
|
||||
cmd.Stdin = conn
|
||||
cmd.Stdout = conn
|
||||
cmd.Stderr = os.Stderr
|
||||
cmd.SysProcAttr = &syscall.SysProcAttr{}
|
||||
|
||||
// prepare environment according to tcp-environ(5)
|
||||
lh, lp, err := net.SplitHostPort(conn.LocalAddr().String())
|
||||
|
Loading…
Reference in New Issue
Block a user