150 lines
3.4 KiB
Go
150 lines
3.4 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"flag"
|
|
"fmt"
|
|
"log"
|
|
"net"
|
|
"os"
|
|
"os/exec"
|
|
"syscall"
|
|
)
|
|
|
|
var (
|
|
cfile = flag.String("cert", "cert.pem", "Certificate file in PEM format")
|
|
kfile = flag.String("key", "key.pem", "Key file in PEM format")
|
|
port = flag.Int("port", 1234, "Port to bind to")
|
|
/*
|
|
Rather than using setuid/setgid we rely on setcap CAP_NET_BIND_SERVICE
|
|
uid = flag.Int("uid", -1, "UID to run under")
|
|
gid = flag.Int("gid", -1, "GID to run under")
|
|
*/
|
|
args []string
|
|
nargs int
|
|
)
|
|
|
|
func main() {
|
|
|
|
flag.Parse()
|
|
args = flag.Args()
|
|
nargs = flag.NArg()
|
|
if nargs < 1 {
|
|
fmt.Println("Usage: tlsserver [options] cmd [flags for cmd]")
|
|
fmt.Println("options:")
|
|
flag.PrintDefaults()
|
|
os.Exit(1)
|
|
}
|
|
|
|
// setup certs etc. for TLS-socket
|
|
tconf := new(tls.Config)
|
|
cert, err := tls.LoadX509KeyPair(*cfile, *kfile)
|
|
if err != nil {
|
|
fmt.Println("error with certs:", err)
|
|
os.Exit(2)
|
|
}
|
|
|
|
tconf.Certificates = append(tconf.Certificates, cert)
|
|
tconf.BuildNameToCertificate()
|
|
|
|
// start listening
|
|
sport := fmt.Sprintf(":%d", *port)
|
|
sock, err := tls.Listen("tcp", sport, tconf)
|
|
if err != nil {
|
|
fmt.Println("error with tcp-socket:", err)
|
|
os.Exit(3)
|
|
}
|
|
defer sock.Close()
|
|
|
|
/*
|
|
The right way to handle/drop privileges is to start with a
|
|
low-privileged user and use setcap CAP_NET_BIND_SERVICE on the
|
|
binary to allow for the listen-operation.
|
|
|
|
// set uid/gid
|
|
if *gid >= 0 {
|
|
err := setgid(*gid) // syscall.Setgid(*gid)
|
|
if err != nil {
|
|
fmt.Println("Couldn't setgid to", *gid, ":", err)
|
|
os.Exit(4)
|
|
}
|
|
}
|
|
|
|
if *uid >= 0 {
|
|
err := setuid(*uid) // syscall.Setuid(*uid)
|
|
if err != nil {
|
|
fmt.Println("Couldn't setuid to", *uid, ":", err)
|
|
os.Exit(4)
|
|
}
|
|
}
|
|
*/
|
|
|
|
// accept-loop
|
|
for {
|
|
conn, err := sock.Accept()
|
|
if err != nil {
|
|
log.Println("error during Accept()", err)
|
|
continue
|
|
}
|
|
log.Println("Got connection:", conn.RemoteAddr())
|
|
go handleConnection(conn)
|
|
}
|
|
}
|
|
|
|
func handleConnection(conn net.Conn) {
|
|
defer conn.Close()
|
|
|
|
// setup cmd
|
|
cmd := exec.Command(args[0])
|
|
cmd.Args = args
|
|
cmd.Stdin = conn
|
|
cmd.Stdout = conn
|
|
cmd.Stderr = os.Stderr
|
|
cmd.SysProcAttr = &syscall.SysProcAttr{}
|
|
|
|
// prepare environment according to tcp-environ(5)
|
|
lh, lp, err := net.SplitHostPort(conn.LocalAddr().String())
|
|
if err != nil {
|
|
log.Println(err)
|
|
return
|
|
}
|
|
rh, rp, err := net.SplitHostPort(conn.LocalAddr().String())
|
|
if err != nil {
|
|
log.Println(err)
|
|
return
|
|
}
|
|
cmd.Env = make([]string, 0)
|
|
cmd.Env = append(cmd.Env, "PATH="+os.Getenv("PATH"))
|
|
cmd.Env = append(cmd.Env, "PROTO=TCP")
|
|
cmd.Env = append(cmd.Env, "TCPLOCALIP="+lh)
|
|
cmd.Env = append(cmd.Env, "TCPLOCALPORT="+lp)
|
|
cmd.Env = append(cmd.Env, "TCPREMOTEIP="+rh)
|
|
cmd.Env = append(cmd.Env, "TCPREMOTEPORT="+rp)
|
|
|
|
err = cmd.Run()
|
|
if err != nil {
|
|
log.Println("after Run: ", err)
|
|
}
|
|
log.Println("Done with connection", conn.RemoteAddr())
|
|
}
|
|
|
|
// Since go1.4 the setgid syscall is deliberatelly not supported anymore, as it
|
|
// only applies to the calling thread. So we try this here:
|
|
func setgid(gid int) error {
|
|
// RawSyscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno)
|
|
_, _, e := syscall.RawSyscall(syscall.SYS_SETGID, uintptr(gid), 0, 0)
|
|
if e != 0 {
|
|
return fmt.Errorf(e.Error())
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func setuid(uid int) error {
|
|
// RawSyscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno)
|
|
_, _, e := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
|
|
if e != 0 {
|
|
return fmt.Errorf(e.Error())
|
|
}
|
|
return nil
|
|
}
|