Example #1
0
func dropPrivileges(UID, GID int, chrootDir string) (chrootErr error, err error) {
	if (UID <= 0) != (GID <= 0) {
		return nil, errors.New("either both or neither UID and GID must be set to positive (i.e. valid, non-root) values")
	}

	var gids []int
	if UID > 0 {
		gids, err = passwd.GetExtraGIDs(GID)
		if err != nil {
			return nil, err
		}

		gids = append(gids, GID)
	}

	chrootErr = tryChroot(chrootDir)

	if UID > 0 {
		err = tryDropPrivileges(UID, GID, gids)
		if err != nil {
			return
		}
	}

	return
}
Example #2
0
func dropPrivileges(UID, GID int, chrootDir string) (chrootErr error, err error) {
	if (UID == -1) != (GID == -1) {
		return nil, errors.New("either both or neither UID and GID must be -1")
	}

	if isRoot() {
		if UID <= 0 || GID <= 0 {
			return nil, errors.New("must specify UID/GID when running as root")
		}
	}

	var gids []int
	if UID != -1 {
		gids, err = passwd.GetExtraGIDs(GID)
		if err != nil {
			return nil, err
		}
	}

	chrootErr = tryChroot(chrootDir)

	gids = append(gids, GID)

	err = tryDropPrivileges(UID, GID, gids)
	if err == errZeroUID {
		return
	} else if err != nil {
		if caps.PlatformSupportsCaps {
			// We can't setuid, so maybe we only have a few caps.
			// Drop them.
			err = caps.Drop()
			if err != nil {
				err = fmt.Errorf("cannot drop caps: %v", err)
			}
		}
	}

	return
}