func dropPrivileges(UID, GID int, chrootDir string) (chrootErr error, err error) {
if (UID <= 0) != (GID <= 0) {
return nil, errors.New("either both or neither UID and GID must be set to positive (i.e. valid, non-root) values")
}
var gids []int
if UID > 0 {
gids, err = passwd.GetExtraGIDs(GID)
if err != nil {
return nil, err
}
gids = append(gids, GID)
}
chrootErr = tryChroot(chrootDir)
if UID > 0 {
err = tryDropPrivileges(UID, GID, gids)
if err != nil {
return
}
}
return
}
func dropPrivileges(UID, GID int, chrootDir string) (chrootErr error, err error) {
if (UID == -1) != (GID == -1) {
return nil, errors.New("either both or neither UID and GID must be -1")
}
if isRoot() {
if UID <= 0 || GID <= 0 {
return nil, errors.New("must specify UID/GID when running as root")
}
}
var gids []int
if UID != -1 {
gids, err = passwd.GetExtraGIDs(GID)
if err != nil {
return nil, err
}
}
chrootErr = tryChroot(chrootDir)
gids = append(gids, GID)
err = tryDropPrivileges(UID, GID, gids)
if err == errZeroUID {
return
} else if err != nil {
if caps.PlatformSupportsCaps {
// We can't setuid, so maybe we only have a few caps.
// Drop them.
err = caps.Drop()
if err != nil {
err = fmt.Errorf("cannot drop caps: %v", err)
}
}
}
return
}