示例#1
0
func DropPrivileges(username string) error {
	userInfo, err := user.Lookup(username)
	if err != nil {
		return err
	}

	uid, err := strconv.Atoi(userInfo.Uid)
	if err != nil {
		return err
	}

	gid, err := strconv.Atoi(userInfo.Gid)
	if err != nil {
		return err
	}

	// TODO: should set secondary groups too
	err = unix.Setgroups([]int{gid})
	if err != nil {
		return err
	}

	err = unix.Setregid(gid, gid)
	if err != nil {
		return err
	}

	err = unix.Setreuid(uid, uid)
	if err != nil {
		return err
	}

	return nil
}
示例#2
0
func main() {
	flag.Parse()

	Info.Pid = os.Getpid()
	Info.Uid = -1
	Info.Gid = -1
	Info.Version = jetpack.Version()

	if host, err := jetpack.NewHost(); err != nil {
		log.Fatalln("Error initializing host:", err)
	} else {
		Host = host
	}

	if hostip, _, err := Host.HostIP(); err != nil {
		panic(err)
	} else {
		Info.IP = hostip.String()
	}
	Info.Port = jetpack.Config().MustGetInt("mds.port")

	if s, err := hex.DecodeString(jetpack.Config().MustGet("mds.signing-key")); err != nil {
		panic(err)
	} else {
		SigningKey = s
	}

	switch lfPath, _ := jetpack.Config().Get("mds.logfile"); lfPath {
	case "-", "":
		log.SetOutput(os.Stderr)
	case "none", "/dev/null":
		log.SetOutput(ioutil.Discard)
	default:
		if lf, err := os.OpenFile(lfPath, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0640); err != nil {
			log.Fatalf("Cannot open log file %#v: %v", lfPath, err)
		} else {
			log.SetOutput(lf)
			defer lf.Close()
		}
	}

	if pfPath, ok := jetpack.Config().Get("mds.pidfile"); ok {
		if err := ioutil.WriteFile(pfPath, []byte(fmt.Sprintln(os.Getpid())), 0644); err != nil {
			log.Fatalf("Cannot write pidfile %#v: %v", pfPath, err)
		}
	}

	addr := fmt.Sprintf("%v:%d", Info.IP, Info.Port)
	listener, err := net.Listen("tcp", addr)
	if err != nil {
		log.Fatalf("Cannot listen on %v: %v", addr, err)
	}

	if !jetpack.Config().GetBool("mds.keep-uid", false) {
		uid, gid := jetpack.MDSUidGid()
		if err := unix.Setgroups(nil); err != nil {
			log.Fatal("Cannot clear groups:", err)
		}
		if err := unix.Setresgid(gid, gid, gid); err != nil {
			log.Fatal("Cannot drop gid:", err)
		}
		if err := unix.Setresuid(uid, uid, uid); err != nil {
			log.Fatal("Cannot drop uid:", err)
		}
	}

	Info.Uid = os.Getuid()
	Info.Gid = os.Getgid()

	log.Println("Listening on:", addr)
	log.Fatal(http.Serve(listener, http.HandlerFunc(ServeMetadata)))
}
示例#3
0
func main() {
	flag.IntVar(&JID, "jid", -1, "Jail ID")
	flag.IntVar(&Uid, "uid", 0, "User to run as")
	flag.IntVar(&Gid, "gid", 0, "Group to run as")
	flag.StringVar(&AppName, "app", "", "Application name")
	flag.StringVar(&WorkingDirectory, "cwd", "/", "Working directory")
	flag.StringVar(&MetadataURL, "mds", "", "Metadata server URL")
	flag.Var(&Env, "setenv", "Environment variables")

	flag.Parse()
	Exec = flag.Args()

	// TODO: sanity check?

	if err := JailAttach(JID); err != nil {
		panic(err)
	}

	if err := unix.Chroot(filepath.Join("/app", AppName, "rootfs")); err != nil {
		panic(err)
	}

	if err := os.Chdir(WorkingDirectory); err != nil {
		panic(err)
	}

	if _, ok := Env["PATH"]; !ok {
		Env["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
	}

	if _, ok := Env["TERM"]; !ok {
		term := os.Getenv("TERM")
		if term == "" {
			term = "vt100"
		}
		Env["TERM"] = term
	}

	Env["AC_APP_NAME"] = AppName
	Env["AC_METADATA_URL"] = MetadataURL

	envv := make([]string, 0, len(Env))
	for k, v := range Env {
		envv = append(envv, k+"="+v)
	}

	if err := unix.Setgroups([]int{}); err != nil {
		panic(err)
	}

	if err := unix.Setregid(Gid, Gid); err != nil {
		panic(err)
	}

	if err := unix.Setreuid(Uid, Uid); err != nil {
		panic(err)
	}

	// FIXME: setusercontext()?
	// See https://github.com/freebsd/freebsd/blob/master/usr.sbin/jexec/jexec.c#L123-L126

	os.Clearenv()

	if err := syscall.Exec(Exec[0], Exec, envv); err != nil {
		panic(err)
	}
}