From 7962c1bf6c8abdf27384b6a06cf03e1feffafd8d Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Thu, 2 Aug 2012 00:29:37 +0900
Subject: [PATCH] shrpx: drop root priviledgs after loading private key
---
 examples/shrpx.cc | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/examples/shrpx.cc b/examples/shrpx.cc
index 90aa205a..3618f407 100644
--- a/examples/shrpx.cc
+++ b/examples/shrpx.cc
@@ -202,6 +202,26 @@ evconnlistener* create_evlistener(ListenHandler *handler, int family)
 }
 } // namespace
+namespace {
+void drop_privileges()
+{
+ if(getuid() == 0 && get_config()->uid != 0) {
+ if(setgid(get_config()->gid) != 0) {
+ LOG(FATAL) << "Could not change gid: " << strerror(errno);
+ exit(EXIT_FAILURE);
+ }
+ if(setuid(get_config()->uid) != 0) {
+ LOG(FATAL) << "Could not change uid: " << strerror(errno);
+ exit(EXIT_FAILURE);
+ }
+ if(setuid(0) != -1) {
+ LOG(FATAL) << "Still have root privileges?";
+ exit(EXIT_FAILURE);
+ }
+ }
+}
+} // namespace
+
 namespace {
 int event_loop()
 {
@@ -209,6 +229,10 @@ int event_loop()
 ListenHandler *listener_handler = new ListenHandler(evbase);
+ // ListenHandler loads private key. After that, we drop the root
+ // privileges if needed.
+ drop_privileges();
+
 evconnlistener *evlistener6, *evlistener4;
 evlistener6 = create_evlistener(listener_handler, AF_INET6);
 evlistener4 = create_evlistener(listener_handler, AF_INET);
@@ -583,20 +607,6 @@ int main(int argc, char **argv)
 if(get_config()->pid_file) {
 save_pid();
 }
- if(getuid() == 0 && get_config()->uid != 0) {
- if(setgid(get_config()->gid) != 0) {
- LOG(FATAL) << "Could not change gid: " << strerror(errno);
- exit(EXIT_FAILURE);
- }
- if(setuid(get_config()->uid) != 0) {
- LOG(FATAL) << "Could not change uid: " << strerror(errno);
- exit(EXIT_FAILURE);
- }
- if(setuid(0) != -1) {
- LOG(FATAL) << "Still have root privileges?";
- exit(EXIT_FAILURE);
- }
- }
 struct sigaction act;
 memset(&act, 0, sizeof(struct sigaction));
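Review bot: drop_privileges() changes the gid and the uid but leaves the supplementary group list inherited from the root process untouched, so the process can keep group-based access (typically group 0) after the drop. Reset the list while still root, before the `setgid` call: `if(setgroups(0, NULL) != 0) { LOG(FATAL) << "Could not drop supplementary groups: " << strerror(errno); exit(EXIT_FAILURE); }` (declared in `<grp.h>`; the file's include block is not visible in this patch). The existing `setuid(0) != -1` check does not catch this, because it only verifies that the uid cannot be regained. The same omission is present in the block this commit removes from main(), so it is carried over rather than newly introduced.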
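Review bot: With the call moved here, everything between the old call site in main() and this line now runs as root, including the `ListenHandler` constructor, and the comment above `drop_privileges();` does not state the invariant that keeps that window safe. I would extend it with something like `// Must run before the event loop accepts any connection; only key loading needs root.` so later edits do not push the drop further down. As placed, both `create_evlistener` calls still execute after the drop, so binding a port below 1024 would presumably fail for the unprivileged uid; if that is meant to work, the sockets have to be bound before this call. event_loop's body starts and ends outside the hunk.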