shrpx: drop root priviledgs after loading private key

This commit is contained in:
Tatsuhiro Tsujikawa 2012-08-02 00:29:37 +09:00
parent 75c9840644
commit 7962c1bf6c
1 changed files with 24 additions and 14 deletions

View File

@ -202,6 +202,26 @@ evconnlistener* create_evlistener(ListenHandler *handler, int family)
} }
} // namespace } // namespace
namespace {
void drop_privileges()
{
if(getuid() == 0 && get_config()->uid != 0) {
if(setgid(get_config()->gid) != 0) {
LOG(FATAL) << "Could not change gid: " << strerror(errno);
exit(EXIT_FAILURE);
}
if(setuid(get_config()->uid) != 0) {
LOG(FATAL) << "Could not change uid: " << strerror(errno);
exit(EXIT_FAILURE);
}
if(setuid(0) != -1) {
LOG(FATAL) << "Still have root privileges?";
exit(EXIT_FAILURE);
}
}
}
} // namespace
namespace { namespace {
int event_loop() int event_loop()
{ {
@ -209,6 +229,10 @@ int event_loop()
ListenHandler *listener_handler = new ListenHandler(evbase); ListenHandler *listener_handler = new ListenHandler(evbase);
// ListenHandler loads private key. After that, we drop the root
// privileges if needed.
drop_privileges();
evconnlistener *evlistener6, *evlistener4; evconnlistener *evlistener6, *evlistener4;
evlistener6 = create_evlistener(listener_handler, AF_INET6); evlistener6 = create_evlistener(listener_handler, AF_INET6);
evlistener4 = create_evlistener(listener_handler, AF_INET); evlistener4 = create_evlistener(listener_handler, AF_INET);
@ -583,20 +607,6 @@ int main(int argc, char **argv)
if(get_config()->pid_file) { if(get_config()->pid_file) {
save_pid(); save_pid();
} }
if(getuid() == 0 && get_config()->uid != 0) {
if(setgid(get_config()->gid) != 0) {
LOG(FATAL) << "Could not change gid: " << strerror(errno);
exit(EXIT_FAILURE);
}
if(setuid(get_config()->uid) != 0) {
LOG(FATAL) << "Could not change uid: " << strerror(errno);
exit(EXIT_FAILURE);
}
if(setuid(0) != -1) {
LOG(FATAL) << "Still have root privileges?";
exit(EXIT_FAILURE);
}
}
struct sigaction act; struct sigaction act;
memset(&act, 0, sizeof(struct sigaction)); memset(&act, 0, sizeof(struct sigaction));