author | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-02-16 17:54:18 +0300 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-02-16 17:54:18 +0300 |
commit | a9b41da7fc5a07eae0a72dc7e59f323a73e74a54 (patch) | |
tree | a7bc61ef086855d1e70b65ceef959eaa65494155 | |
parent | 7f12dcc6036f3935688e3fc4be61e8b1596cbc1d (diff) |
Execute unprivileged daemon in chroot
-rw-r--r-- | Makefile | 3 | ||||
-rw-r--r-- | app.go | 1 | ||||
-rw-r--r-- | daemon.go | 31 | ||||
-rw-r--r-- | domains.go | 2 | ||||
-rw-r--r-- | main.go | 7 |
5 files changed, 15 insertions, 29 deletions
@@ -11,6 +11,7 @@ GO_LDFLAGS ?= -X main.VERSION=$(VERSION) -X main.REVISION=$(REVISION) GO_FILES ?= $(shell find . -name '*.go') export GO15VENDOREXPERIMENT := 1 +export CGO_ENABLED := 0 all: gitlab-pages @@ -35,7 +36,7 @@ lint: complexity: go get github.com/fzipp/gocyclo - gocyclo -over 8 $(wildcard *.go) + gocyclo -over 9 $(wildcard *.go) test: go get golang.org/x/tools/cmd/cover @@ -26,7 +26,6 @@ func (a *theApp) domain(host string) *domain { return domain } - func (a *theApp) ServeTLS(ch *tls.ClientHelloInfo) (*tls.Certificate, error) { if ch.ServerName == "" { return nil, nil @@ -4,17 +4,15 @@ import ( "crypto/rand" "encoding/json" "fmt" + "io" "log" "os" "os/exec" "os/signal" - "os/user" "path/filepath" - "strconv" "syscall" "github.com/kardianos/osext" - "io" ) const daemonRunProgram = "gitlab-pages-unprivileged" @@ -35,27 +33,12 @@ func daemonMain() { os.Exit(0) } -func daemonReexec(cmdUser string, args ...string) (cmd *exec.Cmd, err error) { +func daemonReexec(uid, gid uint, args ...string) (cmd *exec.Cmd, err error) { path, err := osext.Executable() if err != nil { return } - u, err := user.Lookup(cmdUser) - if err != nil { - return - } - - uid, err := strconv.Atoi(u.Uid) - if err != nil { - return - } - - gid, err := strconv.Atoi(u.Gid) - if err != nil { - return - } - cmd = &exec.Cmd{ Path: path, Args: args, 
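Review bot: daemonReexec now takes raw numeric ids, but nothing in it rejects a uid or gid of 0, and the caller's guard in the main.go hunk `@@ -66,8 +67,8 @@` (`if *daemonUID != 0 || *daemonGID != 0`) passes a zero for whichever flag was omitted, so `-daemon-gid` alone would re-exec the "unprivileged" daemon with uid 0. A backstop at the top of daemonReexec closes this regardless of caller: `if uid == 0 || gid == 0 { return nil, fmt.Errorf("refusing to run unprivileged daemon with a root id (uid:%d, gid:%d)", uid, gid) }` (fmt is already imported). The main.go check should correspondingly require both ids, `if *daemonUID != 0 && *daemonGID != 0`, and report an error when only one is given. The rest of daemonReexec, including how uid and gid reach the process credentials, lies outside this hunk.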
@@ -176,22 +159,22 @@ func daemonChroot(cmd *exec.Cmd) (path string, err error) { // Update command to use chroot cmd.SysProcAttr.Chroot = wd - cmd.Path = "/" + temporaryExecutable.Name() + cmd.Path = temporaryExecutable.Name() cmd.Dir = "/" path = filepath.Join(wd, temporaryExecutable.Name()) return } -func daemonize(config appConfig, cmdUser string) { +func daemonize(config appConfig, uid, gid uint) { var err error defer func() { if err != nil { log.Fatalln(err) } }() - log.Printf("Running the daemon as unprivileged user: %v...", cmdUser) + log.Printf("Running the daemon as unprivileged user (uid:%d, gid: %d)...", uid, gid) - cmd, err := daemonReexec(cmdUser, daemonRunProgram) + cmd, err := daemonReexec(uid, gid, daemonRunProgram) if err != nil { return } @@ -200,6 +183,7 @@ func daemonize(config appConfig, cmdUser string) { // Run daemon in chroot environment temporaryExecutable, err := daemonChroot(cmd) if err != nil { + println("Chroot failed", err) return } defer os.Remove(temporaryExecutable) @@ -219,6 +203,7 @@ func daemonize(config appConfig, cmdUser string) { // Start the process if err = cmd.Start(); err != nil { + println("Start failed", err) return } @@ -139,7 +139,7 @@ func watchDomains(rootDomain string, updater domainsUpdater, interval time.Durat domains := make(domains) domains.ReadGroups(rootDomain) duration := time.Since(started) - log.Println("Updated", len(domains), "domains in", duration) + log.Println("Updated", len(domains), "domains in", duration, "Hash:", update) if updater != nil { updater(domains) 
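Review bot: `println("Chroot failed", err)` and `println("Start failed", err)` use the builtin println, which writes an error interface as its raw type/data words rather than its message, and the deferred `log.Fatalln(err)` at the top of daemonize already reports the same error, so both lines only add an unreadable duplicate on stderr. Either drop them or route them through the logger with context, e.g. `log.Println("Chroot failed:", err)` and `log.Println("Start failed:", err)`, leaving the fatal exit to the defer. The change of `cmd.Path` to a bare `temporaryExecutable.Name()` in daemonChroot relies on that name being relative to the chroot root; the following `filepath.Join(wd, temporaryExecutable.Name())` suggests it is, but the file's creation is outside the hunk, so a comment on that line such as `// bare name: resolved inside the chroot from cmd.Dir = "/"` would make the dependency explicit. Both daemonChroot's start and daemonize's tail are outside this hunk.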
@@ -24,7 +24,8 @@ func appMain() { var useHTTP2 = flag.Bool("use-http2", true, "Enable HTTP2 support") var pagesRoot = flag.String("pages-root", "shared/pages", "The directory where pages are stored") var pagesDomain = flag.String("pages-domain", "gitlab-example.com", "The domain to serve static pages") - var pagesUser = flag.String("pages-user", "", "Drop privileges to this user") + var daemonUID = flag.Uint("daemon-uid", 0, "Drop privileges to this user") + var daemonGID = flag.Uint("daemon-gid", 0, "Drop privileges to this group") log.Printf("GitLab Pages Daemon %s (%s)", VERSION, REVISION) log.Printf("URL: https://gitlab.com/gitlab-org/gitlab-pages\n") @@ -66,8 +67,8 @@ func appMain() { defer l.Close() } - if *pagesUser != "" { - daemonize(config, *pagesUser) + if *daemonUID != 0 || *daemonGID != 0 { + daemonize(config, *daemonUID, *daemonGID) return } |
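Review bot: The usage strings of the new flags still read `"Drop privileges to this user"` and `"Drop privileges to this group"`, although each now takes a numeric id rather than the name the removed `pages-user` flag accepted, and the default 0 means "not set". The help text should say so, e.g. `"Numeric uid to drop privileges to (0 = disabled)"` and `"Numeric gid to drop privileges to (0 = disabled)"`, so operators do not pass a user name that flag.Uint will reject with a generic parse error. The remainder of appMain is outside this hunk.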