add drop root capability and -u <user> option

Drop root code by Jon Jenkins: https://stackoverflow.com/a/48991783
2022-05-26 00:00:00 +00:00 · 2022-05-26 00:00:00 +00:00 · 132b6d2e12
parent cc1d35c4ae
commit 132b6d2e12
1 changed files with 58 additions and 14 deletions
--- a/server.go
+++ b/server.go
@ -14,11 +14,19 @@ import (
 	"net"
 	"net/url"
 	"log"
-	"os"
+	"os/user"
+	"strconv"
 	"strings"
+	"syscall"
 	"time"
 )

+import(
+	//#include <unistd.h>
+	//#include <errno.h>
+	"C"
+)
+
 type tlsConnectionInfo struct {
 	TlsVersion         uint16 `json:"tls_version"`
 	CipherSuite        uint16 `json:"cipher_suite"`
@ -257,25 +265,19 @@ func tlsHandler(conn *tls.Conn, rawClientHello []byte) {
 func main() {

 	var certFile, keyFile string
+	var userToSwitchTo string
 	var hostAndPort string

 	// Parse arguments
-	if len(os.Args) != 6 {
+	flag.StringVar(&certFile, "c", "", "path to certificate file")
+	flag.StringVar(&keyFile, "k", "", "path to private key file")
+	flag.StringVar(&userToSwitchTo, "u", "www-data", "user to switch to, if running as root")
+	flag.Parse()
+	hostAndPort = flag.Arg(0)
+	if certFile == "" || keyFile == "" || hostAndPort == "" {
 		fmt.Println("usage: client-hello-mirror -c cert.pem -k key.pem host:port")
 		return
 	}
-	flag.StringVar(&certFile, "c", "", "path to certificate file")
-	flag.StringVar(&keyFile, "k", "", "path to private key file")
-	flag.Parse()
-	hostAndPort = flag.Arg(0)
-
-	// Listen for connections
-	ln, err := net.Listen("tcp", hostAndPort)
-	if err != nil {
-		log.Println(err)
-		return
-	}
-	defer ln.Close()

 	// Load cert
 	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
@ -289,6 +291,48 @@ func main() {
 		//MaxVersion: tls.VersionTLS12,
 	}

+	// Listen for connections
+	ln, err := net.Listen("tcp", hostAndPort)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	defer ln.Close()
+
+	// Drop root
+	if syscall.Getuid() == 0 {
+		if userToSwitchTo == "" {
+			fmt.Println("Running as root. Please specify an unprivileged user to switch to, using the -u flag")
+			return
+		}
+		userInfo, err := user.Lookup(userToSwitchTo)
+		if err != nil {
+			fmt.Println(err)
+			if userToSwitchTo == "www-data" {
+				fmt.Println("Running as root. Please specify an unprivileged user to switch to, using the -u flag")
+			}
+			return
+		}
+		uid, err := strconv.ParseInt(userInfo.Uid, 10, 32)
+		if err != nil {
+			fmt.Println(err)
+			return
+		}
+		gid, err := strconv.ParseInt(userInfo.Gid, 10, 32)
+		if err != nil {
+			fmt.Println(err)
+			return
+		}
+		cerr, errno := C.setgid(C.__gid_t(gid))
+		if cerr != 0 {
+			log.Fatalln("Unable to set GID due to error:", errno)
+		}
+		cerr, errno = C.setuid(C.__uid_t(uid))
+		if cerr != 0 {
+			log.Fatalln("Unable to set UID due to error:", errno)
+		}
+	}
+
 	log.Println("Server started")

 	for {