From 7a89b307a1b297caa1f88558c518ef2a56d1e8b2 Mon Sep 17 00:00:00 2001 From: Solderpunk Date: Sun, 19 Feb 2023 15:04:34 +0100 Subject: [PATCH] Just use the log package's default logger as the error log. --- certificate.go | 12 ++--- config.go | 8 +-- dynamic.go | 32 ++++++------ handler.go | 112 ++++++++++++++++++++--------------------- main.go | 39 +++++++------- security.go | 6 +-- security_dropprivs.go | 8 +-- security_oldgolinux.go | 4 +- security_openbsd.go | 12 ++--- security_other_unix.go | 8 +-- 10 files changed, 115 insertions(+), 126 deletions(-) diff --git a/certificate.go b/certificate.go index 446afc2..0e89fba 100644 --- a/certificate.go +++ b/certificate.go @@ -10,24 +10,24 @@ import ( "time" ) -func enforceCertificateValidity(clientCerts []*x509.Certificate, conn net.Conn, log *LogEntry) { +func enforceCertificateValidity(clientCerts []*x509.Certificate, conn net.Conn, logEntry *LogEntry) { // This will fail if any of multiple certs are invalid // Maybe we should just require one valid? now := time.Now() for _, cert := range clientCerts { if now.Before(cert.NotBefore) { conn.Write([]byte("64 Client certificate not yet valid!\r\n")) - log.Status = 64 + logEntry.Status = 64 return } else if now.After(cert.NotAfter) { conn.Write([]byte("65 Client certificate has expired!\r\n")) - log.Status = 65 + logEntry.Status = 65 return } } } -func handleCertificateZones(URL *url.URL, clientCerts []*x509.Certificate, config Config, conn net.Conn, log *LogEntry) { +func handleCertificateZones(URL *url.URL, clientCerts []*x509.Certificate, config Config, conn net.Conn, logEntry *LogEntry) { authorised := true for zone, allowedFingerprints := range config.CertificateZones { matched, err := regexp.Match(zone, []byte(URL.Path)) @@ -47,10 +47,10 @@ func handleCertificateZones(URL *url.URL, clientCerts []*x509.Certificate, confi if !authorised { if len(clientCerts) > 0 { conn.Write([]byte("61 Provided certificate not authorised for this resource\r\n")) - log.Status = 61 + logEntry.Status = 61 } else { conn.Write([]byte("60 A pre-authorised certificate is required to access this resource\r\n")) - log.Status = 60 + logEntry.Status = 60 } return } diff --git a/config.go b/config.go index 3fd5248..96f8907 100644 --- a/config.go +++ b/config.go @@ -164,7 +164,7 @@ func getConfig(filename string) (Config, error) { return config, nil } -func parseMollyFiles(path string, config *Config, errorLog *log.Logger) { +func parseMollyFiles(path string, config *Config) { // Replace config variables which use pointers with new ones, // so that changes made here aren't reflected everywhere. newTempRedirects := make(map[string]string) @@ -224,7 +224,7 @@ func parseMollyFiles(path string, config *Config, errorLog *log.Logger) { // If the file exists and we can read it, try to parse it _, err = toml.DecodeFile(mollyPath, &mollyFile) if err != nil { - errorLog.Println("Error parsing .molly file " + mollyPath + ": " + err.Error()) + log.Println("Error parsing .molly file " + mollyPath + ": " + err.Error()) continue } // Overwrite main Config using MollyFile @@ -237,14 +237,14 @@ func parseMollyFiles(path string, config *Config, errorLog *log.Logger) { config.DirectoryTitles = mollyFile.DirectoryTitles for key, value := range mollyFile.TempRedirects { if strings.Contains(value, "://") && !strings.HasPrefix(value, "gemini://") { - errorLog.Println("Ignoring cross-protocol redirect to " + value + " in .molly file " + mollyPath) + log.Println("Ignoring cross-protocol redirect to " + value + " in .molly file " + mollyPath) continue } config.TempRedirects[key] = value } for key, value := range mollyFile.PermRedirects { if strings.Contains(value, "://") && !strings.HasPrefix(value, "gemini://") { - errorLog.Println("Ignoring cross-protocol redirect to " + value + " in .molly file " + mollyPath) + log.Println("Ignoring cross-protocol redirect to " + value + " in .molly file " + mollyPath) continue } config.PermRedirects[key] = value diff --git a/dynamic.go b/dynamic.go index 2f56ff0..8180428 100644 --- a/dynamic.go +++ b/dynamic.go @@ -15,7 +15,7 @@ import ( "time" ) -func handleCGI(config Config, path string, cgiPath string, URL *url.URL, log *LogEntry, errorLog *log.Logger, conn net.Conn) { +func handleCGI(config Config, path string, cgiPath string, URL *url.URL, logEntry *LogEntry, conn net.Conn) { // Find the shortest leading part of path which maps to an executable file. // Call this part scriptPath, and everything after it pathInfo. components := strings.Split(path, "/") @@ -58,42 +58,42 @@ func handleCGI(config Config, path string, cgiPath string, URL *url.URL, log *Lo response, err := cmd.Output() if ctx.Err() == context.DeadlineExceeded { - errorLog.Println("Terminating CGI process " + path + " due to exceeding 10 second runtime limit.") + log.Println("Terminating CGI process " + path + " due to exceeding 10 second runtime limit.") conn.Write([]byte("42 CGI process timed out!\r\n")) - log.Status = 42 + logEntry.Status = 42 return } if err != nil { - errorLog.Println("Error running CGI program " + path + ": " + err.Error()) + log.Println("Error running CGI program " + path + ": " + err.Error()) if err, ok := err.(*exec.ExitError); ok { - errorLog.Println("↳ stderr output: " + string(err.Stderr)) + log.Println("↳ stderr output: " + string(err.Stderr)) } conn.Write([]byte("42 CGI error!\r\n")) - log.Status = 42 + logEntry.Status = 42 return } // Extract response header header, _, err := bufio.NewReader(strings.NewReader(string(response))).ReadLine() status, err2 := strconv.Atoi(strings.Fields(string(header))[0]) if err != nil || err2 != nil { - errorLog.Println("Unable to parse first line of output from CGI process " + path + " as valid Gemini response header. Line was: " + string(header)) + log.Println("Unable to parse first line of output from CGI process " + path + " as valid Gemini response header. Line was: " + string(header)) conn.Write([]byte("42 CGI error!\r\n")) - log.Status = 42 + logEntry.Status = 42 return } - log.Status = status + logEntry.Status = status // Write response conn.Write(response) } -func handleSCGI(URL *url.URL, scgiPath string, scgiSocket string, config Config, log *LogEntry, errorLog *log.Logger, conn net.Conn) { +func handleSCGI(URL *url.URL, scgiPath string, scgiSocket string, config Config, logEntry *LogEntry, conn net.Conn) { // Connect to socket socket, err := net.Dial("unix", scgiSocket) if err != nil { - errorLog.Println("Error connecting to SCGI socket " + scgiSocket + ": " + err.Error()) + log.Println("Error connecting to SCGI socket " + scgiSocket + ": " + err.Error()) conn.Write([]byte("42 Error connecting to SCGI service!\r\n")) - log.Status = 42 + logEntry.Status = 42 return } defer socket.Close() @@ -123,9 +123,9 @@ func handleSCGI(URL *url.URL, scgiPath string, scgiSocket string, config Config, break } else if !first { // Err - errorLog.Println("Error reading from SCGI socket " + scgiSocket + ": " + err.Error()) + log.Println("Error reading from SCGI socket " + scgiSocket + ": " + err.Error()) conn.Write([]byte("42 Error reading from SCGI service!\r\n")) - log.Status = 42 + logEntry.Status = 42 return } else { break @@ -138,10 +138,10 @@ func handleSCGI(URL *url.URL, scgiPath string, scgiSocket string, config Config, status, err := strconv.Atoi(strings.Fields(lines[0])[0]) if err != nil { conn.Write([]byte("42 CGI error!\r\n")) - log.Status = 42 + logEntry.Status = 42 return } - log.Status = status + logEntry.Status = status } // Send to client conn.Write(buffer[:n]) diff --git a/handler.go b/handler.go index 5ab0993..e3e6485 100644 --- a/handler.go +++ b/handler.go @@ -35,36 +35,36 @@ func isSubdir(subdir, superdir string) (bool, error) { return false, nil } -func handleGeminiRequest(conn net.Conn, config Config, accessLogEntries chan LogEntry, errorLog *log.Logger, wg *sync.WaitGroup) { +func handleGeminiRequest(conn net.Conn, config Config, accessLogEntries chan LogEntry, wg *sync.WaitGroup) { defer conn.Close() defer wg.Done() var tlsConn (*tls.Conn) = conn.(*tls.Conn) - var log LogEntry - log.Time = time.Now() - log.RemoteAddr = conn.RemoteAddr() - log.RequestURL = "-" - log.Status = 0 + var logEntry LogEntry + logEntry.Time = time.Now() + logEntry.RemoteAddr = conn.RemoteAddr() + logEntry.RequestURL = "-" + logEntry.Status = 0 if accessLogEntries != nil { - defer func() { accessLogEntries <- log }() + defer func() { accessLogEntries <- logEntry }() } // Read request - URL, err := readRequest(conn, &log, errorLog) + URL, err := readRequest(conn, &logEntry) if err != nil { return } // Enforce client certificate validity clientCerts := tlsConn.ConnectionState().PeerCertificates - enforceCertificateValidity(clientCerts, conn, &log) - if log.Status != 0 { + enforceCertificateValidity(clientCerts, conn, &logEntry) + if logEntry.Status != 0 { return } // Reject non-gemini schemes if URL.Scheme != "gemini" { conn.Write([]byte("53 No proxying to non-Gemini content!\r\n")) - log.Status = 53 + logEntry.Status = 53 return } @@ -76,14 +76,14 @@ func handleGeminiRequest(conn net.Conn, config Config, accessLogEntries chan Log } if requestedHost != config.Hostname || (URL.Port() != "" && URL.Port() != strconv.Itoa(config.Port)) { conn.Write([]byte("53 No proxying to other hosts or ports!\r\n")) - log.Status = 53 + logEntry.Status = 53 return } // Fail if there are dots in the path if strings.Contains(URL.Path, "..") { conn.Write([]byte("50 Your directory traversal technique has been defeated!\r\n")) - log.Status = 50 + logEntry.Status = 50 return } @@ -91,23 +91,23 @@ func handleGeminiRequest(conn net.Conn, config Config, accessLogEntries chan Log raw_path := resolvePath(URL.Path, config) path, err := filepath.EvalSymlinks(raw_path) if err!= nil { - errorLog.Println("Error evaluating path " + raw_path + " for symlinks: " + err.Error()) + log.Println("Error evaluating path " + raw_path + " for symlinks: " + err.Error()) conn.Write([]byte("51 Not found!\r\n")) - log.Status = 51 + logEntry.Status = 51 } // If symbolic links have been used to escape the intended document directory, // deny all knowledge isSub, err := isSubdir(path, config.DocBase) if err != nil { - errorLog.Println("Error testing whether path " + path + " is below DocBase: " + err.Error()) + log.Println("Error testing whether path " + path + " is below DocBase: " + err.Error()) } if !isSub { - errorLog.Println("Refusing to follow simlink from " + raw_path + " outside of DocBase!") + log.Println("Refusing to follow simlink from " + raw_path + " outside of DocBase!") } if err != nil || !isSub { conn.Write([]byte("51 Not found!\r\n")) - log.Status = 51 + logEntry.Status = 51 return } @@ -115,31 +115,31 @@ func handleGeminiRequest(conn net.Conn, config Config, accessLogEntries chan Log // Fail ASAP if the URL has mapped to a sensitive file if path == config.CertPath || path == config.KeyPath || path == config.AccessLog || path == config.ErrorLog || filepath.Base(path) == ".molly" { conn.Write([]byte("51 Not found!\r\n")) - log.Status = 51 + logEntry.Status = 51 return } // Read Molly files if config.ReadMollyFiles { - parseMollyFiles(path, &config, errorLog) + parseMollyFiles(path, &config) } // Check whether this URL is in a certificate zone - handleCertificateZones(URL, clientCerts, config, conn, &log) - if log.Status != 0 { + handleCertificateZones(URL, clientCerts, config, conn, &logEntry) + if logEntry.Status != 0 { return } // Check for redirects - handleRedirects(URL, config, conn, &log, errorLog) - if log.Status != 0 { + handleRedirects(URL, config, conn, &logEntry) + if logEntry.Status != 0 { return } // Check whether this URL is mapped to an SCGI app for scgiPath, scgiSocket := range config.SCGIPaths { if strings.HasPrefix(URL.Path, scgiPath) { - handleSCGI(URL, scgiPath, scgiSocket, config, &log, errorLog, conn) + handleSCGI(URL, scgiPath, scgiSocket, config, &logEntry, conn) return } } @@ -147,8 +147,8 @@ func handleGeminiRequest(conn net.Conn, config Config, accessLogEntries chan Log // Check whether this URL is in a configured CGI path for _, cgiPath := range config.CGIPaths { if strings.HasPrefix(path, cgiPath) { - handleCGI(config, path, cgiPath, URL, &log, errorLog, conn) - if log.Status != 0 { + handleCGI(config, path, cgiPath, URL, &logEntry, conn) + if logEntry.Status != 0 { return } } @@ -158,50 +158,50 @@ func handleGeminiRequest(conn net.Conn, config Config, accessLogEntries chan Log info, err := os.Stat(path) if os.IsNotExist(err) || os.IsPermission(err) { conn.Write([]byte("51 Not found!\r\n")) - log.Status = 51 + logEntry.Status = 51 return } else if err != nil { - errorLog.Println("Error getting info for file " + path + ": " + err.Error()) + log.Println("Error getting info for file " + path + ": " + err.Error()) conn.Write([]byte("40 Temporary failure!\r\n")) - log.Status = 40 + logEntry.Status = 40 return } else if uint64(info.Mode().Perm())&0444 != 0444 { conn.Write([]byte("51 Not found!\r\n")) - log.Status = 51 + logEntry.Status = 51 return } // Finally, serve the file or directory if info.IsDir() { - serveDirectory(URL, path, &log, conn, config, errorLog) + serveDirectory(URL, path, &logEntry, conn, config) } else { - serveFile(path, &log, conn, config, errorLog) + serveFile(path, &logEntry, conn, config) } } -func readRequest(conn net.Conn, log *LogEntry, errorLog *log.Logger) (*url.URL, error) { +func readRequest(conn net.Conn, logEntry *LogEntry) (*url.URL, error) { reader := bufio.NewReaderSize(conn, 1024) request, overflow, err := reader.ReadLine() if overflow { conn.Write([]byte("59 Request too long!\r\n")) - log.Status = 59 + logEntry.Status = 59 return nil, errors.New("Request too long") } else if err != nil { - errorLog.Println("Error reading request from " + conn.RemoteAddr().String() + ": " + err.Error()) + log.Println("Error reading request from " + conn.RemoteAddr().String() + ": " + err.Error()) conn.Write([]byte("40 Unknown error reading request!\r\n")) - log.Status = 40 + logEntry.Status = 40 return nil, errors.New("Error reading request") } // Parse request as URL URL, err := url.Parse(string(request)) if err != nil { - errorLog.Println("Error parsing request URL " + string(request) + ": " + err.Error()) + log.Println("Error parsing request URL " + string(request) + ": " + err.Error()) conn.Write([]byte("59 Error parsing URL!\r\n")) - log.Status = 59 + logEntry.Status = 59 return nil, errors.New("Bad URL in request") } - log.RequestURL = URL.String() + logEntry.RequestURL = URL.String() // Set implicit scheme if URL.Scheme == "" { @@ -225,17 +225,17 @@ func resolvePath(path string, config Config) string { return path } -func handleRedirects(URL *url.URL, config Config, conn net.Conn, log *LogEntry, errorLog *log.Logger) { - handleRedirectsInner(URL, config.TempRedirects, 30, conn, log, errorLog) - handleRedirectsInner(URL, config.PermRedirects, 31, conn, log, errorLog) +func handleRedirects(URL *url.URL, config Config, conn net.Conn, logEntry *LogEntry) { + handleRedirectsInner(URL, config.TempRedirects, 30, conn, logEntry) + handleRedirectsInner(URL, config.PermRedirects, 31, conn, logEntry) } -func handleRedirectsInner(URL *url.URL, redirects map[string]string, status int, conn net.Conn, log *LogEntry, errorLog *log.Logger) { +func handleRedirectsInner(URL *url.URL, redirects map[string]string, status int, conn net.Conn, logEntry *LogEntry) { strStatus := strconv.Itoa(status) for src, dst := range redirects { compiled, err := regexp.Compile(src) if err != nil { - errorLog.Println("Error compiling redirect regexp " + src + ": " + err.Error()) + log.Println("Error compiling redirect regexp " + src + ": " + err.Error()) continue } if compiled.MatchString(URL.Path) { @@ -245,42 +245,42 @@ func handleRedirectsInner(URL *url.URL, redirects map[string]string, status int, new_target = URL.String() } conn.Write([]byte(strStatus + " " + new_target + "\r\n")) - log.Status = status + logEntry.Status = status return } } } -func serveDirectory(URL *url.URL, path string, log *LogEntry, conn net.Conn, config Config, errorLog *log.Logger) { +func serveDirectory(URL *url.URL, path string, logEntry *LogEntry, conn net.Conn, config Config) { // Redirect to add trailing slash if missing // (otherwise relative links don't work properly) if !strings.HasSuffix(URL.Path, "/") { URL.Path += "/" conn.Write([]byte(fmt.Sprintf("31 %s\r\n", URL.String()))) - log.Status = 31 + logEntry.Status = 31 return } // Check for index.gmi if path is a directory index_path := filepath.Join(path, "index."+config.GeminiExt) index_info, err := os.Stat(index_path) if err == nil && uint64(index_info.Mode().Perm())&0444 == 0444 { - serveFile(index_path, log, conn, config, errorLog) + serveFile(index_path, logEntry, conn, config) // Serve a generated listing } else { listing, err := generateDirectoryListing(URL, path, config) if err != nil { - errorLog.Println("Error generating listing for directory " + path + ": " + err.Error()) + log.Println("Error generating listing for directory " + path + ": " + err.Error()) conn.Write([]byte("40 Server error!\r\n")) - log.Status = 40 + logEntry.Status = 40 return } conn.Write([]byte("20 text/gemini\r\n")) - log.Status = 20 + logEntry.Status = 20 conn.Write([]byte(listing)) } } -func serveFile(path string, log *LogEntry, conn net.Conn, config Config, errorLog *log.Logger) { +func serveFile(path string, logEntry *LogEntry, conn net.Conn, config Config) { // Get MIME type of files ext := filepath.Ext(path) var mimeType string @@ -311,14 +311,14 @@ func serveFile(path string, log *LogEntry, conn net.Conn, config Config, errorLo f, err := os.Open(path) if err != nil { - errorLog.Println("Error reading file " + path + ": " + err.Error()) + log.Println("Error reading file " + path + ": " + err.Error()) conn.Write([]byte("50 Error!\r\n")) - log.Status = 50 + logEntry.Status = 50 return } defer f.Close() conn.Write([]byte(fmt.Sprintf("20 %s\r\n", mimeType))) io.Copy(conn, f) - log.Status = 20 + logEntry.Status = 20 } diff --git a/main.go b/main.go index 0975924..05ad01d 100644 --- a/main.go +++ b/main.go @@ -51,7 +51,7 @@ func do_main(config Config) int { // chroot() possibly stops seeing /etc/passwd privInfo, err := getUserInfo(config) if err != nil { - errorLog.Println("Exiting due to failure to apply security restrictions.") + log.Println("Exiting due to failure to apply security restrictions.") return 1 } @@ -65,18 +65,16 @@ func do_main(config Config) int { } // Open log files - var errorLogFile *os.File - if config.ErrorLog == "" { - errorLogFile = os.Stderr - } else { - errorLogFile, err = os.OpenFile(config.ErrorLog, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) + if config.ErrorLog != "" { + errorLogFile, err := os.OpenFile(config.ErrorLog, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) if err != nil { - log.Println(err) + log.Println("Error opening error log file: " + err.Error()) return 1 } defer errorLogFile.Close() + log.SetOutput(errorLogFile) } - errorLog := log.New(errorLogFile, "", log.Ldate|log.Ltime) + log.SetFlags(log.Ldate|log.Ltime) var accessLogFile *os.File if config.AccessLog == "-" { @@ -84,8 +82,7 @@ func do_main(config Config) int { } else if config.AccessLog != "" { accessLogFile, err = os.OpenFile(config.AccessLog, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) if err != nil { - errorLog.Println("Error opening access log file: " + err.Error()) - log.Println(err) + log.Println("Error opening access log file: " + err.Error()) return 1 } defer accessLogFile.Close() @@ -95,16 +92,16 @@ func do_main(config Config) int { // Check key file permissions first info, err := os.Stat(config.KeyPath) if err != nil { - errorLog.Println("Error opening TLS key file: " + err.Error()) + log.Println("Error opening TLS key file: " + err.Error()) return 1 } if uint64(info.Mode().Perm())&0444 == 0444 { - errorLog.Println("Refusing to use world-readable TLS key file " + config.KeyPath) + log.Println("Refusing to use world-readable TLS key file " + config.KeyPath) return 1 } cert, err := tls.LoadX509KeyPair(config.CertPath, config.KeyPath) if err != nil { - errorLog.Println("Error loading TLS keypair: " + err.Error()) + log.Println("Error loading TLS keypair: " + err.Error()) return 1 } tlscfg := &tls.Config{ @@ -117,20 +114,20 @@ func do_main(config Config) int { // But if we can't for some reason it's no big deal err = os.Chdir("/") if err != nil { - errorLog.Println("Could not change working directory to /: " + err.Error()) + log.Println("Could not change working directory to /: " + err.Error()) } // Apply security restrictions - err = enableSecurityRestrictions(config, privInfo, errorLog) + err = enableSecurityRestrictions(config, privInfo) if err != nil { - errorLog.Println("Exiting due to failure to apply security restrictions.") + log.Println("Exiting due to failure to apply security restrictions.") return 1 } // Create TLS listener listener, err := tls.Listen("tcp", ":"+strconv.Itoa(config.Port), tlscfg) if err != nil { - errorLog.Println("Error creating TLS listener: " + err.Error()) + log.Println("Error creating TLS listener: " + err.Error()) return 1 } defer listener.Close() @@ -155,7 +152,7 @@ func do_main(config Config) int { signal.Notify(sigterm, syscall.SIGTERM) go func() { <-sigterm - errorLog.Println("Caught SIGTERM. Waiting for handlers to finish...") + log.Println("Caught SIGTERM. Waiting for handlers to finish...") close(shutdown) listener.Close() }() @@ -167,19 +164,19 @@ func do_main(config Config) int { conn, err := listener.Accept() if err == nil { wg.Add(1) - go handleGeminiRequest(conn, config, accessLogEntries, errorLog, &wg) + go handleGeminiRequest(conn, config, accessLogEntries, &wg) } else { select { case <-shutdown: running = false default: - errorLog.Println("Error accepting connection: " + err.Error()) + log.Println("Error accepting connection: " + err.Error()) } } } // Wait for still-running handler Go routines to finish wg.Wait() - errorLog.Println("Exiting.") + log.Println("Exiting.") // Exit successfully return 0 diff --git a/security.go b/security.go index 31bc8ae..7b1a2c0 100644 --- a/security.go +++ b/security.go @@ -2,13 +2,9 @@ package main -import ( - "log" -) - // Restrict access to the files specified in config in an OS-dependent way. // This is intended to be called immediately prior to accepting client // connections and may be used to establish a security "jail" for the molly // brown executable. -func enableSecurityRestrictions(config Config, ui userInfo, errorLog *log.Logger) error { +func enableSecurityRestrictions(config Config, ui userInfo) error { } diff --git a/security_dropprivs.go b/security_dropprivs.go index 050624d..652de0a 100644 --- a/security_dropprivs.go +++ b/security_dropprivs.go @@ -69,7 +69,7 @@ func getUserInfo(config Config) (userInfo, error) { return ui, nil } -func DropPrivs(ui userInfo, errorLog *log.Logger) error { +func DropPrivs(ui userInfo) error { // If we're already unprivileged, all good if !ui.need_drop { @@ -80,7 +80,7 @@ func DropPrivs(ui userInfo, errorLog *log.Logger) error { if ui.root_supp_group { err := syscall.Setgroups([]int{}) if err != nil { - errorLog.Println("Could not unset supplementary groups: " + err.Error()) + log.Println("Could not unset supplementary groups: " + err.Error()) return err } } @@ -89,7 +89,7 @@ func DropPrivs(ui userInfo, errorLog *log.Logger) error { if ui.root_prim_group { err := syscall.Setgid(ui.unpriv_gid) if err != nil { - errorLog.Println("Could not setgid to " + strconv.Itoa(ui.unpriv_gid) + ": " + err.Error()) + log.Println("Could not setgid to " + strconv.Itoa(ui.unpriv_gid) + ": " + err.Error()) return err } } @@ -98,7 +98,7 @@ func DropPrivs(ui userInfo, errorLog *log.Logger) error { if ui.root_user { err := syscall.Setuid(ui.unpriv_uid) if err != nil { - errorLog.Println("Could not setuid to " + strconv.Itoa(ui.unpriv_uid) + ": " + err.Error()) + log.Println("Could not setuid to " + strconv.Itoa(ui.unpriv_uid) + ": " + err.Error()) return err } } diff --git a/security_oldgolinux.go b/security_oldgolinux.go index 3b0b110..25271dd 100644 --- a/security_oldgolinux.go +++ b/security_oldgolinux.go @@ -7,7 +7,7 @@ import ( "os" ) -func enableSecurityRestrictions(config Config, ui userInfo, errorLog *log.Logger) error { +func enableSecurityRestrictions(config Config, ui userInfo) error { // Prior to Go 1.6, setuid did not work reliably on Linux // So, absolutely refuse to run as root @@ -15,7 +15,7 @@ func enableSecurityRestrictions(config Config, ui userInfo, errorLog *log.Logger euid := os.Geteuid() if uid == 0 || euid == 0 { setuid_err := "Refusing to run with root privileges when setuid() will not work!" - errorLog.Println(setuid_err) + log.Println(setuid_err) return error.New(setuid_err) } diff --git a/security_openbsd.go b/security_openbsd.go index 3def41f..e0c440a 100644 --- a/security_openbsd.go +++ b/security_openbsd.go @@ -11,10 +11,10 @@ import ( // operations available to the molly brown executable. Please note that (S)CGI // processes that molly brown spawns or communicates with are unrestricted // and should pledge their own restrictions and unveil their own files. -func enableSecurityRestrictions(config Config, ui userInfo, errorLog *log.Logger) error { +func enableSecurityRestrictions(config Config, ui userInfo) error { // Setuid to an unprivileged user - err := DropPrivs(ui, errorLog) + err := DropPrivs(ui) if err != nil { return err } @@ -23,7 +23,7 @@ func enableSecurityRestrictions(config Config, ui userInfo, errorLog *log.Logger log.Println("Unveiling \"" + config.DocBase + "\" as readable.") err := unix.Unveil(config.DocBase, "r") if err != nil { - errorLog.Println("Could not unveil DocBase: " + err.Error()) + log.Println("Could not unveil DocBase: " + err.Error()) return err } @@ -34,7 +34,7 @@ func enableSecurityRestrictions(config Config, ui userInfo, errorLog *log.Logger log.Println("Unveiling \"" + cgiGlobbedPath + "\" as executable.") err = unix.Unveil(cgiGlobbedPath, "rx") if err != nil { - errorLog.Println("Could not unveil CGIPaths: " + err.Error()) + log.Println("Could not unveil CGIPaths: " + err.Error()) return err } } @@ -53,7 +53,7 @@ func enableSecurityRestrictions(config Config, ui userInfo, errorLog *log.Logger // Any files not whitelisted above won't be accessible to molly brown. err = unix.UnveilBlock() if err != nil { - errorLog.Println("Could not block unveil: " + err.Error()) + log.Println("Could not block unveil: " + err.Error()) return err } @@ -69,7 +69,7 @@ func enableSecurityRestrictions(config Config, ui userInfo, errorLog *log.Logger } err = unix.PledgePromises(promises) if err != nil { - errorLog.Println("Could not pledge: " + err.Error()) + log.Println("Could not pledge: " + err.Error()) return err } } diff --git a/security_other_unix.go b/security_other_unix.go index 413b444..e627d73 100644 --- a/security_other_unix.go +++ b/security_other_unix.go @@ -2,13 +2,9 @@ package main -import ( - "log" -) - -func enableSecurityRestrictions(config Config, ui userInfo, errorLog *log.Logger) error { +func enableSecurityRestrictions(config Config, ui userInfo) error { // Setuid to an unprivileged user - return DropPrivs(ui, errorLog) + return DropPrivs(ui) }