summaryrefslogtreecommitdiff
path: root/privsep.go
diff options
context:
space:
mode:
authorDimitri Sokolyuk <demon@dim13.org>2015-03-25 20:00:38 +0100
committerDimitri Sokolyuk <demon@dim13.org>2015-03-25 20:00:38 +0100
commitec277ab95f2147017a55816f533cdb2ee3f811ed (patch)
tree9998043c13d873b480bf5410146fad8aa0235d33 /privsep.go
Initial import
Diffstat (limited to 'privsep.go')
-rw-r--r--privsep.go37
1 files changed, 37 insertions, 0 deletions
diff --git a/privsep.go b/privsep.go
new file mode 100644
index 0000000..2bbe91a
--- /dev/null
+++ b/privsep.go
@@ -0,0 +1,37 @@
+// This file implements privilege separation
+
+package main
+
+import (
+ "errors"
+ "os/user"
+ "strconv"
+ "net"
+ "os"
+ "path"
+
+ "github.com/sarnowski/mitigation"
+)
+
+
+func dropPrivAndListen(userName, sockPath string) (net.Listener, error) {
+ if !mitigation.CanActivate() {
+ return nil, errors.New("cannot drop privileges")
+ }
+ usr, _ := user.Lookup(userName)
+ uid, _ := strconv.Atoi(usr.Uid)
+ gid, _ := strconv.Atoi(usr.Gid)
+
+ socket := path.Join(usr.HomeDir, sockPath)
+ os.Remove(socket)
+
+ l, err := net.Listen("unix", socket)
+ if err != nil {
+ return nil, err
+ }
+ os.Chown(socket, uid, gid)
+ os.Chmod(socket, 0660)
+
+ mitigation.Activate(uid, gid, usr.HomeDir)
+ return l, nil
+}