// This file implements privilege separation package main import ( "errors" "net" "os" "os/user" "path" "strconv" "github.com/sarnowski/mitigation" ) func dropPrivAndListen(userName, sockPath string) (net.Listener, error) { if !mitigation.CanActivate() { return nil, errors.New("cannot drop privileges") } usr, _ := user.Lookup(userName) uid, _ := strconv.Atoi(usr.Uid) gid, _ := strconv.Atoi(usr.Gid) socket := path.Join(usr.HomeDir, sockPath) os.Remove(socket) l, err := net.Listen("unix", socket) if err != nil { return nil, err } os.Chown(socket, uid, gid) os.Chmod(socket, 0660) mitigation.Activate(uid, gid, usr.HomeDir) return l, nil }