Privs can only be dropped after reading key files.

author: Laurent Bercot <ska-skaware@skarnet.org> 2020-11-21 02:22:09 +0000
committer: Laurent Bercot <ska-skaware@skarnet.org> 2020-11-21 02:22:09 +0000
commit: 5c2880becc94141b8035b3488b6bd60696011308 (patch)
tree: 51e177122b50e248075dae441e4a76d68fd33081
parent: 5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (diff)
download: s6-networking-5c2880becc94141b8035b3488b6bd60696011308.tar.xz
16 files changed, 49 insertions, 21 deletions
diff --git a/package/deps.mak b/package/deps.mak
index febb16b..ceff750 100644
--- a/package/deps.mak
+++ b/package/deps.mak
@@ -27,7 +27,6 @@ src/conn-tools/s6-tlsd-io.o src/conn-tools/s6-tlsd-io.lo: src/conn-tools/s6-tlsd
 src/conn-tools/s6-tlsd.o src/conn-tools/s6-tlsd.lo: src/conn-tools/s6-tlsd.c src/conn-tools/s6tls-internal.h
 src/conn-tools/s6-tlsserver.o src/conn-tools/s6-tlsserver.lo: src/conn-tools/s6-tlsserver.c src/include/s6-networking/config.h
 src/conn-tools/s6-ucspitlsd.o src/conn-tools/s6-ucspitlsd.lo: src/conn-tools/s6-ucspitlsd.c src/include/s6-networking/config.h src/conn-tools/s6tls-internal.h
-src/conn-tools/s6tls_drop.o src/conn-tools/s6tls_drop.lo: src/conn-tools/s6tls_drop.c src/conn-tools/s6tls-internal.h
 src/conn-tools/s6tls_exec_tlscio.o src/conn-tools/s6tls_exec_tlscio.lo: src/conn-tools/s6tls_exec_tlscio.c src/include/s6-networking/config.h src/conn-tools/s6tls-internal.h
 src/conn-tools/s6tls_exec_tlsdio.o src/conn-tools/s6tls_exec_tlsdio.lo: src/conn-tools/s6tls_exec_tlsdio.c src/include/s6-networking/config.h src/conn-tools/s6tls-internal.h
 src/conn-tools/s6tls_wait_and_exec_app.o src/conn-tools/s6tls_wait_and_exec_app.lo: src/conn-tools/s6tls_wait_and_exec_app.c src/conn-tools/s6tls-internal.h
@@ -44,6 +43,7 @@ src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readbigpem.lo
 src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_readfile.lo: src/sbearssl/sbearssl_cert_readfile.c src/include/s6-networking/sbearssl.h
 src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_cert_to.lo: src/sbearssl/sbearssl_cert_to.c src/include/s6-networking/sbearssl.h
 src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_client_init_and_run.lo: src/sbearssl/sbearssl_client_init_and_run.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h
+src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_drop.lo: src/sbearssl/sbearssl_drop.c src/sbearssl/sbearssl-internal.h
 src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_issuer_keytype.lo: src/sbearssl/sbearssl_ec_issuer_keytype.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h
 src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_from.lo: src/sbearssl/sbearssl_ec_pkey_from.c src/include/s6-networking/sbearssl.h
 src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_pkey_to.lo: src/sbearssl/sbearssl_ec_pkey_to.c src/include/s6-networking/sbearssl.h
@@ -75,6 +75,7 @@ src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x500_from_ta.lo: src/
 src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_name_len.lo: src/sbearssl/sbearssl_x500_name_len.c src/include/s6-networking/sbearssl.h
 src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_x509_minimal_set_tai.lo: src/sbearssl/sbearssl_x509_minimal_set_tai.c src/include/s6-networking/sbearssl.h
 src/stls/stls_client_init_and_handshake.o src/stls/stls_client_init_and_handshake.lo: src/stls/stls_client_init_and_handshake.c src/include/s6-networking/stls.h src/stls/stls-internal.h
+src/stls/stls_drop.o src/stls/stls_drop.lo: src/stls/stls_drop.c src/stls/stls-internal.h
 src/stls/stls_run.o src/stls/stls_run.lo: src/stls/stls_run.c src/include/s6-networking/stls.h
 src/stls/stls_server_init_and_handshake.o src/stls/stls_server_init_and_handshake.lo: src/stls/stls_server_init_and_handshake.c src/include/s6-networking/stls.h src/stls/stls-internal.h
 
@@ -89,12 +90,12 @@ s6-taiclock: src/clock/s6-taiclock.o
 s6-taiclockd: EXTRA_LIBS := -lskarnet ${SOCKET_LIB} ${SYSCLOCK_LIB}
 s6-taiclockd: src/clock/s6-taiclockd.o
 ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)
-libs6tls.a.xyzzy: src/conn-tools/s6tls_drop.o src/conn-tools/s6tls_exec_tlscio.o src/conn-tools/s6tls_exec_tlsdio.o src/conn-tools/s6tls_wait_and_exec_app.o
+libs6tls.a.xyzzy: src/conn-tools/s6tls_exec_tlscio.o src/conn-tools/s6tls_exec_tlsdio.o src/conn-tools/s6tls_wait_and_exec_app.o
 else
-libs6tls.a.xyzzy: src/conn-tools/s6tls_drop.lo src/conn-tools/s6tls_exec_tlscio.lo src/conn-tools/s6tls_exec_tlsdio.lo src/conn-tools/s6tls_wait_and_exec_app.lo
+libs6tls.a.xyzzy: src/conn-tools/s6tls_exec_tlscio.lo src/conn-tools/s6tls_exec_tlsdio.lo src/conn-tools/s6tls_wait_and_exec_app.lo
 endif
 libs6tls.so.xyzzy: EXTRA_LIBS :=
-libs6tls.so.xyzzy: src/conn-tools/s6tls_drop.lo src/conn-tools/s6tls_exec_tlscio.lo src/conn-tools/s6tls_exec_tlsdio.lo src/conn-tools/s6tls_wait_and_exec_app.lo
+libs6tls.so.xyzzy: src/conn-tools/s6tls_exec_tlscio.lo src/conn-tools/s6tls_exec_tlsdio.lo src/conn-tools/s6tls_wait_and_exec_app.lo
 s6-getservbyname: EXTRA_LIBS := -lskarnet ${SOCKET_LIB}
 s6-getservbyname: src/conn-tools/s6-getservbyname.o
 s6-ident-client: EXTRA_LIBS := -lskarnet ${SOCKET_LIB} ${SYSCLOCK_LIB}
@@ -141,16 +142,16 @@ libs6net.so.xyzzy: src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_r
 minidentd: EXTRA_LIBS := -lskarnet ${MAYBEPTHREAD_LIB} ${SOCKET_LIB} ${SYSCLOCK_LIB}
 minidentd: src/minidentd/minidentd.o src/minidentd/mgetuid.o ${LIBNSSS}
 ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)
-libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_server_init_and_run.o
+libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_server_init_and_run.o
 else
-libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_server_init_and_run.lo
+libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_server_init_and_run.lo
 endif
 libsbearssl.so.xyzzy: EXTRA_LIBS := -lbearssl -lskarnet
-libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_server_init_and_run.lo
+libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_server_init_and_run.lo
 ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)
-libstls.a.xyzzy: src/stls/stls_run.o src/stls/stls_client_init_and_handshake.o src/stls/stls_server_init_and_handshake.o
+libstls.a.xyzzy: src/stls/stls_drop.o src/stls/stls_run.o src/stls/stls_client_init_and_handshake.o src/stls/stls_server_init_and_handshake.o
 else
-libstls.a.xyzzy: src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo
+libstls.a.xyzzy: src/stls/stls_drop.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo
 endif
 libstls.so.xyzzy: EXTRA_LIBS := ${CRYPTO_LIB} -lskarnet
-libstls.so.xyzzy: src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo
+libstls.so.xyzzy: src/stls/stls_drop.lo src/stls/stls_run.lo src/stls/stls_client_init_and_handshake.lo src/stls/stls_server_init_and_handshake.lo
diff --git a/src/conn-tools/deps-lib/s6tls b/src/conn-tools/deps-lib/s6tls
index ad78cfd..ce4f507 100644
--- a/src/conn-tools/deps-lib/s6tls
+++ b/src/conn-tools/deps-lib/s6tls
@@ -1,4 +1,3 @@
-s6tls_drop.o
 s6tls_exec_tlscio.o
 s6tls_exec_tlsdio.o
 s6tls_wait_and_exec_app.o
diff --git a/src/conn-tools/s6-tlsc.c b/src/conn-tools/s6-tlsc.c
index 6431ccb..5a15315 100644
--- a/src/conn-tools/s6-tlsc.c
+++ b/src/conn-tools/s6-tlsc.c
@@ -21,7 +21,6 @@ static void child (int const p[3][2], int fdr, int fdw, uint32_t options, unsign
 {
   int fds[3] = { p[0][0], p[1][1], p[2][1] } ;
   PROG = "s6-tlsc (child)" ;
-  s6tls_drop() ;
   close(p[2][0]) ;
   close(p[0][1]) ;
   close(p[1][0]) ;
diff --git a/src/conn-tools/s6-tlsd.c b/src/conn-tools/s6-tlsd.c
index e26ba49..e048a49 100644
--- a/src/conn-tools/s6-tlsd.c
+++ b/src/conn-tools/s6-tlsd.c
@@ -23,7 +23,6 @@ static void child (int const p[3][2], uint32_t options, unsigned int verbosity,
   close(p[2][0]) ;
   close(p[0][1]) ;
   close(p[1][0]) ;
-  s6tls_drop() ;
   s6tls_exec_tlsdio(fds, options, verbosity, kimeout) ;
 }
 
diff --git a/src/conn-tools/s6-ucspitlsd.c b/src/conn-tools/s6-ucspitlsd.c
index ae2ca41..2ce24ba 100644
--- a/src/conn-tools/s6-ucspitlsd.c
+++ b/src/conn-tools/s6-ucspitlsd.c
@@ -29,7 +29,6 @@ static inline void child (int p[3][2], uint32_t options, unsigned int verbosity,
   close(p[2][0]) ;
   close(p[0][1]) ;
   close(p[1][0]) ;
-  s6tls_drop() ;
   r = read(p[2][1], &c, 1) ;
   if (r < 0) strerr_diefu1sys(111, "read from control socket") ;
   if (!r) _exit(0) ;
diff --git a/src/conn-tools/s6tls-internal.h b/src/conn-tools/s6tls-internal.h
index 48df60f..be22e25 100644
--- a/src/conn-tools/s6tls-internal.h
+++ b/src/conn-tools/s6tls-internal.h
@@ -10,7 +10,6 @@
 
 #define s6tls_envvars "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID"
 
-extern void s6tls_drop (void) ;
 extern void s6tls_exec_tlscio (int const *, uint32_t, unsigned int, unsigned int, char const *) gccattr_noreturn ;
 extern void s6tls_exec_tlsdio (int const *, uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
 extern void s6tls_wait_and_exec_app (char const *const *, int const [3][2], pid_t, int, int, uint32_t) gccattr_noreturn ;
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index 55729f6..13df389 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -3,6 +3,7 @@ sbearssl_cert_from.o
 sbearssl_cert_readbigpem.o
 sbearssl_cert_readfile.o
 sbearssl_cert_to.o
+sbearssl_drop.o
 sbearssl_ec_issuer_keytype.o
 sbearssl_ec_pkey_from.o
 sbearssl_ec_pkey_to.o
diff --git a/src/sbearssl/sbearssl-internal.h b/src/sbearssl/sbearssl-internal.h
index 25f6468..2d98680 100644
--- a/src/sbearssl/sbearssl-internal.h
+++ b/src/sbearssl/sbearssl-internal.h
@@ -17,6 +17,7 @@ struct sbearssl_strallocerr_s
   int err ;
 } ;
 
+extern void sbearssl_drop (void) ;
 extern void sbearssl_append (void *, void const *, size_t) ;
 extern int sbearssl_pem_push (br_pem_decoder_context *, char const *, size_t, sbearssl_pemobject *, genalloc *, sbearssl_strallocerr *, int *) ;
 
diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c
index a95e9e1..a6e7aca 100644
--- a/src/sbearssl/sbearssl_client_init_and_run.c
+++ b/src/sbearssl/sbearssl_client_init_and_run.c
@@ -44,6 +44,8 @@ void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
       strerr_dief2x(96, "no trust anchor found in ", x) ;
   }
 
+  sbearssl_drop() ;
+
   {
     sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ;
     unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
diff --git a/src/sbearssl/sbearssl_drop.c b/src/sbearssl/sbearssl_drop.c
new file mode 100644
index 0000000..2d826af
--- /dev/null
+++ b/src/sbearssl/sbearssl_drop.c
@@ -0,0 +1,24 @@
+/* ISC license. */
+
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <skalibs/strerr2.h>
+#include <skalibs/types.h>
+
+#include "sbearssl-internal.h"
+
+void sbearssl_drop (void)
+{
+  if (!getuid())
+  {
+    uid_t uid ;
+    gid_t gid ;
+    char const *x = getenv("TLS_UID") ;
+    if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ;
+    x = getenv("TLS_GID") ;
+    if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ;
+    if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
+    if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
+  }
+}
diff --git a/src/sbearssl/sbearssl_server_init_and_run.c b/src/sbearssl/sbearssl_server_init_and_run.c
index 778fdbd..629fafb 100644
--- a/src/sbearssl/sbearssl_server_init_and_run.c
+++ b/src/sbearssl/sbearssl_server_init_and_run.c
@@ -45,6 +45,8 @@ void sbearssl_server_init_and_run (int *fds, tain_t const *tto, uint32_t preopti
       strerr_diefu2x(96, "find a certificate in ", x) ;
   }
 
+  sbearssl_drop() ;
+
   {
     sbearssl_handshake_cb_context_t cbarg = { .notif = notif } ;
     unsigned char buf[BR_SSL_BUFSIZE_BIDI] ;
diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls
index 61137c5..9416332 100644
--- a/src/stls/deps-lib/stls
+++ b/src/stls/deps-lib/stls
@@ -1,3 +1,4 @@
+stls_drop.o
 stls_run.o
 stls_client_init_and_handshake.o
 stls_server_init_and_handshake.o
diff --git a/src/stls/stls-internal.h b/src/stls/stls-internal.h
index d5c59e7..afe7a80 100644
--- a/src/stls/stls-internal.h
+++ b/src/stls/stls-internal.h
@@ -3,9 +3,6 @@
 #ifndef STLS_INTERNAL_H
 #define STLS_INTERNAL_H
 
-#include <sys/types.h>
-#include <stdint.h>
-
-extern pid_t stls_prep_spawn_drop (char const *const *, char const *const *, int *, uid_t, gid_t, uint32_t) ;
+extern void stls_drop (void) ;
 
 #endif
diff --git a/src/stls/stls_client_init_and_handshake.c b/src/stls/stls_client_init_and_handshake.c
index e207d8c..50898ea 100644
--- a/src/stls/stls_client_init_and_handshake.c
+++ b/src/stls/stls_client_init_and_handshake.c
@@ -52,6 +52,8 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
       diecfg(cfg, "tls_config_set_key_file") ;
   }
 
+  stls_drop() ;
+
   if (tls_config_set_ciphers(cfg, "secure") < 0)
     diecfg(cfg, "tls_config_set_ciphers") ;
 
diff --git a/src/conn-tools/s6tls_drop.c b/src/stls/stls_drop.c
index 6b6f67f..d1e6831 100644
--- a/src/conn-tools/s6tls_drop.c
+++ b/src/stls/stls_drop.c
@@ -6,9 +6,9 @@
 #include <skalibs/strerr2.h>
 #include <skalibs/types.h>
 
-#include "s6tls-internal.h"
+#include "stls-internal.h"
 
-void s6tls_drop (void)
+void stls_drop (void)
 {
   if (!getuid())
   {
diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c
index 58d812e..5d9c25c 100644
--- a/src/stls/stls_server_init_and_handshake.c
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -33,6 +33,8 @@ struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
   if (tls_config_set_key_file(cfg, x) < 0)
     diecfg(cfg, "tls_config_set_key_file") ;
 
+  stls_drop() ;
+
   if (tls_config_set_ciphers(cfg, "secure") < 0)
     diecfg(cfg, "tls_config_set_ciphers") ;
author	Laurent Bercot <ska-skaware@skarnet.org>	2020-11-21 02:22:09 +0000
committer	Laurent Bercot <ska-skaware@skarnet.org>	2020-11-21 02:22:09 +0000
commit	5c2880becc94141b8035b3488b6bd60696011308 (patch)
tree	51e177122b50e248075dae441e4a76d68fd33081
parent	5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (diff)
download	s6-networking-5c2880becc94141b8035b3488b6bd60696011308.tar.xz