diff options
author | Laurent Bercot <ska-skaware@skarnet.org> | 2020-11-21 02:22:09 +0000 |
---|---|---|
committer | Laurent Bercot <ska-skaware@skarnet.org> | 2020-11-21 02:22:09 +0000 |
commit | 5c2880becc94141b8035b3488b6bd60696011308 (patch) | |
tree | 51e177122b50e248075dae441e4a76d68fd33081 /src/conn-tools | |
parent | 5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (diff) | |
download | s6-networking-5c2880becc94141b8035b3488b6bd60696011308.tar.xz |
Privs can only be dropped after reading key files.
Diffstat (limited to 'src/conn-tools')
-rw-r--r-- | src/conn-tools/deps-lib/s6tls | 1 | ||||
-rw-r--r-- | src/conn-tools/s6-tlsc.c | 1 | ||||
-rw-r--r-- | src/conn-tools/s6-tlsd.c | 1 | ||||
-rw-r--r-- | src/conn-tools/s6-ucspitlsd.c | 1 | ||||
-rw-r--r-- | src/conn-tools/s6tls-internal.h | 1 | ||||
-rw-r--r-- | src/conn-tools/s6tls_drop.c | 24 |
6 files changed, 0 insertions, 29 deletions
diff --git a/src/conn-tools/deps-lib/s6tls b/src/conn-tools/deps-lib/s6tls index ad78cfd..ce4f507 100644 --- a/src/conn-tools/deps-lib/s6tls +++ b/src/conn-tools/deps-lib/s6tls @@ -1,4 +1,3 @@ -s6tls_drop.o s6tls_exec_tlscio.o s6tls_exec_tlsdio.o s6tls_wait_and_exec_app.o diff --git a/src/conn-tools/s6-tlsc.c b/src/conn-tools/s6-tlsc.c index 6431ccb..5a15315 100644 --- a/src/conn-tools/s6-tlsc.c +++ b/src/conn-tools/s6-tlsc.c @@ -21,7 +21,6 @@ static void child (int const p[3][2], int fdr, int fdw, uint32_t options, unsign { int fds[3] = { p[0][0], p[1][1], p[2][1] } ; PROG = "s6-tlsc (child)" ; - s6tls_drop() ; close(p[2][0]) ; close(p[0][1]) ; close(p[1][0]) ; diff --git a/src/conn-tools/s6-tlsd.c b/src/conn-tools/s6-tlsd.c index e26ba49..e048a49 100644 --- a/src/conn-tools/s6-tlsd.c +++ b/src/conn-tools/s6-tlsd.c @@ -23,7 +23,6 @@ static void child (int const p[3][2], uint32_t options, unsigned int verbosity, close(p[2][0]) ; close(p[0][1]) ; close(p[1][0]) ; - s6tls_drop() ; s6tls_exec_tlsdio(fds, options, verbosity, kimeout) ; } diff --git a/src/conn-tools/s6-ucspitlsd.c b/src/conn-tools/s6-ucspitlsd.c index ae2ca41..2ce24ba 100644 --- a/src/conn-tools/s6-ucspitlsd.c +++ b/src/conn-tools/s6-ucspitlsd.c @@ -29,7 +29,6 @@ static inline void child (int p[3][2], uint32_t options, unsigned int verbosity, close(p[2][0]) ; close(p[0][1]) ; close(p[1][0]) ; - s6tls_drop() ; r = read(p[2][1], &c, 1) ; if (r < 0) strerr_diefu1sys(111, "read from control socket") ; if (!r) _exit(0) ; diff --git a/src/conn-tools/s6tls-internal.h b/src/conn-tools/s6tls-internal.h index 48df60f..be22e25 100644 --- a/src/conn-tools/s6tls-internal.h +++ b/src/conn-tools/s6tls-internal.h @@ -10,7 +10,6 @@ #define s6tls_envvars "CADIR\0CAFILE\0KEYFILE\0CERTFILE\0TLS_UID\0TLS_GID" -extern void s6tls_drop (void) ; extern void s6tls_exec_tlscio (int const *, uint32_t, unsigned int, unsigned int, char const *) gccattr_noreturn ; extern void s6tls_exec_tlsdio (int const *, uint32_t, unsigned int, unsigned int) gccattr_noreturn ; extern void s6tls_wait_and_exec_app (char const *const *, int const [3][2], pid_t, int, int, uint32_t) gccattr_noreturn ; diff --git a/src/conn-tools/s6tls_drop.c b/src/conn-tools/s6tls_drop.c deleted file mode 100644 index 6b6f67f..0000000 --- a/src/conn-tools/s6tls_drop.c +++ /dev/null @@ -1,24 +0,0 @@ -/* ISC license. */ - -#include <unistd.h> -#include <stdlib.h> - -#include <skalibs/strerr2.h> -#include <skalibs/types.h> - -#include "s6tls-internal.h" - -void s6tls_drop (void) -{ - if (!getuid()) - { - uid_t uid ; - gid_t gid ; - char const *x = getenv("TLS_UID") ; - if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ; - x = getenv("TLS_GID") ; - if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ; - if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ; - if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ; - } -} |