Privs can only be dropped after reading key files.

author: Laurent Bercot <ska-skaware@skarnet.org> 2020-11-21 02:22:09 +0000
committer: Laurent Bercot <ska-skaware@skarnet.org> 2020-11-21 02:22:09 +0000
commit: 5c2880becc94141b8035b3488b6bd60696011308 (patch)
tree: 51e177122b50e248075dae441e4a76d68fd33081 /src/stls
parent: 5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (diff)
download: s6-networking-5c2880becc94141b8035b3488b6bd60696011308.tar.xz
5 files changed, 30 insertions, 4 deletions
diff --git a/src/stls/deps-lib/stls b/src/stls/deps-lib/stls
index 61137c5..9416332 100644
--- a/src/stls/deps-lib/stls
+++ b/src/stls/deps-lib/stls
@@ -1,3 +1,4 @@
+stls_drop.o
 stls_run.o
 stls_client_init_and_handshake.o
 stls_server_init_and_handshake.o
diff --git a/src/stls/stls-internal.h b/src/stls/stls-internal.h
index d5c59e7..afe7a80 100644
--- a/src/stls/stls-internal.h
+++ b/src/stls/stls-internal.h
@@ -3,9 +3,6 @@
 #ifndef STLS_INTERNAL_H
 #define STLS_INTERNAL_H
 
-#include <sys/types.h>
-#include <stdint.h>
-
-extern pid_t stls_prep_spawn_drop (char const *const *, char const *const *, int *, uid_t, gid_t, uint32_t) ;
+extern void stls_drop (void) ;
 
 #endif
diff --git a/src/stls/stls_client_init_and_handshake.c b/src/stls/stls_client_init_and_handshake.c
index e207d8c..50898ea 100644
--- a/src/stls/stls_client_init_and_handshake.c
+++ b/src/stls/stls_client_init_and_handshake.c
@@ -52,6 +52,8 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions,
       diecfg(cfg, "tls_config_set_key_file") ;
   }
 
+  stls_drop() ;
+
   if (tls_config_set_ciphers(cfg, "secure") < 0)
     diecfg(cfg, "tls_config_set_ciphers") ;
 
diff --git a/src/stls/stls_drop.c b/src/stls/stls_drop.c
new file mode 100644
index 0000000..d1e6831
--- /dev/null
+++ b/src/stls/stls_drop.c
@@ -0,0 +1,24 @@
+/* ISC license. */
+
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <skalibs/strerr2.h>
+#include <skalibs/types.h>
+
+#include "stls-internal.h"
+
+void stls_drop (void)
+{
+  if (!getuid())
+  {
+    uid_t uid ;
+    gid_t gid ;
+    char const *x = getenv("TLS_UID") ;
+    if (x && !uid0_scan(x, &uid)) strerr_dieinvalid(100, "TLS_UID") ;
+    x = getenv("TLS_GID") ;
+    if (x && !gid0_scan(x, &gid)) strerr_dieinvalid(100, "TLS_GID") ;
+    if (gid && setgid(gid) < 0) strerr_diefu1sys(111, "setgid") ;
+    if (uid && setuid(uid) < 0) strerr_diefu1sys(111, "setuid") ;
+  }
+}
diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c
index 58d812e..5d9c25c 100644
--- a/src/stls/stls_server_init_and_handshake.c
+++ b/src/stls/stls_server_init_and_handshake.c
@@ -33,6 +33,8 @@ struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions)
   if (tls_config_set_key_file(cfg, x) < 0)
     diecfg(cfg, "tls_config_set_key_file") ;
 
+  stls_drop() ;
+
   if (tls_config_set_ciphers(cfg, "secure") < 0)
     diecfg(cfg, "tls_config_set_ciphers") ;
author	Laurent Bercot <ska-skaware@skarnet.org>	2020-11-21 02:22:09 +0000
committer	Laurent Bercot <ska-skaware@skarnet.org>	2020-11-21 02:22:09 +0000
commit	5c2880becc94141b8035b3488b6bd60696011308 (patch)
tree	51e177122b50e248075dae441e4a76d68fd33081 /src/stls
parent	5715c21a077ee1c2fe8957cb4adcea14fd2eda6b (diff)
download	s6-networking-5c2880becc94141b8035b3488b6bd60696011308.tar.xz