diff options
Diffstat (limited to 'src/cmd/server.rs')
-rw-r--r-- | src/cmd/server.rs | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/src/cmd/server.rs b/src/cmd/server.rs index 6e98fe5..a6b8cff 100644 --- a/src/cmd/server.rs +++ b/src/cmd/server.rs @@ -35,6 +35,8 @@ impl crate::config::Config for Config { tls_identity_file, self.server.allowed_login_methods.clone(), self.oauth_configs.clone(), + self.server.uid, + self.server.gid, )? } else { create_server( @@ -43,6 +45,8 @@ impl crate::config::Config for Config { self.server.read_timeout, self.server.allowed_login_methods.clone(), self.oauth_configs.clone(), + self.server.uid, + self.server.gid, )? }; tokio::run(futures::future::lazy(move || { @@ -82,6 +86,8 @@ fn create_server( crate::protocol::AuthType, crate::oauth::Config, >, + uid: Option<users::uid_t>, + gid: Option<users::gid_t>, ) -> Result<( Box<dyn futures::future::Future<Item = (), Error = Error> + Send>, Box<dyn futures::future::Future<Item = (), Error = Error> + Send>, @@ -89,6 +95,7 @@ fn create_server( let (mut sock_w, sock_r) = tokio::sync::mpsc::channel(100); let listener = tokio::net::TcpListener::bind(&address) .context(crate::error::Bind { address })?; + drop_privs(uid, gid)?; let acceptor = listener .incoming() .context(crate::error::Acceptor) @@ -119,6 +126,8 @@ fn create_server_tls( crate::protocol::AuthType, crate::oauth::Config, >, + uid: Option<users::uid_t>, + gid: Option<users::gid_t>, ) -> Result<( Box<dyn futures::future::Future<Item = (), Error = Error> + Send>, Box<dyn futures::future::Future<Item = (), Error = Error> + Send>, @@ -126,6 +135,7 @@ fn create_server_tls( let (mut sock_w, sock_r) = tokio::sync::mpsc::channel(100); let listener = tokio::net::TcpListener::bind(&address) .context(crate::error::Bind { address })?; + drop_privs(uid, gid)?; let mut file = std::fs::File::open(tls_identity_file).context( crate::error::OpenFileSync { @@ -159,3 +169,18 @@ fn create_server_tls( ); Ok((Box::new(acceptor), Box::new(server))) } + +fn drop_privs( + uid: Option<users::uid_t>, + gid: Option<users::gid_t>, +) -> Result<()> { + if let Some(gid) = gid { + users::switch::set_effective_gid(gid) + .context(crate::error::SwitchGid)?; + } + if let Some(uid) = uid { + users::switch::set_effective_uid(uid) + .context(crate::error::SwitchUid)?; + } + Ok(()) +} |