On Saturday, August 31, 2019 at 10:07:59 AM UTC+2, Chris Burkert wrote:
>
> is there some code available to dig into that? I plan to do something 
> similar that a regular user process starts up a kind of a root broker which 
> starts several other processes as different users.
>
You would by necessity have to launch a root process, which then degrades 
to whichever user it should actually run as. It's a one-way operation, no 
backsies :)

Digging through my vast mess of code, I found this function which sets the 
real and effective user (Setreuid) of the calling process:
import (
        "errors"
        "os/user"
        "strconv"
        "syscall"
)

// ErrorNotRoot is the error string the snippet below left undefined.
const ErrorNotRoot = "DegradeToUser: calling process is not root"

// DegradeToUser permanently drops the calling process from root to uname.
// Group changes come first: once the uid is no longer 0 they are no longer
// permitted. Note that before Go 1.16, syscall.Setgid/Setreuid on Linux
// returned EOPNOTSUPP because they only affected one thread; from Go 1.16
// on they apply to all threads of the process.
func DegradeToUser(uname string) error {
        if syscall.Geteuid() != 0 {
                return errors.New(ErrorNotRoot)
        }

        u, err := user.Lookup(uname)
        if err != nil {
                return err
        }

        uid, err := strconv.Atoi(u.Uid)
        if err != nil {
                return err
        }

        gid, err := strconv.Atoi(u.Gid)
        if err != nil {
                return err
        }

        // Drop root's supplementary groups, keeping only the primary group.
        if err := syscall.Setgroups([]int{gid}); err != nil {
                return err
        }

        if err := syscall.Setgid(gid); err != nil {
                return err
        }

        // Set both the real and the effective uid. Passing -1 as the real
        // uid (as the original did) leaves the real and saved uid at 0, so
        // the process could regain root with seteuid(0); setting both makes
        // the drop one-way.
        if err := syscall.Setreuid(uid, uid); err != nil {
                return err
        }

        return nil
}

An error string is the only thing missing (ErrorNotRoot), otherwise it 
should be complete.

> Especially for the communication part I don't have a good and secure idea 
> so far.
>
My hammer is gRPC if I need something with a little security. It's a bit 
convoluted initially, but it allows authenticating via certificates. If you're 
running everything on one system there might be better ways.

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/46eebc67-ed8f-4f48-b27c-a9af81d22ac8%40googlegroups.com.
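The "root broker that starts several other processes as different users" from the question does not need the broker itself to degrade. The following is an added example (not code from the thread or from either poster) showing the usual Go way to do it: the broker stays root and uses os/exec with SysProcAttr.Credential, so each child is started directly as its target user and the child has nothing to regain. The user name, argv, environment variables and the working directory are illustrative assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"strconv"
	"syscall"
)

// credentialFor turns an os/user record plus a list of supplementary group
// IDs (as strings, the form user.User.GroupIds returns) into the Credential
// that os/exec applies in the child with setgroups/setgid/setuid before the
// exec. The parent keeps its own identity.
func credentialFor(u *user.User, groupIDs []string) (*syscall.Credential, error) {
	uid, err := strconv.ParseUint(u.Uid, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("bad uid %q for %s: %w", u.Uid, u.Username, err)
	}
	gid, err := strconv.ParseUint(u.Gid, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("bad gid %q for %s: %w", u.Gid, u.Username, err)
	}
	cred := &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)}
	for _, g := range groupIDs {
		n, err := strconv.ParseUint(g, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("bad group id %q for %s: %w", g, u.Username, err)
		}
		cred.Groups = append(cred.Groups, uint32(n))
	}
	// Groups is always set (at least to the primary gid), so the child never
	// inherits root's supplementary groups.
	if len(cred.Groups) == 0 {
		cred.Groups = []uint32{uint32(gid)}
	}
	return cred, nil
}

// childEnv builds a minimal environment for the child instead of passing the
// broker's own (root) environment through. The PATH value is an assumption.
func childEnv(u *user.User) []string {
	return []string{
		"PATH=/usr/local/bin:/usr/bin:/bin",
		"HOME=" + u.HomeDir,
		"USER=" + u.Username,
		"LOGNAME=" + u.Username,
	}
}

// runAs starts argv as the named user. Only a process with CAP_SETUID and
// CAP_SETGID (in practice root) can do this; the broker itself stays root so
// it can start the next worker as yet another user.
func runAs(uname string, argv []string) error {
	if os.Geteuid() != 0 {
		return errors.New("runAs: broker must run as root")
	}
	if len(argv) == 0 {
		return errors.New("runAs: empty argv")
	}
	u, err := user.Lookup(uname)
	if err != nil {
		return err
	}
	gids, err := u.GroupIds()
	if err != nil {
		return err
	}
	cred, err := credentialFor(u, gids)
	if err != nil {
		return err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.SysProcAttr = &syscall.SysProcAttr{Credential: cred}
	cmd.Env = childEnv(u)
	cmd.Dir = u.HomeDir
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	// Hypothetical usage: sudo ./broker nobody id
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: broker <user> <cmd> [args...]")
		os.Exit(2)
	}
	if err := runAs(os.Args[1], os.Args[2:]); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Because the identity switch happens in the forked child between fork and exec, a compromised worker cannot climb back to root, and the broker never has to reason about saved uids at all; the remaining exposure is whatever the broker lets the children ask it to do over its IPC channel.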