On Saturday, August 31, 2019 at 10:07:59 AM UTC+2, Chris Burkert wrote:
>
> is there some code available to dig into that? I plan to do something
> similar that a regular user process starts up a kind of a root broker which
> starts several other processes as different users.
>

You would by necessity have to launch a root process, which then degrades to whichever user it should actually run as. It's a one-way operation, no backsies :)

Digging through my vast mess of code, I found this function which sets the real and effective user (Setreuid) of the calling process:

	import (
		"errors"
		"os/user"
		"strconv"
		"syscall"
	)

	// DegradeToUser permanently drops a root process to the account uname.
	// ErrorNotRoot is an error string constant that is not part of this post.
	// On Linux this requires Go 1.16 or newer, where the syscall package
	// applies these calls to all threads of the process.
	func DegradeToUser(uname string) error {
		if syscall.Geteuid() != 0 {
			return errors.New(ErrorNotRoot)
		}
		u, err := user.Lookup(uname)
		if err != nil {
			return err
		}
		uid, err := strconv.Atoi(u.Uid)
		if err != nil {
			return err
		}
		gid, err := strconv.Atoi(u.Gid)
		if err != nil {
			return err
		}
		// Groups first: once the uid is no longer 0 these calls would fail.
		// Replace root's supplementary groups with the target's primary group.
		if err = syscall.Setgroups([]int{gid}); err != nil {
			return err
		}
		if err = syscall.Setgid(gid); err != nil {
			return err
		}
		// Set the real and the effective uid. Passing -1 as the real uid
		// would leave it at 0, and the process could switch back to root.
		return syscall.Setreuid(uid, uid)
	}

An error string is the only thing missing (ErrorNotRoot), otherwise it should be complete.

> Especially for the communication part I don’t have a good and secure idea
> so far.
>

My hammer is gRPC if I need something with a little security. It's a bit convoluted initially, but allows authenticating via certificates. If you're running everything on one system there might be better ways,
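
For the broker case asked about in the quoted question (one root process starting several children as different users), the following is an added example, not code from the original post: instead of degrading the broker itself, it sets the child's identity through `syscall.SysProcAttr.Credential`, so the switch happens in the child before it executes. The names `credentialFor` and `commandAs` and the account values in `main` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"log"
	"os/exec"
	"os/user"
	"strconv"
	"syscall"
)

// credentialFor converts an account into the identity a child will run with.
// It refuses uid 0 and gid 0 so a broker bug cannot start a root child.
func credentialFor(u *user.User) (*syscall.Credential, error) {
	uid, uerr := strconv.ParseUint(u.Uid, 10, 32)
	gid, gerr := strconv.ParseUint(u.Gid, 10, 32)
	if uerr != nil || gerr != nil {
		return nil, fmt.Errorf("non-numeric uid/gid %q/%q", u.Uid, u.Gid)
	}
	if uid == 0 || gid == 0 {
		return nil, fmt.Errorf("refusing to start a child as uid 0 or gid 0")
	}
	// Groups lists only the primary group, so none of the broker's own
	// supplementary groups carry over to the child.
	return &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid), Groups: []uint32{uint32(gid)}}, nil
}

// commandAs prepares (but does not start) name/args to run as account u.
func commandAs(u *user.User, name string, args ...string) (*exec.Cmd, error) {
	cred, err := credentialFor(u)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(name, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{Credential: cred}
	// Fixed, minimal environment: nothing from the root broker leaks through.
	cmd.Env = []string{"PATH=/usr/bin:/bin", "HOME=" + u.HomeDir, "USER=" + u.Username}
	return cmd, nil
}

func main() {
	// Constructed account for the demo; a real broker would use user.Lookup.
	cmd, err := commandAs(&user.User{Username: "demo", Uid: "65534", Gid: "65534", HomeDir: "/"}, "id")
	if err != nil {
		log.Fatal(err)
	}
	out, err := cmd.CombinedOutput() // only a root parent can switch users
	fmt.Printf("%s(err: %v)\n", out, err)
}
```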