From 1c813d70945b6a18676ad9846ac9cd6543adc971 Mon Sep 17 00:00:00 2001
From: Jeremy Groven
Date: Tue, 6 Jul 2021 16:37:15 -0500
Subject: [PATCH] Add -uid and -uid flags to drop permissions

yggdrasil seems to prefer to run as a privileged user, but it also seems to work fine if permissions are dropped after the socket initialization is performed. This adds -uid and -gid flags so that an instance run with root perms can drop them once it's ready.
---
 cmd/yggdrasil/main.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/cmd/yggdrasil/main.go b/cmd/yggdrasil/main.go
index d6d0d1a65..46746fd40 100644
--- a/cmd/yggdrasil/main.go
+++ b/cmd/yggdrasil/main.go
@@ -193,6 +193,8 @@ type yggArgs struct {
 getaddr bool
 getsnet bool
 loglevel string
+ runuid int
+ rungid int
 }
 
 func getArgs() yggArgs {
@@ -207,7 +209,10 @@ func getArgs() yggArgs {
 getaddr := flag.Bool("address", false, "returns the IPv6 address as derived from the supplied configuration")
 getsnet := flag.Bool("subnet", false, "returns the IPv6 subnet as derived from the supplied configuration")
 loglevel := flag.String("loglevel", "info", "loglevel to enable")
+ runuid := flag.Int("uid", -1, "drop privileges to this user id")
+ rungid := flag.Int("gid", -1, "drop privileges to this group id")
 flag.Parse()
+
 return yggArgs{
 genconf: *genconf,
 useconf: *useconf,
@@ -220,6 +225,8 @@ func getArgs() yggArgs {
 getaddr: *getaddr,
 getsnet: *getsnet,
 loglevel: *loglevel,
+ runuid: *runuid,
+ rungid: *rungid,
 }
 }
 
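Review bot: The help text for the new -uid and -gid flags in getArgs does not say that they are only honored when the process starts as root and that 0 (and the -1 default) means "unset", which is how the consuming code later in this diff treats them (`syscall.Getuid() == 0` and `> 0`); an unprivileged user who passes them gets no indication they were ignored. I would extend both strings, e.g. `runuid := flag.Int("uid", -1, "drop privileges to this numeric user id (only applies when started as root)")` and the matching wording for -gid. The flags take numeric ids only, which the help text could also state so that a user name is not mistakenly passed.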
@@ -364,6 +371,17 @@ func run(args yggArgs, ctx context.Context, done chan struct{}) {
 address := n.core.Address()
 subnet := n.core.Subnet()
 public := n.core.GetSelf().Key
+ // Lower permissions from root to something else, if the user wants to
+ if syscall.Getuid() == 0 {
+ if args.rungid > 0 {
+ fmt.Println("Dropping gid to ", args.rungid)
+ syscall.Setgid(args.rungid)
+ }
+ if args.runuid > 0 {
+ fmt.Println("Dropping uid to ", args.rungid)
+ syscall.Setuid(args.runuid)
+ }
+ }
 logger.Infof("Your public key is %s", hex.EncodeToString(public[:]))
 logger.Infof("Your IPv6 address is %s", address.String())
 logger.Infof("Your IPv6 subnet is %s", subnet.String())
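Review bot: The return values of syscall.Setgid and syscall.Setuid in the new block are discarded, so if either call fails the process keeps running as root while the output claims privileges were dropped; both must be checked and the process should stop on failure (on Go releases before 1.16, syscall.Setuid on Linux returned EOPNOTSUPP without changing anything, so this failure path is reachable in practice). The uid message also prints `args.rungid` instead of `args.runuid`, and both messages bypass the logger that the surrounding lines use. Supplementary groups are not cleared, so a root-started process retains root's group memberships after Setgid; a syscall.Setgroups call before Setgid addresses that. syscall.Setuid and syscall.Setgid are not defined by the syscall package on Windows, so if main.go is also built there this will not compile without a build-tagged helper; the hunk does not show the file's imports, so I cannot confirm how syscall is brought in. The rewritten lines below assume the logger exposes an Errorf method and that os is imported; run's body continues outside the hunk.
```go
	// Lower permissions from root to something else, if the user wants to
	if syscall.Getuid() == 0 {
		if args.rungid > 0 {
			logger.Infof("Dropping gid to %d", args.rungid)
			// Clear supplementary groups first; they would otherwise survive Setgid.
			if err := syscall.Setgroups([]int{args.rungid}); err != nil {
				logger.Errorf("Unable to set supplementary groups: %v", err)
				os.Exit(1)
			}
			if err := syscall.Setgid(args.rungid); err != nil {
				logger.Errorf("Unable to drop gid: %v", err)
				os.Exit(1)
			}
		}
		if args.runuid > 0 {
			logger.Infof("Dropping uid to %d", args.runuid)
			if err := syscall.Setuid(args.runuid); err != nil {
				logger.Errorf("Unable to drop uid: %v", err)
				os.Exit(1)
			}
		}
	}
	// … unchanged: public key / address / subnet log lines …
```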