24 changes: 24 additions & 0 deletions cmd/yggdrasil/main.go
Expand Up @@ -194,6 +194,8 @@ type yggArgs struct {
getaddr bool
getsnet bool
loglevel string
runuid int
rungid int
}

func getArgs() yggArgs {
Expand All @@ -208,7 +210,10 @@ func getArgs() yggArgs {
getaddr := flag.Bool("address", false, "returns the IPv6 address as derived from the supplied configuration")
getsnet := flag.Bool("subnet", false, "returns the IPv6 subnet as derived from the supplied configuration")
loglevel := flag.String("loglevel", "info", "loglevel to enable")
runuid := flag.Int("uid", -1, "drop privileges to this user id")
rungid := flag.Int("gid", -1, "drop privileges to this group id")
flag.Parse()

return yggArgs{
genconf: *genconf,
useconf: *useconf,
Expand All @@ -221,6 +226,8 @@ func getArgs() yggArgs {
getaddr: *getaddr,
getsnet: *getsnet,
loglevel: *loglevel,
runuid: *runuid,
rungid: *rungid,
}
}

Expand Down Expand Up @@ -366,6 +373,23 @@ func run(args yggArgs, ctx context.Context, done chan struct{}) {
address := n.core.Address()
subnet := n.core.Subnet()
public := n.core.GetSelf().Key
// Lower permissions from root to something else, if the user wants to
if syscall.Getuid() == 0 {
if args.rungid > 0 {
logger.Infoln("Setting gid to:", args.rungid)
if err := setgid(args.rungid); err != nil {
logger.Errorln("Failed to set gid:", err)
return
instead of simply returning, you likely want to abort() here.

Not being able to change gid/uid (or egid/euid) is not a failure you should ignore and then simply continue running.

}
}
if args.runuid > 0 {
logger.Infoln("Setting uid to:", args.runuid)
if err := setuid(args.runuid); err != nil {
logger.Errorln("Failed to set uid:", err)
return
}
}
}
logger.Infof("Your public key is %s", hex.EncodeToString(public[:]))
logger.Infof("Your IPv6 address is %s", address.String())
logger.Infof("Your IPv6 subnet is %s", subnet.String())
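Review bot: The privilege drop added in run() never clears root's supplementary groups, because nothing calls setgroups before the setgid/setuid pair; after the drop the process still carries every group membership root had, including group 0, so the rights are not actually relinquished. Add a setgroups step to the per-platform helpers (for example `syscall.Setgroups([]int{args.rungid})` in setids_unix.go with a stub in setids_other.go) and call it while still root, before `setgid(args.rungid)`. A related gap is that `args.rungid > 0` and `args.runuid > 0` are checked independently, so passing only `-uid` leaves the primary gid at 0; either require both or log a warning when one is given without the other. run() starts and ends outside this hunk.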
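--- a/cmd/yggdrasil/setids_other.go
+++ b/cmd/yggdrasil/setids_other.go
@@ -0,0 +1,13 @@
+// +build !aix,!darwin,!dragonfly,!freebsd,!linux,!netbsd,!openbsd,!solaris
+
+package main
+
+import "errors"
+
+func setuid(uid int) error {
+return errors.New("setting uid not supported on this platform")
+}
+
+func setgid(gid int) error {
+return errors.New("setting gid not supported on this platform")
+}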
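Review bot: The build constraint on the first line is the exact complement of the one in setids_unix.go, and a platform omitted from both lists would leave setuid/setgid undefined in package main, but nothing in either file says the two lists must be kept in sync. A file comment such as `// Stub for platforms without setuid/setgid support; keep this constraint the negation of setids_unix.go.` would make the coupling explicit. The two helpers also have no doc comments; one line each, e.g. `// setuid always fails on this platform.`, would tell a reader that the error is deliberate rather than a TODO.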
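--- a/cmd/yggdrasil/setids_unix.go
+++ b/cmd/yggdrasil/setids_unix.go
@@ -0,0 +1,13 @@
+// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
+
+package main
+
+import "syscall"
+
+func setuid(uid int) error {
+return syscall.Setuid(uid)
+}
+
+func setgid(gid int) error {
+return syscall.Setgid(gid)
+}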
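Review bot: On Linux, syscall.Setuid and syscall.Setgid only do anything from Go 1.16 onward; earlier toolchains return EOPNOTSUPP from both unconditionally because the runtime could not apply the change to every thread, so with linux in this build constraint the privilege drop fails at runtime on older Go versions and, given how main.go handles the error, the node simply stops. The minimum toolchain should be pinned in go.mod or stated in a comment such as `// Requires Go 1.16+ on Linux, where Setuid/Setgid are applied to all threads.` Both helpers are undocumented; the ordering the caller relies on is worth recording on setgid, e.g. `// setgid must run before setuid, since changing the gid still needs root.`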