Github/aralez
1
0
Fork 0
mirror of https://github.com/sadoyan/aralez.git synced 2026-04-29 22:38:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix drop privileges, check root

Browse Source
This commit is contained in:
Ara Sadoyan
2025-09-28 12:23:53 +02:00
parent b916b152ea
commit bd5fed9be0
2 changed files with 48 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
src/utils/tools.rs
View File

@@ -4,14 +4,19 @@ use crate::utils::tls::CertificateConfig;
use dashmap::DashMap; use dashmap::DashMap;
use log::{error, info}; use log::{error, info};
use notify::{event::ModifyKind, Config, EventKind, RecommendedWatcher, RecursiveMode, Watcher}; use notify::{event::ModifyKind, Config, EventKind, RecommendedWatcher, RecursiveMode, Watcher};
use port_check::is_port_reachable;
use privdrop::PrivDrop;
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
use std::any::type_name; use std::any::type_name;
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use std::fmt::Write; use std::fmt::Write;
use std::fs; use std::net::SocketAddr;
use std::os::unix::fs::MetadataExt;
use std::str::FromStr;
use std::sync::atomic::AtomicUsize; use std::sync::atomic::AtomicUsize;
use std::sync::mpsc::{channel, Sender}; use std::sync::mpsc::{channel, Sender};
use std::time::{Duration, Instant}; use std::time::{Duration, Instant};
use std::{fs, process, thread, time};
#[allow(dead_code)] #[allow(dead_code)]
pub fn print_upstreams(upstreams: &UpstreamsDashMap) { pub fn print_upstreams(upstreams: &UpstreamsDashMap) {
@@ -221,3 +226,40 @@ pub fn watch_folder(path: String, sender: Sender<Vec<CertificateConfig>>) -> not
} }
} }
} }
pub fn drop_priv(user: String, group: String, http_addr: String, tls_addr: Option<String>) {
thread::sleep(time::Duration::from_millis(10));
loop {
thread::sleep(time::Duration::from_millis(10));
if is_port_reachable(http_addr.clone()) {
break;
}
}
if let Some(tls_addr) = tls_addr {
loop {
thread::sleep(time::Duration::from_millis(10));
if is_port_reachable(tls_addr.clone()) {
break;
}
}
}
info!("Dropping ROOT privileges to: {}:{}", user, group);
if let Err(e) = PrivDrop::default().user(user).group(group).apply() {
error!("Failed to drop privileges: {}", e);
process::exit(1)
}
}
pub fn check_priv(addr: String) {
let port = SocketAddr::from_str(&addr).map(|sa| sa.port()).unwrap();
match port < 1024 {
true => {
let meta = std::fs::metadata("/proc/self").map(|m| m.uid()).unwrap();
if meta != 0 {
error!("Running on privileged port requires to start as ROOT");
process::exit(1)
}
}
false => {}
}
}

44
src/web/start.rs
View File

@@ -12,13 +12,9 @@ use pingora::tls::ssl::{SslAlert, SslRef};
use pingora_core::listeners::tls::TlsSettings; use pingora_core::listeners::tls::TlsSettings;
use pingora_core::prelude::{background_service, Opt}; use pingora_core::prelude::{background_service, Opt};
use pingora_core::server::Server; use pingora_core::server::Server;
use port_check::is_port_reachable;
use privdrop::PrivDrop;
use std::os::unix::fs::MetadataExt;
use std::sync::mpsc::{channel, Receiver, Sender}; use std::sync::mpsc::{channel, Receiver, Sender};
use std::sync::Arc; use std::sync::Arc;
use std::{thread, time}; use std::thread;
pub fn run() { pub fn run() {
// default_provider().install_default().expect("Failed to install rustls crypto provider"); // default_provider().install_default().expect("Failed to install rustls crypto provider");
let parameters = Some(Opt::parse_args()).unwrap(); let parameters = Some(Opt::parse_args()).unwrap();
@@ -57,10 +53,13 @@ pub fn run() {
let bg_srvc = background_service("bgsrvc", lb.clone()); let bg_srvc = background_service("bgsrvc", lb.clone());
let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone()); let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone());
let bind_address_http = cfg.proxy_address_http.clone(); let bind_address_http = cfg.proxy_address_http.clone();
let bind_address_tls = cfg.proxy_address_tls.clone(); let bind_address_tls = cfg.proxy_address_tls.clone();
check_priv(bind_address_http.clone());
match bind_address_tls { match bind_address_tls {
Some(bind_address_tls) => { Some(bind_address_tls) => {
check_priv(bind_address_tls.clone());
let (tx, rx): (Sender<Vec<CertificateConfig>>, Receiver<Vec<CertificateConfig>>) = channel(); let (tx, rx): (Sender<Vec<CertificateConfig>>, Receiver<Vec<CertificateConfig>>) = channel();
let certs_path = cfg.proxy_certificates.clone().unwrap(); let certs_path = cfg.proxy_certificates.clone().unwrap();
thread::spawn(move || { thread::spawn(move || {
@@ -115,36 +114,3 @@ pub fn run() {
rx.recv().expect("Could not receive from channel."); rx.recv().expect("Could not receive from channel.");
info!("Signal received ! Exiting..."); info!("Signal received ! Exiting...");
} }
fn drop_priv(user: String, group: String, http_addr: String, tls_addr: Option<String>) {
thread::sleep(time::Duration::from_millis(10));
loop {
thread::sleep(time::Duration::from_millis(10));
if is_port_reachable(http_addr.clone()) {
break;
}
}
if let Some(tls_addr) = tls_addr {
loop {
thread::sleep(time::Duration::from_millis(10));
if is_port_reachable(tls_addr.clone()) {
break;
}
}
}
if std::fs::metadata("/proc/self").map(|m| m.uid()).unwrap_or(1) == 0 {
info!("Dropping ROOT privileges to: {}:{}", user, group);
if let Err(e) = PrivDrop::default().user(user).group(group).apply() {
panic!("Failed to drop privileges: {}", e);
}
}
// if let (Some(u), Some(g)) = (user, group) {
// if std::fs::metadata("/proc/self").map(|m| m.uid()).unwrap_or(1) == 0 {
// info!("Dropping ROOT privileges to: {}:{}", u, g);
// if let Err(e) = PrivDrop::default().user(u).group(g).apply() {
// panic!("Failed to drop privileges: {}", e);
// }
// }
// }
}