mirror of
https://github.com/sadoyan/aralez.git
synced 2026-04-29 22:38:36 +08:00
Fix drop privileges, check root
This commit is contained in:
Ara Sadoyan
@@ -4,14 +4,19 @@ use crate::utils::tls::CertificateConfig;
|
||||
use dashmap::DashMap;
|
||||
use log::{error, info};
|
||||
use notify::{event::ModifyKind, Config, EventKind, RecommendedWatcher, RecursiveMode, Watcher};
|
||||
use port_check::is_port_reachable;
|
||||
use privdrop::PrivDrop;
|
||||
use sha2::{Digest, Sha256};
|
||||
use std::any::type_name;
|
||||
use std::collections::{HashMap, HashSet};
|
||||
use std::fmt::Write;
|
||||
use std::fs;
|
||||
use std::net::SocketAddr;
|
||||
use std::os::unix::fs::MetadataExt;
|
||||
use std::str::FromStr;
|
||||
use std::sync::atomic::AtomicUsize;
|
||||
use std::sync::mpsc::{channel, Sender};
|
||||
use std::time::{Duration, Instant};
|
||||
use std::{fs, process, thread, time};
|
||||
|
||||
#[allow(dead_code)]
|
||||
pub fn print_upstreams(upstreams: &UpstreamsDashMap) {
|
||||
@@ -221,3 +226,40 @@ pub fn watch_folder(path: String, sender: Sender<Vec<CertificateConfig>>) -> not
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub fn drop_priv(user: String, group: String, http_addr: String, tls_addr: Option<String>) {
|
||||
thread::sleep(time::Duration::from_millis(10));
|
||||
loop {
|
||||
thread::sleep(time::Duration::from_millis(10));
|
||||
if is_port_reachable(http_addr.clone()) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
if let Some(tls_addr) = tls_addr {
|
||||
loop {
|
||||
thread::sleep(time::Duration::from_millis(10));
|
||||
if is_port_reachable(tls_addr.clone()) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
info!("Dropping ROOT privileges to: {}:{}", user, group);
|
||||
if let Err(e) = PrivDrop::default().user(user).group(group).apply() {
|
||||
error!("Failed to drop privileges: {}", e);
|
||||
process::exit(1)
|
||||
}
|
||||
}
|
||||
|
||||
pub fn check_priv(addr: String) {
|
||||
let port = SocketAddr::from_str(&addr).map(|sa| sa.port()).unwrap();
|
||||
match port < 1024 {
|
||||
true => {
|
||||
let meta = std::fs::metadata("/proc/self").map(|m| m.uid()).unwrap();
|
||||
if meta != 0 {
|
||||
error!("Running on privileged port requires to start as ROOT");
|
||||
process::exit(1)
|
||||
}
|
||||
}
|
||||
false => {}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,13 +12,9 @@ use pingora::tls::ssl::{SslAlert, SslRef};
|
||||
use pingora_core::listeners::tls::TlsSettings;
|
||||
use pingora_core::prelude::{background_service, Opt};
|
||||
use pingora_core::server::Server;
|
||||
use port_check::is_port_reachable;
|
||||
use privdrop::PrivDrop;
|
||||
use std::os::unix::fs::MetadataExt;
|
||||
use std::sync::mpsc::{channel, Receiver, Sender};
|
||||
use std::sync::Arc;
|
||||
use std::{thread, time};
|
||||
|
||||
use std::thread;
|
||||
pub fn run() {
|
||||
// default_provider().install_default().expect("Failed to install rustls crypto provider");
|
||||
let parameters = Some(Opt::parse_args()).unwrap();
|
||||
@@ -57,10 +53,13 @@ pub fn run() {
|
||||
let bg_srvc = background_service("bgsrvc", lb.clone());
|
||||
let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone());
|
||||
let bind_address_http = cfg.proxy_address_http.clone();
|
||||
|
||||
let bind_address_tls = cfg.proxy_address_tls.clone();
|
||||
|
||||
check_priv(bind_address_http.clone());
|
||||
|
||||
match bind_address_tls {
|
||||
Some(bind_address_tls) => {
|
||||
check_priv(bind_address_tls.clone());
|
||||
let (tx, rx): (Sender<Vec<CertificateConfig>>, Receiver<Vec<CertificateConfig>>) = channel();
|
||||
let certs_path = cfg.proxy_certificates.clone().unwrap();
|
||||
thread::spawn(move || {
|
||||
@@ -115,36 +114,3 @@ pub fn run() {
|
||||
rx.recv().expect("Could not receive from channel.");
|
||||
info!("Signal received ! Exiting...");
|
||||
}
|
||||
fn drop_priv(user: String, group: String, http_addr: String, tls_addr: Option<String>) {
|
||||
thread::sleep(time::Duration::from_millis(10));
|
||||
loop {
|
||||
thread::sleep(time::Duration::from_millis(10));
|
||||
if is_port_reachable(http_addr.clone()) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
if let Some(tls_addr) = tls_addr {
|
||||
loop {
|
||||
thread::sleep(time::Duration::from_millis(10));
|
||||
if is_port_reachable(tls_addr.clone()) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if std::fs::metadata("/proc/self").map(|m| m.uid()).unwrap_or(1) == 0 {
|
||||
info!("Dropping ROOT privileges to: {}:{}", user, group);
|
||||
if let Err(e) = PrivDrop::default().user(user).group(group).apply() {
|
||||
panic!("Failed to drop privileges: {}", e);
|
||||
}
|
||||
}
|
||||
|
||||
// if let (Some(u), Some(g)) = (user, group) {
|
||||
// if std::fs::metadata("/proc/self").map(|m| m.uid()).unwrap_or(1) == 0 {
|
||||
// info!("Dropping ROOT privileges to: {}:{}", u, g);
|
||||
// if let Err(e) = PrivDrop::default().user(u).group(g).apply() {
|
||||
// panic!("Failed to drop privileges: {}", e);
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user