drop privileges for proxy thread

2026-06-03 09:04:07 +02:00 · 2025-11-10 23:04:16 +01:00 · 2025-11-10 23:04:16 +01:00 · b595282810
commit b595282810
parent d8d1bc17df
3 changed files with 54 additions and 0 deletions
--- a/src/proxy/mod.rs
+++ b/src/proxy/mod.rs
@ -11,9 +11,11 @@ use std::path::{Path, PathBuf};
 use std::sync::Arc;
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::thread::spawn;
+use syscalls::{Sysno, syscall};
 use thiserror::Error;
 use tokio::runtime::Builder;
 use tracing::error;
+use uzers::{get_group_by_name, get_user_by_name};

 #[derive(Debug, Error)]
 pub enum ProxyError {
@ -60,6 +62,13 @@ impl ActiveProxy {
            (None, ns_handle)
        };

+        let nobody_uid = get_user_by_name("nobody")
+            .map(|user| user.uid())
+            .unwrap_or(65534);
+        let nobody_gid = get_group_by_name("nobody")
+            .map(|group| group.gid())
+            .unwrap_or(65534);
+
        let source = config.source.clone();
        spawn(move || {
            let rt = match Builder::new_current_thread().enable_io().build() {
@ -90,6 +99,16 @@ impl ActiveProxy {
                    error!(%error, "Failed to join target network namespace for proxy");
                    return;
                }
+
+                // raw syscall since the libc `setuid`/`setgui` set it for the entire process
+                unsafe {
+                    if let Err(error) = syscall!(Sysno::setgid, nobody_gid)
+                        .and_then(|_| syscall!(Sysno::setuid, nobody_uid))
+                    {
+                        error!(%error, "Failed drop privileges for proxy thread");
+                    }
+                }
+
                proxy.run(destination, abort_reg, run_stats).await;
            });
        });