robin/netnsd
1
0
Fork 0
mirror of https://codeberg.org/icewind/netnsd.git synced 2026-06-03 17:14:06 +02:00
Code Issues Projects Releases Packages Wiki Activity

proxy: move permissions drop outside tokio rt

Browse source
This commit is contained in:
Robin Appelman 2025-12-03 02:10:01 +01:00
commit d48f61b4fa
1 changed files with 36 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

31
src/proxy/mod.rs
View file

@ -13,6 +13,7 @@ use std::net::SocketAddr;
use std::path::{Path, PathBuf};
use std::process::{Child, Command};
use std::thread::spawn;
use nix::errno::Errno;
use thiserror::Error;
use tokio::runtime::Builder;
use tokio::signal::ctrl_c;
@ -135,17 +136,6 @@ pub fn proxy(
))?)
};
let nobody_uid = Uid::from(
get_user_by_name("nobody")
.map(|user| user.uid())
.unwrap_or(65534),
);
let nobody_gid = Gid::from(
get_group_by_name("nobody")
.map(|group| group.gid())
.unwrap_or(65534),
);
let rt = match Builder::new_current_thread().enable_io().build() {
Ok(rt) => rt,
Err(error) => {
@ -154,7 +144,6 @@ pub fn proxy(
}
};
rt.block_on(async {
if let Some(listen_namespace) = listen_namespace
&& let Err(error) = setns(listen_namespace, CloneFlags::CLONE_NEWNET)
{
@ -175,10 +164,11 @@ pub fn proxy(
return Err(error.into());
}
if let Err(error) = setgid(nobody_gid).and_then(|_| setuid(nobody_uid)) {
if let Err(error) = drop_to_nobody() {
error!(%error, "Failed to drop privileges");
}
rt.block_on(async {
tokio::spawn(async move {
let _ = ctrl_c().await;
abort.abort();
@ -189,3 +179,18 @@ pub fn proxy(
Ok(())
})
}
fn drop_to_nobody() -> Result<(), Errno> {
let nobody_uid = Uid::from(
get_user_by_name("nobody")
.map(|user| user.uid())
.unwrap_or(65534),
);
let nobody_gid = Gid::from(
get_group_by_name("nobody")
.map(|group| group.gid())
.unwrap_or(65534),
);
setgid(nobody_gid).and_then(|_| setuid(nobody_uid))
}