Dropping Privileges in Golang (v1.7)
In Go, it is often desirable to execute a process with root privileges, bind to a port, and then drop privileges to a non-root user. However, due to limitations in Go v1.7, direct use of syscall.SetUid() is not supported.
To achieve this, there are several approaches to consider:
iptables Redirection:
Redesigning ports via iptables is one option. This method involves rerouting another port to port 80. However, this approach exposes security concerns, as any non-root process could potentially pose as the webserver.
Alternative Method:
A more secure approach utilizes Go's native capabilities. Here's a step-by-step guide:
This approach provides granularity in privilege management. The following code snippet demonstrates its implementation:
package main
import (
"fmt"
"io"
"log"
"net"
"golang.org/x/sys/unix"
)
func main() {
listener, err := net.Listen("tcp", "127.0.0.1:80")
if err != nil {
log.Fatal(err)
}
for {
conn, err := listener.Accept()
if err != nil {
log.Fatal(err)
}
uid := unix.Getuid()
if uid == 0 {
fmt.Fprintf(conn, "Running as root, downgrading to non-root user")
// Mock retrieving desired user and UID
desiredUser := "www-data"
uid = 33 // Example non-root UID
if err := unix.Setuid(uid); err != nil {
log.Fatal(err)
}
fmt.Fprintf(conn, "Successfully dropped privileges to user %s\n", desiredUser)
}
fmt.Fprintf(conn, "Hello, world!\n")
// Serve requests
io.Copy(conn, conn)
// Close the connection
conn.Close()
}
}By following these steps and leveraging Go's built-in capabilities, it is possible to securely drop privileges and execute the desired application with non-root permissions.
The above is the detailed content of How Can I Securely Drop Privileges After Binding to a Port in Go (v1.7)?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
