aquatic_ws: privilege dropping; cli_helpers: show error context

2026-03-31 17:55:36 +00:00 · 2020-05-23 16:59:23 +02:00 · 2020-05-23 16:59:23 +02:00 · f3bdb6bc2a
commit f3bdb6bc2a
parent a596ee155a
6 changed files with 21 additions and 9 deletions
--- a/aquatic_ws/Cargo.toml
+++ b/aquatic_ws/Cargo.toml
@ -27,6 +27,7 @@ mio = { version = "0.7", features = ["tcp", "os-poll", "os-util"] }
 native-tls = "0.2"
 net2 = "0.2"
 parking_lot = "0.10"
+privdrop = "0.3"
 rand = { version = "0.7", features = ["small_rng"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
--- a/aquatic_ws/src/lib/config.rs
+++ b/aquatic_ws/src/lib/config.rs
@ -13,7 +13,7 @@ pub struct Config {
    pub network: NetworkConfig,
    pub handlers: HandlerConfig,
    pub cleaning: CleaningConfig,
-    // pub privileges: PrivilegeConfig,
+    pub privileges: PrivilegeConfig,
 }


@ -61,7 +61,6 @@ pub struct CleaningConfig {
 }


-// FIXME: implement
 #[derive(Clone, Debug, Serialize, Deserialize)]
 #[serde(default)]
 pub struct PrivilegeConfig {
@ -81,7 +80,7 @@ impl Default for Config {
            network: NetworkConfig::default(),
            handlers: HandlerConfig::default(),
            cleaning: CleaningConfig::default(),
-            // privileges: PrivilegeConfig::default(),
+            privileges: PrivilegeConfig::default(),
        }
    }
 }
--- a/aquatic_ws/src/lib/lib.rs
+++ b/aquatic_ws/src/lib/lib.rs
@ -2,8 +2,11 @@ use std::time::Duration;
 use std::fs::File;
 use std::io::Read;
 use std::sync::Arc;
+
+use anyhow::Context;
 use native_tls::{Identity, TlsAcceptor};
 use parking_lot::Mutex;
+use privdrop::PrivDrop;

 pub mod common;
 pub mod config;
@ -58,7 +61,8 @@ pub fn run(config: Config) -> anyhow::Result<()> {
    }

    // Wait for socket worker statuses. On error from any, quit program.
-    // On success from all, continue program.
+    // On success from all, drop privileges if corresponding setting is set
+    // and continue program.
    loop {
        ::std::thread::sleep(::std::time::Duration::from_millis(10));

@ -73,6 +77,14 @@ pub fn run(config: Config) -> anyhow::Result<()> {
            }

            if statuses.iter().all(Option::is_some){
+                if config.privileges.drop_privileges {
+                    PrivDrop::default()
+                        .chroot(config.privileges.chroot_path.clone())
+                        .user(config.privileges.user.clone())
+                        .apply()
+                        .context("Couldn't drop root privileges")?;
+                }
+
                break
            }
        }