authorsid77 <sid77@slackware.it>2016-08-21 02:00:41 +0200
committerMarco Bonetti <marco@intercom.io>2016-08-26 10:04:41 +0100
commit4028762f4a81a59ccc6d6e5662fa7e341fc74336 (patch)
tree0124ed9d2cf5ef154c2d4923643d9bdcc1edb638 /cmd
parentbc966492134279c03458cab2ed2f2f51104ee283 (diff)
First attempt at dropping privileges
Diffstat (limited to 'cmd')
-rw-r--r--cmd/cashierd/main.go52
1 files changed, 40 insertions, 12 deletions
diff --git a/cmd/cashierd/main.go b/cmd/cashierd/main.go
index e82cbc7..e16d20b 100644
--- a/cmd/cashierd/main.go
+++ b/cmd/cashierd/main.go
@@ -2,6 +2,7 @@ package main
import (
"crypto/rand"
+ "crypto/tls"
"encoding/hex"
"encoding/json"
"errors"
@@ -11,6 +12,7 @@ import (
"io"
"io/ioutil"
"log"
+ "net"
"net/http"
"os"
"strings"
@@ -32,6 +34,7 @@ import (
"github.com/nsheridan/cashier/server/static"
"github.com/nsheridan/cashier/server/store"
"github.com/nsheridan/cashier/server/templates"
+ "github.com/sid77/drop"
)
var (
@@ -310,17 +313,50 @@ func certStore(config string) (store.CertStorer, error) {
}
func main() {
+ // Privileged section
flag.Parse()
config, err := readConfig(*cfg)
if err != nil {
log.Fatal(err)
}
+
fs.Register(config.AWS)
signer, err := signer.New(config.SSH)
if err != nil {
log.Fatal(err)
}
+ logfile := os.Stderr
+ if config.Server.HTTPLogFile != "" {
+ logfile, err = os.OpenFile(config.Server.HTTPLogFile, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0640)
+ if err != nil {
+ log.Fatal(err)
+ }
+ }
+
+ l, err := net.Listen("tcp", fmt.Sprintf("%s:%d", config.Server.Addr, config.Server.Port))
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ tlsConfig := &tls.Config{}
+ if config.Server.UseTLS {
+ tlsConfig.Certificates = make([]tls.Certificate, 1)
+ tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(config.Server.TLSCert, config.Server.TLSKey)
+ if err != nil {
+ log.Fatal(err)
+ }
+ l = tls.NewListener(l, tlsConfig)
+ }
+
+ if config.Server.User != "" {
+ log.Print("Dropping privileges...")
+ if err = drop.DropPrivileges(config.Server.User); err != nil {
+ log.Fatal(err)
+ }
+ }
+
+ // Unprivileged section
var authprovider auth.Provider
switch config.Auth.Provider {
case "google":
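Review bot: The hand-built `tlsConfig := &tls.Config{}` sets only Certificates, so the wrapped listener accepts whatever minimum protocol version and cipher ordering the Go runtime defaults to; make the policy explicit with `tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}` rather than inheriting it from the toolchain. Because the socket is now wrapped with `tls.NewListener` and served with `s.Serve(l)` instead of the old `http.ListenAndServeTLS`, the HTTP/2 setup that the old call performed on its own TLS config presumably no longer applies to this one, which is worth confirming if HTTP/2 was relied on. The listen address is still assembled with `fmt.Sprintf("%s:%d", ...)`, which produces an unparseable address for an IPv6 literal in Server.Addr; `net.JoinHostPort(config.Server.Addr, fmt.Sprint(config.Server.Port))` handles both forms. When Server.User is empty the process silently keeps its starting privileges; a `log.Print("Server.User not set, not dropping privileges")` in an else branch would make that visible in operation. main's body continues outside the hunk.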
@@ -361,19 +397,11 @@ func main() {
r.Methods("POST").Path("/admin/revoke").Handler(CSRF(appHandler{ctx, revokeCertHandler}))
r.Methods("GET").Path("/admin/certs").Handler(CSRF(appHandler{ctx, listAllCertsHandler}))
r.PathPrefix("/").Handler(http.FileServer(static.FS(false)))
- logfile := os.Stderr
- if config.Server.HTTPLogFile != "" {
- logfile, err = os.OpenFile(config.Server.HTTPLogFile, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0660)
- if err != nil {
- log.Fatal(err)
- }
- }
h := handlers.LoggingHandler(logfile, r)
- fmt.Println("Starting server...")
- l := fmt.Sprintf("%s:%d", config.Server.Addr, config.Server.Port)
- if config.Server.UseTLS {
- log.Fatal(http.ListenAndServeTLS(l, config.Server.TLSCert, config.Server.TLSKey, h))
+ log.Print("Starting server...")
+ s := &http.Server{
+ Handler: h,
}
- log.Fatal(http.ListenAndServe(l, h))
+ log.Fatal(s.Serve(l))
}
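Review bot: `s := &http.Server{Handler: h}` configures no ReadTimeout or WriteTimeout, so a client that opens a connection and never completes its request, or never reads the response, holds its goroutine indefinitely on a socket that was bound while the process was still privileged. Set both when building the server, e.g. `ReadTimeout: 10 * time.Second, WriteTimeout: 30 * time.Second` (constructed values; add `time` to the import block if the file does not already have it). With a listener supplied from outside, this struct is also the natural place to carry the `tlsConfig` built earlier via the TLSConfig field so the two are not configured in separate places. main starts outside this hunk.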