From df74ae14449f014a7889d164e2d49a10fa43abc8 Mon Sep 17 00:00:00 2001 From: Brian Bockelman Date: Mon, 23 Dec 2024 10:23:09 -0600 Subject: [PATCH] If needed, drop privileges to `pelican` after startup of server --- launchers/droppriv_unix.go | 56 +++++++++++++++++++++++++++++++++++ launchers/droppriv_windows.go | 27 +++++++++++++++++ launchers/launcher.go | 7 +++++ 3 files changed, 90 insertions(+) create mode 100644 launchers/droppriv_unix.go create mode 100644 launchers/droppriv_windows.go diff --git a/launchers/droppriv_unix.go b/launchers/droppriv_unix.go new file mode 100644 index 000000000..d256affc2 --- /dev/null +++ b/launchers/droppriv_unix.go @@ -0,0 +1,56 @@ +//go:build !windows + +/*************************************************************** + * + * Copyright (C) 2024, Pelican Project, Morgridge Institute for Research + * + * Licensed under the Apache License, Version 2.0 (the "License"); you + * may not use this file except in compliance with the License. You may + * obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + ***************************************************************/ + +package launchers + +import ( + "syscall" + + "github.com/pelicanplatform/pelican/config" + "github.com/pelicanplatform/pelican/param" + "github.com/pkg/errors" + log "github.com/sirupsen/logrus" +) + +func dropPriveleges() (err error) { + log.Info("Dropping privileges to user ", param.Server_UnprivilegedUser.GetString()) + var puser config.User + puser, err = config.GetPelicanUser() + if err != nil { + return + } + if puser.Uid == 0 { + err = errors.Errorf("unable to drop privileges to user (%s) with UID 0", puser.Username) + return + } + if puser.Gid == 0 { + err = errors.Errorf("unable to drop privileges to user (user %s, group %s) with GID 0", puser.Username, puser.Groupname) + return + } + if err = syscall.Setgid(puser.Gid); err != nil { + err = errors.Wrap(err, "failed to drop group privileges") + return + } + if err = syscall.Setuid(puser.Uid); err != nil { + err = errors.Wrap(err, "failed to drop user privileges") + return + } + return +} diff --git a/launchers/droppriv_windows.go b/launchers/droppriv_windows.go new file mode 100644 index 000000000..3a94b7d4d --- /dev/null +++ b/launchers/droppriv_windows.go @@ -0,0 +1,27 @@ +//go:build windows + +/*************************************************************** + * + * Copyright (C) 2024, Pelican Project, Morgridge Institute for Research + * + * Licensed under the Apache License, Version 2.0 (the "License"); you + * may not use this file except in compliance with the License. You may + * obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + ***************************************************************/ + +package launchers + +import "github.com/pkg/errors" + +func dropPriveleges() (err error) { + return errors.New("dropping privileges is not supported on Windows") +} diff --git a/launchers/launcher.go b/launchers/launcher.go index 3eef5342d..c2568bd6d 100644 --- a/launchers/launcher.go +++ b/launchers/launcher.go @@ -325,6 +325,13 @@ func LaunchModules(ctx context.Context, modules server_structs.ServerType) (serv } } + // Now that we've launched XRootD (which should drop their privileges to the xrootd user), we can drop our own + if config.IsRootExecution() && param.Server_DropPrivileges.GetBool() { + if err = dropPriveleges(); err != nil { + return + } + } + if modules.IsEnabled(server_structs.OriginType) || modules.IsEnabled(server_structs.CacheType) { log.Debug("Launching periodic advertise of origin/cache server to the director") if err = launcher_utils.LaunchPeriodicAdvertise(ctx, egrp, servers); err != nil {