rgw/beast: drop privileges after binding ports

Fixes: http://tracker.ceph.com/issues/36041
Signed-off-by: Paul Emmerich <paul.emmerich@croit.io>
(cherry picked from commit 6489566e867cee81a753b246913b61815819d9b3)

 Conflicts:
	src/rgw/rgw_asio_frontend.cc

diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index 66ed0ed708449ed2c6ea14b87f50f9f957a6aa63..db0ef66ddcf15871d22d8266603fd108af834b5c 100644 (file)
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -9,6 +9,8 @@
 
 #include <boost/asio.hpp>
 
+#include "common/errno.h"
+
 #include "rgw_asio_client.h"
 #include "rgw_asio_frontend.h"
 
@@ -257,6 +259,29 @@ tcp::endpoint parse_endpoint(BOOST_ASIO_STRING_VIEW_PARAM input,
   return endpoint;
 }
 
+static int drop_privileges(CephContext *ctx)
+{
+  uid_t uid = ctx->get_set_uid();
+  gid_t gid = ctx->get_set_gid();
+  std::string uid_string = ctx->get_set_uid_string();
+  std::string gid_string = ctx->get_set_gid_string();
+  if (gid && setgid(gid) != 0) {
+    int err = errno;
+    ldout(ctx, -1) << "unable to setgid " << gid << ": " << cpp_strerror(err) << dendl;
+    return -err;
+  }
+  if (uid && setuid(uid) != 0) {
+    int err = errno;
+    ldout(ctx, -1) << "unable to setuid " << uid << ": " << cpp_strerror(err) << dendl;
+    return -err;
+  }
+  if (uid && gid) {
+    ldout(ctx, 0) << "set uid:gid to " << uid << ":" << gid
+                  << " (" << uid_string << ":" << gid_string << ")" << dendl;
+  }
+  return 0;
+}
+
 int AsioFrontend::init()
 {
   boost::system::error_code ec;
@@ -307,7 +332,7 @@ int AsioFrontend::init()
 
     ldout(ctx(), 4) << "frontend listening on " << l.endpoint << dendl;
   }
-  return 0;
+  return drop_privileges(ctx());
 }
 
 void AsioFrontend::accept(Listener& l, boost::system::error_code ec)

diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc
index 8f4b6a917b025b0878a4a25107260becd08db4df..c66f4a928f7feb10eb606bebcb1b9dac0c739b1f 100644 (file)
--- a/src/rgw/rgw_main.cc
+++ b/src/rgw/rgw_main.cc
@@ -220,16 +220,16 @@ int main(int argc, const char **argv)
   for (list<string>::iterator iter = frontends.begin(); iter != frontends.end(); ++iter) {
     string& f = *iter;
 
-    if (f.find("civetweb") != string::npos) {
-      // If civetweb is configured as a frontend, prevent global_init() from
+    if (f.find("civetweb") != string::npos || f.find("beast") != string::npos) {
+      // If civetweb or beast is configured as a frontend, prevent global_init() from
       // dropping permissions by setting the appropriate flag.
       flags |= CINIT_FLAG_DEFER_DROP_PRIVILEGES;
       if (f.find("port") != string::npos) {
         // check for the most common ws problems
         if ((f.find("port=") == string::npos) ||
             (f.find("port= ") != string::npos)) {
-          derr << "WARNING: civetweb frontend config found unexpected spacing around 'port' "
-               << "(ensure civetweb port parameter has the form 'port=80' with no spaces "
+          derr << "WARNING: radosgw frontend config found unexpected spacing around 'port' "
+               << "(ensure frontend port parameter has the form 'port=80' with no spaces "
                << "before or after '=')" << dendl;
         }
       }