rgw/beast: drop privileges after binding ports

Fixes: http://tracker.ceph.com/issues/36041
Signed-off-by: Paul Emmerich <paul.emmerich@croit.io>
(cherry picked from commit 6489566e867cee81a753b246913b61815819d9b3)

 Conflicts:
	src/rgw/rgw_asio_frontend.cc

diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index fcdfe25b0fc687ca9a9b6c8be738b26177765244..c079e0aa37f99e379233783d07b283c36fef749a 100644 (file)
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -10,6 +10,8 @@
 #include <boost/asio.hpp>
 #include <boost/asio/spawn.hpp>
 
+#include "common/errno.h"
+
 #include "rgw_asio_client.h"
 #include "rgw_asio_frontend.h"
 
@@ -273,6 +275,29 @@ tcp::endpoint parse_endpoint(boost::asio::string_view input,
   return endpoint;
 }
 
+static int drop_privileges(CephContext *ctx)
+{
+  uid_t uid = ctx->get_set_uid();
+  gid_t gid = ctx->get_set_gid();
+  std::string uid_string = ctx->get_set_uid_string();
+  std::string gid_string = ctx->get_set_gid_string();
+  if (gid && setgid(gid) != 0) {
+    int err = errno;
+    ldout(ctx, -1) << "unable to setgid " << gid << ": " << cpp_strerror(err) << dendl;
+    return -err;
+  }
+  if (uid && setuid(uid) != 0) {
+    int err = errno;
+    ldout(ctx, -1) << "unable to setuid " << uid << ": " << cpp_strerror(err) << dendl;
+    return -err;
+  }
+  if (uid && gid) {
+    ldout(ctx, 0) << "set uid:gid to " << uid << ":" << gid
+                  << " (" << uid_string << ":" << gid_string << ")" << dendl;
+  }
+  return 0;
+}
+
 int AsioFrontend::init()
 {
   boost::system::error_code ec;
@@ -330,7 +355,7 @@ int AsioFrontend::init()
 
     ldout(ctx(), 4) << "frontend listening on " << l.endpoint << dendl;
   }
-  return 0;
+  return drop_privileges(ctx());
 }
 
 #ifdef WITH_RADOSGW_BEAST_OPENSSL

diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc
index 7a32bb02772ef98e38684223c4059700da3ed4f6..16176329b1d72593226c5cdd208aadf0954f7dbc 100644 (file)
--- a/src/rgw/rgw_main.cc
+++ b/src/rgw/rgw_main.cc
@@ -209,16 +209,16 @@ int main(int argc, const char **argv)
   for (list<string>::iterator iter = frontends.begin(); iter != frontends.end(); ++iter) {
     string& f = *iter;
 
-    if (f.find("civetweb") != string::npos) {
-      // If civetweb is configured as a frontend, prevent global_init() from
+    if (f.find("civetweb") != string::npos || f.find("beast") != string::npos) {
+      // If civetweb or beast is configured as a frontend, prevent global_init() from
       // dropping permissions by setting the appropriate flag.
       flags |= CINIT_FLAG_DEFER_DROP_PRIVILEGES;
       if (f.find("port") != string::npos) {
         // check for the most common ws problems
         if ((f.find("port=") == string::npos) ||
             (f.find("port= ") != string::npos)) {
-          derr << "WARNING: civetweb frontend config found unexpected spacing around 'port' "
-               << "(ensure civetweb port parameter has the form 'port=80' with no spaces "
+          derr << "WARNING: radosgw frontend config found unexpected spacing around 'port' "
+               << "(ensure frontend port parameter has the form 'port=80' with no spaces "
                << "before or after '=')" << dendl;
         }
       }