#include <boost/intrusive/list.hpp>
#include "common/async/shared_mutex.h"
+#include "common/errno.h"
#include "rgw_asio_client.h"
#include "rgw_asio_frontend.h"
return endpoint;
}
+static int drop_privileges(CephContext *ctx)
+{
+ uid_t uid = ctx->get_set_uid();
+ gid_t gid = ctx->get_set_gid();
+ std::string uid_string = ctx->get_set_uid_string();
+ std::string gid_string = ctx->get_set_gid_string();
+ if (gid && setgid(gid) != 0) {
+ int err = errno;
+ ldout(ctx, -1) << "unable to setgid " << gid << ": " << cpp_strerror(err) << dendl;
+ return -err;
+ }
+ if (uid && setuid(uid) != 0) {
+ int err = errno;
+ ldout(ctx, -1) << "unable to setuid " << uid << ": " << cpp_strerror(err) << dendl;
+ return -err;
+ }
+ if (uid && gid) {
+ ldout(ctx, 0) << "set uid:gid to " << uid << ":" << gid
+ << " (" << uid_string << ":" << gid_string << ")" << dendl;
+ }
+ return 0;
+}
+
int AsioFrontend::init()
{
boost::system::error_code ec;
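Review bot: drop_privileges() changes the primary gid and uid but never resets the supplementary group list, so a process started as root would keep root's supplementary groups after `setuid(uid)` unless they are cleared somewhere outside this hunk. Calling `setgroups(0, nullptr)` (or `initgroups()` for the target user) before `setgid(gid)` closes that gap. The uid and gid are also handled independently: with a uid configured and the gid left at 0, the process keeps gid 0 and the success message under `if (uid && gid)` is skipped, so a partial drop goes unlogged. Logging whichever of the two was changed would make that case visible. AsioFrontend::init() begins in this hunk and continues outside it.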
ldout(ctx(), 4) << "frontend listening on " << l.endpoint << dendl;
}
- return 0;
+ return drop_privileges(ctx());
}
#ifdef WITH_RADOSGW_BEAST_OPENSSL
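Review bot: The position of `return drop_privileges(ctx());` at the very end of init() is security-relevant but undocumented: everything above it in init() runs with the startup privileges. A comment on that line such as `// drop privileges last: listeners must be bound first so privileged ports can be opened` would keep later edits from adding work ahead of it or from adding a success path that returns before it. init() starts outside this hunk, so any earlier return paths are not visible here.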
for (list<string>::iterator iter = frontends.begin(); iter != frontends.end(); ++iter) {
string& f = *iter;
- if (f.find("civetweb") != string::npos) {
- // If civetweb is configured as a frontend, prevent global_init() from
+ if (f.find("civetweb") != string::npos || f.find("beast") != string::npos) {
+ // If civetweb or beast is configured as a frontend, prevent global_init() from
// dropping permissions by setting the appropriate flag.
flags |= CINIT_FLAG_DEFER_DROP_PRIVILEGES;
if (f.find("port") != string::npos) {
// check for the most common ws problems
if ((f.find("port=") == string::npos) ||
(f.find("port= ") != string::npos)) {
- derr << "WARNING: civetweb frontend config found unexpected spacing around 'port' "
- << "(ensure civetweb port parameter has the form 'port=80' with no spaces "
+ derr << "WARNING: radosgw frontend config found unexpected spacing around 'port' "
+ << "(ensure frontend port parameter has the form 'port=80' with no spaces "
<< "before or after '=')" << dendl;
}
}
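Review bot: The check `f.find("beast") != string::npos` matches the substring anywhere in the frontend config string, so an option value that merely contains "beast" or "civetweb" also sets CINIT_FLAG_DEFER_DROP_PRIVILEGES. Once the flag is set, the privilege drop depends entirely on the selected frontend reaching its own drop code. If it does not, the daemon presumably keeps its startup uid and gid. Matching on the framework name parsed from the start of the string would make this fail safe, as would a check after the frontends have started that the configured uid and gid actually took effect. The enclosing function continues outside the hunk.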