rgw: instruct civetweb to drop permissions

Get uid set in g_ceph_context and pass to civetweb where setuid()/setgid()
will be invoked. This Allows for starting civetweb under privileged port
numbers.

Fixes: #13600
Signed-off-by: Karol Mroz <kmroz@suse.com>

diff --git a/src/rgw/rgw_civetweb_frontend.cc b/src/rgw/rgw_civetweb_frontend.cc
index e5c1b18d0cfac96c6555723db0b3cb680560b6d4..557bb5b0f3e9ac8fe2aafe6de731683ef37837c2 100644 (file)
--- a/src/rgw/rgw_civetweb_frontend.cc
+++ b/src/rgw/rgw_civetweb_frontend.cc
@@ -43,6 +43,14 @@ int RGWMongooseFrontend::run() {
   set_conf_default(conf_map, "num_threads", thread_pool_buf);
   set_conf_default(conf_map, "decode_url", "no");
 
+  // Set run_as_user. This will cause civetweb to invoke setuid() and setgid()
+  // based on pw_uid and pw_gid obtained from pw_name.
+  string uid_string = g_ceph_context->get_set_uid_string();
+  if (!uid_string.empty()) {
+    conf_map.erase("run_as_user");
+    conf_map["run_as_user"] = uid_string;
+  }
+
   const char *options[conf_map.size() * 2 + 1];
   int i = 0;
   for (map<string, string>::iterator iter = conf_map.begin();