From 6489566e867cee81a753b246913b61815819d9b3 Mon Sep 17 00:00:00 2001
From: Paul Emmerich <paul.emmerich@croit.io>
Date: Tue, 25 Sep 2018 14:25:55 +0000
Subject: [PATCH] rgw/beast: drop privileges after binding ports

Fixes: http://tracker.ceph.com/issues/36041

Signed-off-by: Paul Emmerich <paul.emmerich@croit.io>
---
 src/rgw/rgw_asio_frontend.cc | 26 +++++++++++++++++++++++++-
 src/rgw/rgw_main.cc          |  8 ++++----
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index 23a578c472c22..5b51cf927048e 100644
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -10,6 +10,7 @@
 #include <boost/intrusive/list.hpp>
 
 #include "common/async/shared_mutex.h"
+#include "common/errno.h"
 
 #include "rgw_asio_client.h"
 #include "rgw_asio_frontend.h"
@@ -293,6 +294,29 @@ tcp::endpoint parse_endpoint(boost::asio::string_view input,
   return endpoint;
 }
 
+static int drop_privileges(CephContext *ctx)
+{
+  uid_t uid = ctx->get_set_uid();
+  gid_t gid = ctx->get_set_gid();
+  std::string uid_string = ctx->get_set_uid_string();
+  std::string gid_string = ctx->get_set_gid_string();
+  if (gid && setgid(gid) != 0) {
+    int err = errno;
+    ldout(ctx, -1) << "unable to setgid " << gid << ": " << cpp_strerror(err) << dendl;
+    return -err;
+  }
+  if (uid && setuid(uid) != 0) {
+    int err = errno;
+    ldout(ctx, -1) << "unable to setuid " << uid << ": " << cpp_strerror(err) << dendl;
+    return -err;
+  }
+  if (uid && gid) {
+    ldout(ctx, 0) << "set uid:gid to " << uid << ":" << gid
+                  << " (" << uid_string << ":" << gid_string << ")" << dendl;
+  }
+  return 0;
+}
+
 int AsioFrontend::init()
 {
   boost::system::error_code ec;
@@ -350,7 +374,7 @@ int AsioFrontend::init()
 
     ldout(ctx(), 4) << "frontend listening on " << l.endpoint << dendl;
   }
-  return 0;
+  return drop_privileges(ctx());
 }
 
 #ifdef WITH_RADOSGW_BEAST_OPENSSL
diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc
index 3ac76c47dadb1..8a7ad723a8db8 100644
--- a/src/rgw/rgw_main.cc
+++ b/src/rgw/rgw_main.cc
@@ -206,16 +206,16 @@ int main(int argc, const char **argv)
   for (list<string>::iterator iter = frontends.begin(); iter != frontends.end(); ++iter) {
     string& f = *iter;
 
-    if (f.find("civetweb") != string::npos) {
-      // If civetweb is configured as a frontend, prevent global_init() from
+    if (f.find("civetweb") != string::npos || f.find("beast") != string::npos) {
+      // If civetweb or beast is configured as a frontend, prevent global_init() from
       // dropping permissions by setting the appropriate flag.
       flags |= CINIT_FLAG_DEFER_DROP_PRIVILEGES;
       if (f.find("port") != string::npos) {
         // check for the most common ws problems
         if ((f.find("port=") == string::npos) ||
             (f.find("port= ") != string::npos)) {
-          derr << "WARNING: civetweb frontend config found unexpected spacing around 'port' "
-               << "(ensure civetweb port parameter has the form 'port=80' with no spaces "
+          derr << "WARNING: radosgw frontend config found unexpected spacing around 'port' "
+               << "(ensure frontend port parameter has the form 'port=80' with no spaces "
                << "before or after '=')" << dendl;
         }
       }
-- 
2.39.5