From e3d8d65f16c9bef67281aff9e71d0daac20e9703 Mon Sep 17 00:00:00 2001
From: Karol Mroz
Date: Tue, 8 Mar 2016 09:54:03 +0100
Subject: [PATCH] rgw: instruct civetweb to drop permissions

Get uid set in g_ceph_context and pass to civetweb where setuid()/setgid() will be invoked. This Allows for starting civetweb under privileged port numbers.

Fixes: #13600
Signed-off-by: Karol Mroz
---
 src/rgw/rgw_civetweb_frontend.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/rgw/rgw_civetweb_frontend.cc b/src/rgw/rgw_civetweb_frontend.cc
index e5c1b18d0cfac..557bb5b0f3e9a 100644
--- a/src/rgw/rgw_civetweb_frontend.cc
+++ b/src/rgw/rgw_civetweb_frontend.cc
@@ -43,6 +43,14 @@ int RGWMongooseFrontend::run() {
 set_conf_default(conf_map, "num_threads", thread_pool_buf);
 set_conf_default(conf_map, "decode_url", "no");
 
+ // Set run_as_user. This will cause civetweb to invoke setuid() and setgid()
+ // based on pw_uid and pw_gid obtained from pw_name.
+ string uid_string = g_ceph_context->get_set_uid_string();
+ if (!uid_string.empty()) {
+ conf_map.erase("run_as_user");
+ conf_map["run_as_user"] = uid_string;
+ }
+
 const char *options[conf_map.size() * 2 + 1];
 int i = 0;
 for (map::iterator iter = conf_map.begin();
-- 
2.39.5
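Review bot: The added `run_as_user` block hands civetweb only the user name, so the group the process ends up in is whatever `pw_gid` the passwd entry carries (as the new comment itself says); a group configured separately for the daemon is not applied, and nothing visible here shows supplementary groups inherited from root being cleared before `setuid()`. I would record that limit next to the assignment, e.g. `// NOTE: gid is taken from the passwd entry of uid_string; a separately configured group is ignored and supplementary groups are left to civetweb`, and confirm in civetweb's handling of this option that inherited group membership is dropped. The `conf_map.erase("run_as_user");` line is redundant, since `conf_map["run_as_user"] = uid_string;` already overwrites an existing entry, and an operator-supplied `run_as_user` is replaced silently, which deserves a log line. `RGWMongooseFrontend::run()` starts before and continues past this hunk, so whether a failed privilege drop stops the frontend from serving is not visible here.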