Golang dropping privileges (v1.7)


Problem description

I want to make a custom webserver via golang. It needs root to bind to port 80. However I want to drop root as soon as possible. syscall.SetUid() returns "Not supported" as per ticket #1435.

I could always reroute port 80 to something else via iptables, however this opens up any non-root process to pose as my webserver - which I'd prefer not to be possible.

How do I drop privileges for my application (or alternatively solve this cleanly).

Solution

I'd do what @JimB suggested.

On the other hand, on Linux there's another trick: you can use os/exec.Command() to execute /proc/self/exe while telling it to use alternative credentials in the SysProcAttr.Credential field of the os/exec.Cmd instance it generates.

See go doc os/exec.Cmd, go doc syscall.SysProcAttr and go doc syscall.Credential.

Make sure that when you make your program re-execute itself, you need to make sure the spawned one has its standard I/O streams connected to those of its parent, and all the necessary opened files are inherited as well.


Another alternative worth mentioning is to not attempt to bind to port 80 at all and have a proper web server hanging there, and then reverse-proxy either a hostname-based virtual host or a particular URL path prefix (or prefixes) to your Go process listening on any TCP or Unix socket. Both Apache (2.4 at least) and Nginx can do that easily.
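
The re-exec trick from the answer, as an added example (not code from the original post): the parent binds port 80 as root, then re-runs /proc/self/exe with SysProcAttr.Credential set and hands over the listening socket through ExtraFiles. The PRIVDROP_WORKER variable, the uid/gid 65534 and the placeholder handler are assumptions made for illustration.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"os"
	"os/exec"
	"syscall"
)

const workerEnv = "PRIVDROP_WORKER" // hypothetical marker for the re-executed copy

// workerCmd re-executes this binary as uid/gid, passing sock to it as fd 3.
func workerCmd(sock *os.File, uid, gid uint32) *exec.Cmd {
	cmd := exec.Command("/proc/self/exe")
	cmd.Env = append(os.Environ(), workerEnv+"=1")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.ExtraFiles = []*os.File{sock} // ExtraFiles[i] becomes fd 3+i in the child
	// Supplementary groups are replaced with just gid, so root's are not kept.
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Credential: &syscall.Credential{Uid: uid, Gid: gid, Groups: []uint32{gid}},
	}
	return cmd
}

func main() {
	if os.Getenv(workerEnv) == "1" { // unprivileged worker
		if os.Geteuid() == 0 {
			log.Fatal("worker still has root, refusing to serve")
		}
		ln, err := net.FileListener(os.NewFile(3, "listener"))
		if err != nil {
			log.Fatal(err)
		}
		log.Fatal(http.Serve(ln, http.NotFoundHandler())) // placeholder handler
	}
	// Parent, started as root: bind port 80, run the worker as uid/gid 65534 (assumed).
	ln, err := net.Listen("tcp", ":80")
	if err != nil {
		log.Fatal(err)
	}
	sock, err := ln.(*net.TCPListener).File() // duplicate of the listening socket
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(workerCmd(sock, 65534, 65534).Run())
}
```

The parent stays root while it waits in Run(), but it never accepts a connection itself; only the worker, running under the unprivileged credentials, serves requests.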
