Merge pull request #450 from 6IRCNet/3.0

Drop root privledges
2015-02-24 10:34:00 -06:00 · 2015-02-24 10:34:00 -06:00 · f66b0993eb
parent 420e77963b c2a00420f2
commit f66b0993eb
4 changed files with 33 additions and 1 deletions
--- a/config.template.yaml
+++ b/config.template.yaml
@ -194,3 +194,11 @@ ffmpeg:
  enabled: false

 link-domain-blacklist: []
+
+# Drop root if started as root!!
+setuid:
+  enabled: false
+  group: 'users'
+  user: 'user'
+# how long to wait in ms before changing uid/gid
+  timeout: 15
--- a/lib/config.js
+++ b/lib/config.js
@ -100,7 +100,13 @@ var defaults = {
    ffmpeg: {
        enabled: false
    },
-    "link-domain-blacklist": []
+    "link-domain-blacklist": [],
+    setuid: {
+        enabled: false,
+        "group": "users",
+        "user": "nobody",
+        "timeout": 15
+    },
 };

 /**
--- a/lib/server.js
+++ b/lib/server.js
@ -108,6 +108,9 @@ var Server = function () {

    // background tasks init ----------------------------------------------
    require("./bgtask")(self);
+
+    // setuid
+    require("./setuid");
 };

 Server.prototype.getHTTPIP = function (req) {
--- a/lib/setuid.js
+++ b/lib/setuid.js
@ -0,0 +1,15 @@
+var Config = require("./config");
+
+if (Config.get("setuid.enabled")) {
+    setTimeout(function() {
+        try {
+            console.log('Old User ID: ' + process.getuid() + ', Old Group ID: ' + process.getgid());
+            process.setgid(Config.get("setuid.group"));
+            process.setuid(Config.get("setuid.user"));
+            console.log('New User ID: ' + process.getuid() + ', New Group ID: ' + process.getgid());
+        } catch (err) {
+            console.log('Cowardly refusing to keep the process alive as root.');
+            process.exit(1);
+        }
+    }, (Config.get("setuid.timeout")));
+};