Merge pull request #450 from 6IRCNet/3.0

Drop root privledges

config.template.yaml

@@ -194,3 +194,11 @@ ffmpeg:
   enabled: false
 
 link-domain-blacklist: []
+
+# Drop root if started as root!!
+setuid:
+  enabled: false
+  group: 'users'
+  user: 'user'
+# how long to wait in ms before changing uid/gid
+  timeout: 15

lib/config.js

@@ -100,7 +100,13 @@ var defaults = {
     ffmpeg: {
         enabled: false
     },
-    "link-domain-blacklist": []
+    "link-domain-blacklist": [],
+    setuid: {
+        enabled: false,
+        "group": "users",
+        "user": "nobody",
+        "timeout": 15
+    },
 };
 
 /**

lib/server.js

@@ -108,6 +108,9 @@ var Server = function () {
 
     // background tasks init ----------------------------------------------
     require("./bgtask")(self);
+
+    // setuid
+    require("./setuid");
 };
 
 Server.prototype.getHTTPIP = function (req) {

lib/setuid.js

@@ -0,0 +1,15 @@
+var Config = require("./config");
+
+if (Config.get("setuid.enabled")) {
+    setTimeout(function() {
+        try {
+            console.log('Old User ID: ' + process.getuid() + ', Old Group ID: ' + process.getgid());
+            process.setgid(Config.get("setuid.group"));
+            process.setuid(Config.get("setuid.user"));
+            console.log('New User ID: ' + process.getuid() + ', New Group ID: ' + process.getgid());
+        } catch (err) {
+            console.log('Cowardly refusing to keep the process alive as root.');
+            process.exit(1);
+        }
+    }, (Config.get("setuid.timeout")));
+};