mirror of
https://github.com/mjl-/mox.git
synced 2025-07-10 09:54:40 +03:00
open tls keys/certificate as root, pass fd's to the unprivileged child process
makes it easier to use tls keys/certs managed by other tools, with or without acme. the root process has access to open such files. the child process reads the key from the file descriptor, then closes the file. for issue #30 by inigoserna, thanks!
This commit is contained in:
11
serve.go
11
serve.go
@ -147,11 +147,12 @@ requested, other TLS certificates are requested on demand.
|
||||
mlog.SetConfig(mox.Conf.Log)
|
||||
|
||||
checkACMEHosts := os.Getuid() != 0
|
||||
mox.MustLoadConfig(checkACMEHosts)
|
||||
|
||||
log := mlog.New("serve")
|
||||
|
||||
if os.Getuid() == 0 {
|
||||
mox.MustLoadConfig(checkACMEHosts)
|
||||
|
||||
// No need to potentially start and keep multiple processes. As root, we just need
|
||||
// to start the child process.
|
||||
runtime.GOMAXPROCS(1)
|
||||
@ -160,6 +161,9 @@ requested, other TLS certificates are requested on demand.
|
||||
if os.Getenv("MOX_SOCKETS") != "" {
|
||||
log.Fatal("refusing to start as root with $MOX_SOCKETS set")
|
||||
}
|
||||
if os.Getenv("MOX_FILES") != "" {
|
||||
log.Fatal("refusing to start as root with $MOX_FILES set")
|
||||
}
|
||||
|
||||
if !mox.Conf.Static.NoFixPermissions {
|
||||
// Fix permissions now that we have privilege to do so. Useful for update of v0.0.1
|
||||
@ -178,7 +182,8 @@ requested, other TLS certificates are requested on demand.
|
||||
}
|
||||
} else {
|
||||
log.Print("starting as unprivileged user", mlog.Field("user", mox.Conf.Static.User), mlog.Field("uid", mox.Conf.Static.UID), mlog.Field("gid", mox.Conf.Static.GID), mlog.Field("pid", os.Getpid()))
|
||||
mox.RestorePassedSockets()
|
||||
mox.RestorePassedFiles()
|
||||
mox.MustLoadConfig(checkACMEHosts)
|
||||
}
|
||||
|
||||
syscall.Umask(syscall.Umask(007) | 007)
|
||||
@ -584,7 +589,7 @@ func start(mtastsdbRefresher, skipForkExec bool) error {
|
||||
mox.ForkExecUnprivileged()
|
||||
panic("cannot happen")
|
||||
} else {
|
||||
mox.CleanupPassedSockets()
|
||||
mox.CleanupPassedFiles()
|
||||
}
|
||||
}
|
||||
|
||||
|
Reference in New Issue
Block a user