diff --git a/lib/core/context.c b/lib/core/context.c index 0feb6a974..3ae596419 100644 --- a/lib/core/context.c +++ b/lib/core/context.c @@ -429,6 +429,10 @@ lwsl_info("context created\n"); context->username = info->username; context->groupname = info->groupname; + /* if he gave us names, set the uid / gid */ + if (lws_plat_drop_app_privileges(context, 0)) + goto bail; + #if defined(LWS_HAVE_SYS_CAPABILITY_H) && defined(LWS_HAVE_LIBCAP) memcpy(context->caps, info->caps, sizeof(context->caps)); context->count_caps = info->count_caps; @@ -440,7 +444,7 @@ lwsl_info("context created\n"); * listening, we don't want the power for anything else */ if (!lws_check_opt(info->options, LWS_SERVER_OPTION_EXPLICIT_VHOSTS)) - if (lws_plat_drop_app_privileges(context)) + if (lws_plat_drop_app_privileges(context, 1)) goto bail; #if defined(LWS_WITH_NETWORK) diff --git a/lib/core/libwebsockets.c b/lib/core/libwebsockets.c index 9791ae194..fe4922640 100644 --- a/lib/core/libwebsockets.c +++ b/lib/core/libwebsockets.c @@ -521,7 +521,7 @@ LWS_VISIBLE LWS_EXTERN int lws_finalize_startup(struct lws_context *context) { if (lws_check_opt(context->options, LWS_SERVER_OPTION_EXPLICIT_VHOSTS)) - if (lws_plat_drop_app_privileges(context)) + if (lws_plat_drop_app_privileges(context, 1)) return 1; return 0; diff --git a/lib/core/private.h b/lib/core/private.h index e7d9e4471..d108e18e6 100644 --- a/lib/core/private.h +++ b/lib/core/private.h @@ -591,7 +591,7 @@ LWS_EXTERN int lws_plat_init(struct lws_context *context, const struct lws_context_creation_info *info); LWS_EXTERN int -lws_plat_drop_app_privileges(struct lws_context *context); +lws_plat_drop_app_privileges(struct lws_context *context, int actually_drop); #if defined(LWS_WITH_UNIX_SOCK) int diff --git a/lib/plat/esp32/esp32-misc.c b/lib/plat/esp32/esp32-misc.c index 6d34c63e5..af8773257 100644 --- a/lib/plat/esp32/esp32-misc.c +++ b/lib/plat/esp32/esp32-misc.c @@ -58,7 +58,7 @@ LWS_VISIBLE void lwsl_emit_syslog(int level, const char *line) } int -lws_plat_drop_app_privileges(struct lws_context *context) +lws_plat_drop_app_privileges(struct lws_context *context, int actually_init) { return 0; } diff --git a/lib/plat/optee/lws-plat-optee.c b/lib/plat/optee/lws-plat-optee.c index 5760c7686..d12088199 100644 --- a/lib/plat/optee/lws-plat-optee.c +++ b/lib/plat/optee/lws-plat-optee.c @@ -108,7 +108,7 @@ lws_plat_set_nonblocking(int fd) } int -lws_plat_drop_app_privileges(struct lws_context *context) +lws_plat_drop_app_privileges(struct lws_context *context, int actually_init) { return 0; } diff --git a/lib/plat/unix/unix-caps.c b/lib/plat/unix/unix-caps.c index 2ae3a6302..3414e3075 100644 --- a/lib/plat/unix/unix-caps.c +++ b/lib/plat/unix/unix-caps.c @@ -83,7 +83,7 @@ lws_plat_user_colon_group_to_ids(const char *u_colon_g, uid_t *puid, gid_t *pgid } int -lws_plat_drop_app_privileges(struct lws_context *context) +lws_plat_drop_app_privileges(struct lws_context *context, int actually_drop) { struct passwd *p; struct group *g; @@ -97,8 +97,6 @@ lws_plat_drop_app_privileges(struct lws_context *context) lwsl_info("%s: group %s -> gid %u\n", __func__, context->groupname, g->gr_gid); context->gid = g->gr_gid; - if (setgid(g->gr_gid)) - lwsl_warn("setgid: %s\n", strerror(LWS_ERRNO)); } else { lwsl_err("%s: unknown groupname '%s'\n", __func__, context->groupname); @@ -125,6 +123,9 @@ lws_plat_drop_app_privileges(struct lws_context *context) } } + if (!actually_drop) + return 0; + /* if he gave us the gid or we have it from the groupname, set it */ if (context->gid && context->gid != -1) { diff --git a/lib/plat/windows/windows-init.c b/lib/plat/windows/windows-init.c index 1d42ad9d5..76b595272 100644 --- a/lib/plat/windows/windows-init.c +++ b/lib/plat/windows/windows-init.c @@ -25,7 +25,7 @@ #include "core/private.h" int -lws_plat_drop_app_privileges(struct lws_context *context) +lws_plat_drop_app_privileges(struct lws_context *context, int actually_set) { return 0; }