From: Stefan Sperling
Subject: more privdrop in -portable gotd
To: gameoftrees@openbsd.org
Date: Sat, 13 Apr 2024 11:41:02 +0200

I do not see a reason for gotd components other than the main process
to keep running as root in -portable:

  auth (reads the user database)
  session_read/write (should use the same level of priv as repo_read/write)
  notify (sends e-mail or http requests)

It seems the automated gotd tests are not yet enabled in -portable.
Diff works for me in simple manual testing. I have not tested notifications
but I don't see why they would break.

OK?

diff /home/stsp/src/got-portable commit - 3cb20d616db20a105f3f1744eb680e108c9521dc path + /home/stsp/src/got-portable blob - 8fdfcdc277fb8e76fcf0673b8277273ff4632862 file + gotd/gotd.c --- gotd/gotd.c +++ gotd/gotd.c @@ -2253,6 +2253,8 @@ main(int argc, char **argv) */ apply_unveil_none(); + drop_privs(pw); + auth_main(title, &gotd.repos, repo_path); /* NOTREACHED */ break; @@ -2275,6 +2277,9 @@ main(int argc, char **argv) if (repo == NULL) fatalx("no repository for path %s", repo_path); } + + drop_privs(pw); + if (proc_id == PROC_SESSION_READ) session_read_main(title, repo_path, pack_fds, temp_fds, &gotd.request_timeout, repo); @@ -2353,6 +2358,8 @@ main(int argc, char **argv) */ unveil_notification_helpers(); + drop_privs(pw); + notify_main(title, &gotd.repos, default_sender); /* NOTREACHED */ exit(0);
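
Review bot: In the first hunk (@@ -2253, the auth case), the new drop_privs(pw) before auth_main() has no comment, and the cover message says this process reads the user database. Please confirm on the -portable targets that those lookups still succeed once the process is no longer root, and add a one-line comment above the call saying auth needs no root privileges past this point, so the placement after apply_unveil_none() is self-explanatory to the next reader.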
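
Review bot: In the second hunk (@@ -2275, the session case), anything session_read_main() opens by name under repo_path after the added drop_privs(pw) is now opened as the unprivileged user, and only the read branch is visible in the context here. pack_fds and temp_fds are passed in already open, so they should be unaffected, but repository access by path should be checked for both session_read and session_write in a -portable install, with a push as well as a fetch, since the cover message mentions only simple manual testing.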
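
Review bot: In the third hunk (@@ -2353, the notify case), the drop_privs(pw) placed between unveil_notification_helpers() and notify_main() sits on the one path the cover message says was not tested. The name unveil_notification_helpers() suggests notify relies on external helper programs, which would now be started as the unprivileged user, so one e-mail and one http notification should be exercised manually before this goes in, to confirm the helpers can still be executed and can reach what they need.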