From: Stefan Sperling
Subject: more gotwebd privdrop
To: gameoftrees@openbsd.org
Date: Mon, 13 Jan 2025 17:50:12 +0100

I noticed that gotwebd's parent process keeps running as root, and has read access to all of /var/www. This process doesn't do anything after the service workers have started up so keeping these privileges seems unnecessary.

gotwebd starts up just fine with the patch below. The only future problem I see is that if we ever implement re-exec of already running workers, we'll need root again for that.

I'm not sure access to /etc/gotwebd.conf is still needed either but I'm keeping that around in case we ever implement config reload.

M gotwebd/gotwebd.c | 5+ 3- 1 file changed, 5 insertions(+), 3 deletions(-) commit - 34b2702155c3b2f22d92d76d2f807e818ad5789f commit + 8eac8f6a47fecc60722addf392ce5ebb760dd035 blob - aa4091b4467fdc10e4afd07ab963ee00e007b1b7 blob + d0f01c7bfe44841fb45f6bb21328f92c6127e5e0 --- gotwebd/gotwebd.c +++ gotwebd/gotwebd.c @@ -402,14 +402,16 @@ main(int argc, char **argv) if (gotwebd_configure(env) == -1) fatalx("configuration failed"); + if (setgroups(1, &pw->pw_gid) == -1 || + setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 || + setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) + fatal("failed to drop privileges"); + #ifdef PROFILE if (unveil("gmon.out", "rwc") != 0) err(1, "gmon.out"); #endif - if (unveil(env->httpd_chroot, "r") == -1) - err(1, "unveil"); - if (unveil(GOTWEBD_CONF, "r") == -1) err(1, "unveil");
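
Review bot: The retained `unveil(GOTWEBD_CONF, "r")` at the end of the hunk now runs after `setresuid(pw->pw_uid, ...)`, so it only keeps the config reachable if that file is readable by the unprivileged user; if the file is readable by root only, the unveil preserves nothing for a future config reload and the later read would fail on file permissions instead. It would help to either confirm the file mode this relies on or remove this unveil together with the `env->httpd_chroot` one. A short comment above the new `setgroups()`/`setresgid()`/`setresuid()` block, saying that the parent cannot re-exec workers or open root-only files past this point, would record the trade-off in the code itself. The new failure path also reports through `fatal()` while the neighbouring unveil calls use `err(1, ...)`; using one of the two throughout this startup sequence would keep error reporting consistent.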