David
--
David Roundy
Chroot/setuid work at the process level not the thread level. Even if it were possible to alter the effective uid for a thread, the runtime model of mapping n goroutines to m threads would make it impossible to lock a certain goroutine to a thread with reduced privs.
Happy to be proven wrong, why don't you code up an example and give it a try?
Cheers
Dave
Sent from my iPhone
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/linux-thread-problems.html
"The kernel still lacks the ability to share several resources between tasks
that, according to the POSIX threading model, must be shared by all threads
within a single process. So there are still, even as of 2010 and kernel version
2.6.33, problems with threads on Linux. Quite a lot of necessary changes to
the kernel still remain outstanding."
In Linux, setuid affects only the thread that happened to be executing
the system call.
The remaining ones are unaffected.
Jacek
Sadly, yes.
Setuid problem aside, if you chroot you will quickly notice loss of many
common services. Consider how are DNS queries to be made in absence
of /etc/resolv.conf? Moreover, crypto/rand package relies on /dev/urandom,
crypto/tls on /etc/ssl, and so on.
It's possible to engineer solutions to these problems. The OpenBSD project
has over the years introduced chroot, privilege drop, and privilege separation
to many system tools and services.
Sadly, doing that in Go in a way that is portable across the UNIX land
is made impossible by that Linux threading issue.
Currently, the easiest way of getting some safety benefit with minimum hassle
is to sudo -u user a program that listens on high ports only.
The whole point is that on Linux it's impossible.
> Overall, I need a predictable behavior. Current behavior, where one
> gorutine sometime works with one user privileges and sometimes with
> other isn't acceptable.
Sure. Report the problem on the right forum: http://lkml.org
It has nothing to do with Go.
> Both chroot and setuid are defined to take effect at process level.
> However, the setuid situation in the dominant UNIX-like system is laughable.
>
> http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/linux-thread-problems.html
This part is about LinuxThreads. It's fixed in NPTL. The Go run-time
just doesn't use the proper flags when calling clone(), I guess.
No, according to that article it's not fixed but ignored. A call to kernel's
setuid still does not act as advertised. Instead, it's suggested that
users write setuid wrappers that simulate desired behavior with the
aid of signals.
you can always use http.ListenAndServe to listen on an
explicit port.
sorry, an extra comma meant that i misinterpreted your question
(as "Can I write a web application using http package (which works on port
80) without root privileges?")
it's probably worth filing an issue.
Personally, I wouldn't run a go program on port 80 and would instead
run lighttpd or nginx as a reverse proxy in front of it but this
shouldn't be a requirement. The setuid problem is separate from this,
as Albert points out, and it would be nice to resolve it.
1: http://linux.die.net/man/7/capabilities