Running Go http server on port 80 as non-root user


Jared Bischof

Nov 15, 2013, 12:39:11 PM
to golan...@googlegroups.com
I've seen various suggestions on how to run a Go http server as a non-root user, including running on a port other than 80 and using a proxy in front of the Go app, running as root and then using setuid or chown to change to another user, or using setcap. Currently I'm leaning towards using setcap, but I'm still wondering if there's a better way or a conventional way of doing this. Oh, and I should mention my server is multi-threaded.

Jared Bischof

Nov 15, 2013, 1:46:12 PM
to golan...@googlegroups.com
Let me correct, I meant to say chrootuid, not chown.

There was a previous post and discussion about it at the link below, but it was in 2011 and I was wondering if anything had changed or if there was a Go standard way for doing this.

https://groups.google.com/forum/#!topic/golang-nuts/BZWXqv3YSg4

Thanks,
Jared

Jared Bischof

Nov 15, 2013, 2:09:03 PM
to golan...@googlegroups.com
It appears (on my system at least) that the code previously posted under this issue (http://code.google.com/p/go/issues/detail?id=1435) now works as desired. Please note, though, that I had to make a couple of minor edits to the code to get it to run under go1.1.2. I've attached the new code. My question now is: does this just work on my system, or do my results reflect an actual update to Go? Contrary to the output the original poster received in the issue, my output looks like this:

go run test.go 501 20
gorutine 1: uid=0 euid=0 gid=0 egid=0
gorutine 2: uid=0 euid=0 gid=0 egid=0
gorutine 3: uid=0 euid=0 gid=0 egid=0
gorutine 4: uid=0 euid=0 gid=0 egid=0
gorutine 5: uid=0 euid=0 gid=0 egid=0
gorutine 6: uid=0 euid=0 gid=0 egid=0
gorutine 7: uid=0 euid=0 gid=0 egid=0
gorutine 8: uid=0 euid=0 gid=0 egid=0
gorutine 9: uid=0 euid=0 gid=0 egid=0
gorutine 0: uid=501 euid=501 gid=20 egid=20
gorutine 1: uid=501 euid=501 gid=20 egid=20
gorutine 2: uid=501 euid=501 gid=20 egid=20
gorutine 3: uid=501 euid=501 gid=20 egid=20
gorutine 4: uid=501 euid=501 gid=20 egid=20
gorutine 5: uid=501 euid=501 gid=20 egid=20
gorutine 6: uid=501 euid=501 gid=20 egid=20
gorutine 7: uid=501 euid=501 gid=20 egid=20
gorutine 8: uid=501 euid=501 gid=20 egid=20
gorutine 9: uid=501 euid=501 gid=20 egid=20
gorutine 0: uid=501 euid=501 gid=20 egid=20
...
test.go

Dave Cheney

Nov 15, 2013, 5:52:13 PM
to Jared Bischof, golang-nuts
Have you considered options using iptables to SNAT port 80 to some
higher port? This is a well known, but probably not quite as common
way of running a non privileged process with a privileged port.

Naoki INADA

Nov 16, 2013, 8:00:55 AM
to golan...@googlegroups.com
FYI, I use an external tool to bind the port, chuid(), and exec the Go program.
The Go program can receive the fd and use it.

Circus [1] is a good process manager with a socket manager.

Naoki INADA

Nov 16, 2013, 8:02:43 AM
to golan...@googlegroups.com
Circus [1] is a good process manager with a socket manager.
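
The fd-passing approach described in the post above, sketched from the Go side as an added example that is not part of the original thread or of any poster's code. It assumes the launcher binds port 80, drops privileges, and hands the listening socket over as descriptor 3; that number and the names refuseRoot, listenerFromFile and handler are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
	"time"
)

// refuseRoot fails when the process still has effective UID 0, which would
// mean the launcher did not drop privileges before exec.
func refuseRoot(euid int) error {
	if euid == 0 {
		return errors.New("refusing to serve as root: privileges were not dropped")
	}
	return nil
}

// listenerFromFile turns an inherited, already-bound socket into a net.Listener.
// net.FileListener duplicates the descriptor, so the inherited copy is closed here.
func listenerFromFile(f *os.File) (net.Listener, error) {
	if f == nil {
		return nil, errors.New("no inherited descriptor")
	}
	defer f.Close()
	return net.FileListener(f)
}

// handler reports the effective UID so the privilege drop is easy to confirm.
func handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served by euid %d\n", os.Geteuid())
	})
}

func main() {
	if err := refuseRoot(os.Geteuid()); err != nil {
		log.Fatal(err)
	}
	// Assumption: the launcher passes the port-80 socket as fd 3.
	ln, err := listenerFromFile(os.NewFile(3, "inherited-listener"))
	if err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{Handler: handler(), ReadHeaderTimeout: 5 * time.Second}
	log.Fatal(srv.Serve(ln))
}
```

Because the Go process never holds root or CAP_NET_BIND_SERVICE, every thread it creates starts unprivileged, which sidesteps the per-thread setuid question raised earlier in the thread.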


Jared Bischof

Nov 18, 2013, 4:30:43 PM
to Naoki INADA, golan...@googlegroups.com
Interesting, thanks for the suggestion.  I ended up using setcap for now.  I tried using setuid and setgid in golang with goweb version 1 (old) but apparently in order to get the proper uid on new threads accessing my web server, this would have to be done within the goweb code itself.  I'm going to contact the goweb 2 developer to see if they've come up with a better way to integrate this into golang.

Thanks,
Jared



Jared Bischof

Dec 13, 2013, 12:46:21 PM
to golan...@googlegroups.com, Naoki INADA
Just an update, they use setcap as well.

