Pull request: all: support setgid, setuid on unix

Updates #2763. Squashed commit of the following: commit bd2077c6569b53ae341a58aa73de6063d7037e8e Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Jun 4 16:25:17 2021 +0300 all: move rlimit_nofile, imp docs commit ba95d4ab7c722bf83300d626a598aface37539ad Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Jun 4 15:12:23 2021 +0300 all: support setgid, setuid on unix
2025-05-01 13:41:07 +03:00 · 2021-06-04 16:35:34 +03:00 · 2021-06-04 16:35:34 +03:00 · 48c44c29ab
commit 48c44c29ab
parent 3b87478470
14 changed files with 283 additions and 31 deletions
--- a/internal/home/home.go
+++ b/internal/home/home.go
@ -119,7 +119,7 @@ func Main(clientBuildFS fs.FS) {
 		// support OpenBSD currently.  Either patch it to do so or make
 		// our own implementation of the service.System interface.
 		if runtime.GOOS == "openbsd" {
-			log.Fatal("service actions are not supported on openbsd")
+			log.Fatal("service actions are not supported on openbsd, see issue 3226")
 		}

 		handleServiceControlAction(args, clientBuildFS)
@ -183,6 +183,59 @@ func setupContext(args options) {
 	Context.mux = http.NewServeMux()
 }

+// logIfUnsupported logs a formatted warning if the error is one of the
+// unsupported errors and returns nil.  If err is nil, logIfUnsupported returns
+// nil.  Otherise, it returns err.
+func logIfUnsupported(msg string, err error) (outErr error) {
+	if unsupErr := (&aghos.UnsupportedError{}); errors.As(err, &unsupErr) {
+		log.Debug(msg, err)
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// configureOS sets the OS-related configuration.
+func configureOS(conf *configuration) (err error) {
+	osConf := conf.OSConfig
+	if osConf == nil {
+		return nil
+	}
+
+	if osConf.Group != "" {
+		err = aghos.SetGroup(osConf.Group)
+		err = logIfUnsupported("warning: setting group", err)
+		if err != nil {
+			return fmt.Errorf("setting group: %w", err)
+		}
+
+		log.Info("group set to %s", osConf.Group)
+	}
+
+	if osConf.User != "" {
+		err = aghos.SetUser(osConf.User)
+		err = logIfUnsupported("warning: setting user", err)
+		if err != nil {
+			return fmt.Errorf("setting user: %w", err)
+		}
+
+		log.Info("user set to %s", osConf.User)
+	}
+
+	if osConf.RlimitNoFile != 0 {
+		err = aghos.SetRlimit(osConf.RlimitNoFile)
+		err = logIfUnsupported("warning: setting rlimit", err)
+		if err != nil {
+			return fmt.Errorf("setting rlimit: %w", err)
+		}
+
+		log.Info("rlimit_nofile set to %d", osConf.RlimitNoFile)
+	}
+
+	return nil
+}
+
 func setupConfig(args options) (err error) {
 	config.DHCP.WorkDir = Context.workDir
 	config.DHCP.HTTPRegister = httpRegister
@ -216,13 +269,6 @@ func setupConfig(args options) (err error) {
 	Context.clients.Init(config.Clients, Context.dhcpServer, Context.etcHosts)
 	config.Clients = nil

-	if config.RlimitNoFile != 0 {
-		err = aghos.SetRlimit(config.RlimitNoFile)
-		if err != nil && !errors.Is(err, aghos.ErrUnsupported) {
-			return fmt.Errorf("setting rlimit: %w", err)
-		}
-	}
-
 	// override bind host/port from the console
 	if args.bindHost != nil {
 		config.BindHost = args.bindHost
@ -309,6 +355,9 @@ func run(args options, clientBuildFS fs.FS) {

 	setupContext(args)

+	err = configureOS(&config)
+	fatalOnError(err)
+
 	// clients package uses filtering package's static data (filtering.BlockedSvcKnown()),
 	//  so we have to initialize filtering's static data first,
 	//  but also avoid relying on automatic Go init() function