inetmock/inetmock
1
0
Fork 0
Code Issues 10 Pull requests 13 Projects 1 Releases Packages 1 Wiki Activity Actions

Add privilege dropping #35

New issue
Open
opened 2021-09-05 09:18:54 +00:00 by baez90 · 1 comment
baez90 commented 2021-09-05 09:18:54 +00:00 (Migrated from gitlab.com)
Copy link

Since Go 1.16 privilege dropping with unix.Setuid and unix.Setgid is finally possible.

A modified workflow could be:

  1. start the container as root
  2. chown the data directories
  3. open the sockets
  4. Switch identity and start listening

That way created files would be opened by a restricted user and opening more sockets would be impossible. On the other hand the setup of the data directories and Mlmulti-container environments would be easier to setup.

Same's true for scenarios running directly on a host which might come handy when not all files are owned by root

Since Go 1.16 privilege dropping with `unix.Setuid` and `unix.Setgid` is finally possible. A modified workflow could be: 1. start the container as root 2. `chown` the data directories 3. open the sockets 4. Switch identity and start listening That way created files would be opened by a restricted user and opening more sockets would be impossible. On the other hand the setup of the data directories and Mlmulti-container environments would be easier to setup. Same's true for scenarios running directly on a host which might come handy when not all files are owned by `root`
baez90 commented 2021-09-05 09:18:54 +00:00 (Migrated from gitlab.com)
Copy link

assigned to @baez90

assigned to @baez90
prskr added this to the Default project 2022-12-18 10:34:57 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
renovate/github.com-cilium-ebpf-0.x
renovate/docker.io-alpine-3.x
renovate/alpine-3.x
renovate/github.com-gopacket-gopacket-1.x
renovate/github.com-miekg-dns-1.x
renovate/docker.io-library-golang-1.x
renovate/github.com-google-go-containerregistry-0.x
renovate/github.com-vmihailenco-msgpack-v5-5.x
renovate/github.com-maxatome-go-testdeep-1.x
renovate/github.com-magefile-mage-1.x
renovate/github.com-jinzhu-copier-0.x
renovate/github.com-alecthomas-participle-v2-2.x
feature/build-on-arm64
renovate/github.com-google-ko-0.x
renovate/github.com-datadog-ebpf-manager-0.x
renovate/github.com-testcontainers-testcontainers-go-0.x
renovate/github.com-grpc-ecosystem-go-grpc-middleware-1.x
renovate/github.com-dgraph-io-badger-v4-4.x
renovate/google.golang.org-protobuf-1.x
feature/use-upstream-gopacket
upgrade-to-go-1.18
40-client-ui-to-monitor-handler-activiy-from-a-browser
go-1.18-generics
20-update-docs
v0.9.4
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.0
v0.7.3
v0.7.2
v0.7.1
v0.7.0
v0.6.1
v0.6.0
v0.6.0-pre-2
v0.6.0-pre-1
v0.5.1
v0.5.0
v0.4.0
v0.3.0
v0.2.0
v0.1.0
v0.0.2
v0.0.1
Labels
Clear labels   
Doing

   
To Do

   
api::config

   
api::grpc

Issues that include an extension/change of the gRPC API

  
bug

   
component::imctl

Related to the imctl client component

  
component::inetmock

Related to the inetmock server component

  
documentation

   
duplicate

   
enhancement

   
good first issue

   
help wanted

   
invalid

   
new_protocol

Issues that in/directly require new protocols

  
pcap

   
protocols::dhcp

   
protocols::dns_mock

   
protocols::dns_over_https

Dns-over-HTTPS related issues

  
protocols::http_mock

   
protocols::http_proxy

   
protocols::ntp

   
protocols::smtp

Related to the SMTP protocol

  
question

   
wontfix
No labels
Doing
To Do
api::config
api::grpc
bug
component::imctl
component::inetmock
documentation
duplicate
enhancement
good first issue
help wanted
invalid
new_protocol
pcap
protocols::dhcp
protocols::dns_mock
protocols::dns_over_https
protocols::http_mock
protocols::http_proxy
protocols::ntp
protocols::smtp
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Default
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: inetmock/inetmock#35
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?