aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2020-08-24 19:48:47 +0200
committerKim Alvefur <zash@zash.se>2020-08-24 19:48:47 +0200
commit14826181f338168d41d3e85bce80f5132a9532ba (patch)
treec9e769003bf1cfaab3986e9e6fde072bbf0daf7d
parentd8b0ab9cd04e6198e52f8b0182e3cef09eb82a12 (diff)
downloadprosody-14826181f338168d41d3e85bce80f5132a9532ba.tar.gz
prosody-14826181f338168d41d3e85bce80f5132a9532ba.zip
mod_posix: Remove ancient undocumented user switching
User switching has been done by prosodyctl or init scripts for a very long time now, so this is not needed. Using this would not have worked with module reloading (e.g. to reload certificates) since ports are closed and re-bound, which would then not be allowed. Today there exists better ways to grant low ports, i.e. capabilities(7) <Zash> Why do we have this? <MattJ> Remove it
-rw-r--r--plugins/mod_posix.lua35
1 files changed, 4 insertions, 31 deletions
diff --git a/plugins/mod_posix.lua b/plugins/mod_posix.lua
index 5177aaa5..0a658009 100644
--- a/plugins/mod_posix.lua
+++ b/plugins/mod_posix.lua
@@ -30,39 +30,12 @@ module:set_global(); -- we're a global module
local umask = module:get_option_string("umask", "027");
pposix.umask(umask);
--- Allow switching away from root, some people like strange ports.
-module:hook("server-started", function ()
- local uid = module:get_option("setuid");
- local gid = module:get_option("setgid");
- if gid then
- local success, msg = pposix.setgid(gid);
- if success then
- module:log("debug", "Changed group to %s successfully.", gid);
- else
- module:log("error", "Failed to change group to %s. Error: %s", gid, msg);
- prosody.shutdown("Failed to change group to %s", gid);
- end
- end
- if uid then
- local success, msg = pposix.setuid(uid);
- if success then
- module:log("debug", "Changed user to %s successfully.", uid);
- else
- module:log("error", "Failed to change user to %s. Error: %s", uid, msg);
- prosody.shutdown("Failed to change user to %s", uid);
- end
- end
-end);
-
-- Don't even think about it!
if not prosody.start_time then -- server-starting
- local suid = module:get_option("setuid");
- if not suid or suid == 0 or suid == "root" then
- if pposix.getuid() == 0 and not module:get_option_boolean("run_as_root") then
- module:log("error", "Danger, Will Robinson! Prosody doesn't need to be run as root, so don't do it!");
- module:log("error", "For more information on running Prosody as root, see https://prosody.im/doc/root");
- prosody.shutdown("Refusing to run as root");
- end
+ if pposix.getuid() == 0 and not module:get_option_boolean("run_as_root") then
+ module:log("error", "Danger, Will Robinson! Prosody doesn't need to be run as root, so don't do it!");
+ module:log("error", "For more information on running Prosody as root, see https://prosody.im/doc/root");
+ prosody.shutdown("Refusing to run as root");
end
end