diff options
| author | Kim Alvefur <zash@zash.se> | 2020-08-24 19:48:47 +0200 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2020-08-24 19:48:47 +0200 |
| commit | f25f4bb11a7e68ec997d360c71195e2941042f2a (patch) | |
| tree | c9e769003bf1cfaab3986e9e6fde072bbf0daf7d | |
| parent | 21ecc6ca399493eb88e75f2979d64a779cd34f50 (diff) | |
| download | prosody-f25f4bb11a7e68ec997d360c71195e2941042f2a.tar.gz prosody-f25f4bb11a7e68ec997d360c71195e2941042f2a.zip | |
mod_posix: Remove ancient undocumented user switching
User switching has been done by prosodyctl or init scripts for a very
long time now, so this is not needed.
Using this would not have worked with module reloading (e.g. to reload
certificates) since ports are closed and re-bound, which would then not
be allowed.
Today there exists better ways to grant low ports, i.e. capabilities(7)
<Zash> Why do we have this?
<MattJ> Remove it
| -rw-r--r-- | plugins/mod_posix.lua | 35 |
1 files changed, 4 insertions, 31 deletions
diff --git a/plugins/mod_posix.lua b/plugins/mod_posix.lua index 5177aaa5..0a658009 100644 --- a/plugins/mod_posix.lua +++ b/plugins/mod_posix.lua @@ -30,39 +30,12 @@ module:set_global(); -- we're a global module local umask = module:get_option_string("umask", "027"); pposix.umask(umask); --- Allow switching away from root, some people like strange ports. -module:hook("server-started", function () - local uid = module:get_option("setuid"); - local gid = module:get_option("setgid"); - if gid then - local success, msg = pposix.setgid(gid); - if success then - module:log("debug", "Changed group to %s successfully.", gid); - else - module:log("error", "Failed to change group to %s. Error: %s", gid, msg); - prosody.shutdown("Failed to change group to %s", gid); - end - end - if uid then - local success, msg = pposix.setuid(uid); - if success then - module:log("debug", "Changed user to %s successfully.", uid); - else - module:log("error", "Failed to change user to %s. Error: %s", uid, msg); - prosody.shutdown("Failed to change user to %s", uid); - end - end -end); - -- Don't even think about it! if not prosody.start_time then -- server-starting - local suid = module:get_option("setuid"); - if not suid or suid == 0 or suid == "root" then - if pposix.getuid() == 0 and not module:get_option_boolean("run_as_root") then - module:log("error", "Danger, Will Robinson! Prosody doesn't need to be run as root, so don't do it!"); - module:log("error", "For more information on running Prosody as root, see https://prosody.im/doc/root"); - prosody.shutdown("Refusing to run as root"); - end + if pposix.getuid() == 0 and not module:get_option_boolean("run_as_root") then + module:log("error", "Danger, Will Robinson! Prosody doesn't need to be run as root, so don't do it!"); + module:log("error", "For more information on running Prosody as root, see https://prosody.im/doc/root"); + prosody.shutdown("Refusing to run as root"); end end |