My bad ... I see too late that someone already filed an issue with the molly-brown project about this.
https://tildegit.org/solderpunk/molly-brown/issues/16 On Wed, 16 Dec 2020 at 00:49, Russtopia <rma...@gmail.com> wrote: > The experimental 'Project Gemini' [https://gemini.circumlunar.space/] has > a few servers written in Go, and one in particular [ > https://tildegit.org/solderpunk/molly-brown] makes this claim: > > It is very important to be aware that programs written in Go are unable to >> reliably change their UID once started, due to how goroutines are >> implemented on unix systems. As an unavoidable consequence of this, CGI >> processes started by Molly Brown are run as the same user as the server >> process. > > > Surely this is not true? This claim seems to suggest a big security issue > that I would hope can be refuted by Go experts -- perhaps the maintainers > of the molly-brown project could be guided to a solution so this > scary claim could be removed. > > I wanted to try out the above server but am hesitant to do so given the > above ... > > -R. > > > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAN4yCu8jcGfx0tuW7YL3itVh-k1YYxYTSRAaB_bCLdNBce_RpA%40mail.gmail.com.
