Even pre-go1.16, while it's true that Setuid/Setgid don't work reliably in a multi-threaded program, I don't think the conclusions they draw are correct. You can still start CGI processes as a different user: https://golang.org/pkg/os/exec/#Cmd.SysProcAttr Also, while I'm not totally sure, I think before `main` starts, a Go process is effectively single-threaded, so if called from `init` they might be safe? Lastly, there are of course workarounds you can do with helper processes to drop privileges.
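As an added example (not code from this thread, from Molly Brown, or from the Go project), this is the approach the reply above links to: `exec.Cmd.SysProcAttr` with a `syscall.Credential`, so the CGI child is started as another user while the multi-threaded server never calls Setuid/Setgid on itself. The helper names `resolveUser` and `cgiCommand`, the `cgirun <user> <script>` usage and the minimal CGI environment are assumptions; the switch only succeeds when the server holds CAP_SETUID/CAP_SETGID (e.g. runs as root).

```go
package main

import (
	"log"
	"os"
	"os/exec"
	"os/user"
	"strconv"
	"syscall"
)
// resolveUser maps a username to its numeric uid and primary gid.
func resolveUser(name string) (uid, gid uint32, err error) {
	u, err := user.Lookup(name)
	if err != nil {
		return 0, 0, err
	}
	u64, err := strconv.ParseUint(u.Uid, 10, 32)
	if err != nil {
		return 0, 0, err
	}
	g64, err := strconv.ParseUint(u.Gid, 10, 32)
	return uint32(u64), uint32(g64), err
}

// cgiCommand prepares a CGI script to run as uid/gid. The runtime applies the
// Credential in the forked child before exec, so the multi-threaded server never
// calls setuid/setgid on itself. Groups left empty clears supplementary groups.
func cgiCommand(script string, uid, gid uint32, env []string) *exec.Cmd {
	cmd := exec.Command(script)
	cmd.Env = env // minimal, explicit environment; never pass os.Environ() through
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Credential: &syscall.Credential{Uid: uid, Gid: gid},
	}
	return cmd
}

func main() {
	if len(os.Args) != 3 {
		log.Fatal("usage: cgirun <user> <script>")
	}
	uid, gid, err := resolveUser(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	cmd := cgiCommand(os.Args[2], uid, gid, []string{"GATEWAY_INTERFACE=CGI/1.1"})
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		log.Fatal(err)
	}
}
```

Without the capability the fork/exec fails with EPERM and `cmd.Run` returns that error, so the script is never run as the server's own user by accident.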
It certainly is possible to run a subprocess as a different user. It might not be terribly convenient and you definitely have to deviate from the traditional "fork/change process state/exec" model. But it's also not beyond feasible.

On Wed, Dec 16, 2020 at 10:00 AM Russtopia <rma...@gmail.com> wrote:

> My bad ... I see too late that someone already filed an issue with the molly-brown project about this.
>
> https://tildegit.org/solderpunk/molly-brown/issues/16
>
> On Wed, 16 Dec 2020 at 00:49, Russtopia <rma...@gmail.com> wrote:
>
>> The experimental 'Project Gemini' [https://gemini.circumlunar.space/] has a few servers written in Go, and one in particular [https://tildegit.org/solderpunk/molly-brown] makes this claim:
>>
>>> It is very important to be aware that programs written in Go are unable to reliably change their UID once started, due to how goroutines are implemented on unix systems. As an unavoidable consequence of this, CGI processes started by Molly Brown are run as the same user as the server process.
>>
>> Surely this is not true? This claim seems to suggest a big security issue that I would hope can be refuted by Go experts -- perhaps the maintainers of the molly-brown project could be guided to a solution so this scary claim could be removed.
>>
>> I wanted to try out the above server but am hesitant to do so given the above ...
>>
>> -R.
>
> --
> You received this message because you are subscribed to the Google Groups "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAN4yCu8jcGfx0tuW7YL3itVh-k1YYxYTSRAaB_bCLdNBce_RpA%40mail.gmail.com.