On 2022-03-16, Marc Espie <es...@nerim.net> wrote:
> On Tue, Mar 15, 2022 at 11:32:19PM +0100, i...@tutanota.com wrote:
>> Since Go has support for pledge and unveil, I was thinking about
>> "imitating" the setup for httpd.
>>
>> I basically need to run a Go webserver with access to MariaDB,
>> but would like to chroot the Go webserver.
>>
>> I was thinking that since Go by default doesn't run a webserver on
>> port 80 or 443, I would just spawn as www user on some higher
>> port and then use PF to redirect.
>
> The age old practice of dropping privileges just works.
>
> I assume go has bindings for setuid() and friends.
Go software doesn't usually like to do this because of some issue with doing so on Linux that I don't _think_ applies to OpenBSD. And they have the "allow binding to low ports as a non-root uid" setcap thingy, so nobody fixes it. (That would have been much more acceptable if it was a "bind to _a specific_ low port"...)
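The "bind first, then drop privileges" pattern the thread refers to, written out as an added Go example (not code from any participant in the thread): the listener for port 80 is opened while still root, the process then switches to the `www` account, and only after verifying that the switch stuck and cannot be reversed does it start serving. The account name `www`, the port, and the handler are assumptions for illustration. The example uses only the standard library so it builds on both OpenBSD and Linux; it assumes Go 1.16 or later, where `syscall.Setuid` and friends are applied to every thread of the process on Linux. Running as root is required only for the bind and the identity switch themselves.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
	"os/user"
	"strconv"
	"syscall"
)

// resolveUser looks up an account name and returns its numeric uid and gid.
func resolveUser(name string) (uid, gid int, err error) {
	u, err := user.Lookup(name)
	if err != nil {
		return 0, 0, err
	}
	if uid, err = strconv.Atoi(u.Uid); err != nil {
		return 0, 0, err
	}
	if gid, err = strconv.Atoi(u.Gid); err != nil {
		return 0, 0, err
	}
	return uid, gid, nil
}

// dropPrivileges permanently switches the process to uid/gid.
// Order matters: supplementary groups and the gid must be changed while
// still root, because once the uid is changed they can no longer be touched.
func dropPrivileges(uid, gid int) error {
	if uid == 0 {
		return errors.New("refusing to keep serving as root")
	}
	if os.Geteuid() == uid && os.Getegid() == gid {
		return nil // already running as the target identity
	}
	if os.Geteuid() != 0 {
		return fmt.Errorf("need root to switch to uid %d, running as uid %d", uid, os.Geteuid())
	}
	if err := syscall.Setgroups([]int{gid}); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	// Verify the drop took effect and that root cannot be regained.
	if os.Geteuid() != uid || os.Getegid() != gid {
		return errors.New("privilege drop did not take effect")
	}
	if err := syscall.Setuid(0); err == nil {
		return errors.New("privileges can be regained: setuid(0) succeeded")
	}
	return nil
}

// serveAsUnprivileged binds addr while still root, drops to the given
// account, and then serves. The already-open listener survives the drop
// because it is just a file descriptor; no new bind happens afterwards.
func serveAsUnprivileged(addr, account string, h http.Handler) error {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return err
	}
	uid, gid, err := resolveUser(account)
	if err != nil {
		ln.Close()
		return err
	}
	if err := dropPrivileges(uid, gid); err != nil {
		ln.Close()
		return err
	}
	log.Printf("listening on %s as uid %d gid %d", ln.Addr(), os.Geteuid(), os.Getegid())
	return http.Serve(ln, h)
}

func main() {
	// Assumed handler and account name; the port mirrors the thread's example.
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "served by an unprivileged worker")
	})
	if err := serveAsUnprivileged(":80", "www", http.DefaultServeMux); err != nil {
		log.Fatal(err)
	}
}
```

The two post-drop checks are the part worth keeping in real code: confirming the effective ids and confirming that `setuid(0)` now fails turns a silent misconfiguration (for example a partial drop that left the saved uid as root) into a startup failure rather than a server that quietly keeps its privileges. On OpenBSD the natural next step after the drop is `unix.Pledge`/`unix.Unveil` from `golang.org/x/sys/unix`, which are left out here to keep the example standard-library only.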