On Thu, Mar 17, 2022 at 09:41:13PM +0100, i...@tutanota.com wrote:
> >> I assume go has bindings for setuid() and friends.
> >
> > Go software doesn't usually like to do this because of some issue
> > with doing so on Linux that I don't _think_ apply to OpenBSD. And
> > they have the "allow binding to low ports as a non-root uid" setcap
> > thingy so nobody fixes it. (That would have been much more acceptable
> > if it was a "bind to _a specific_ low port"...)
>
> For future reference, if someone stumbles upon this.
>
> I found this:
>
> https://stackoverflow.com/questions/41248866/golang-dropping-privileges-v1-7
>
> And this (Linux specific):
>
> https://git.kernel.org/pub/scm/libs/libcap/libcap.git/tree/goapps/web
>
> The PF solution seems simpler to implement.
Since Go 1.16 this issue has been fixed, at least for static and glibc-based builds (not sure about musl libc). See https://github.com/golang/go/commit/d1b1145cace8b968307f9311ff611e4bb810710c and https://github.com/golang/go/commit/d1b1145cace8b968307f9311ff611e4bb810710c

But it was never an issue on OpenBSD, anyhow; rather a problem with how Linux implements these syscalls in the kernel. On OpenBSD things will work as expected, without requiring any hacks. The libcap hack is specific to Linux because the problem is specific to Linux.
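The pattern the thread is circling around, as an added example (not code from either poster, the libcap goapps tree, or the Stack Overflow answer): bind the privileged port while still root, then drop to an unprivileged uid/gid with plain syscall.Setgroups/Setgid/Setuid, which work on OpenBSD and, since Go 1.16, apply to every thread on Linux as well. The flag names, the default port and the choice of verifying with a setuid(0) probe are this example's own assumptions.

```go
// Added example, not from the mailing-list thread: bind a low port as root,
// then permanently drop privileges and verify the drop before serving.
package main

import (
	"errors"
	"flag"
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
	"syscall"
)

// dropPrivileges switches the process to uid/gid and refuses to continue
// if the kernel did not actually apply the change. Order matters:
// supplementary groups and gid first, uid last, because after setuid the
// process is no longer allowed to change its groups.
func dropPrivileges(uid, gid int) error {
	if os.Geteuid() == 0 {
		// Only root may replace the supplementary group list; an
		// unprivileged caller simply keeps the groups it already has.
		if err := syscall.Setgroups([]int{gid}); err != nil {
			return fmt.Errorf("setgroups: %w", err)
		}
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	return verifyDropped(uid, gid)
}

// verifyDropped checks real and effective ids: a privilege drop that fails
// silently is worse than one that aborts the program.
func verifyDropped(uid, gid int) error {
	if os.Getuid() != uid || os.Geteuid() != uid {
		return errors.New("uid was not dropped")
	}
	if os.Getgid() != gid || os.Getegid() != gid {
		return errors.New("gid was not dropped")
	}
	return nil
}

// canRegainRoot reports whether the process can still become uid 0. After a
// correct drop (setuid, not seteuid) the saved uid is gone and this is false.
func canRegainRoot() bool {
	if os.Getuid() == 0 {
		return true
	}
	return syscall.Setuid(0) == nil
}

func main() {
	addr := flag.String("addr", ":80", "listen address (assumed default)")
	uid := flag.Int("uid", 65534, "uid to drop to (assumed default: nobody)")
	gid := flag.Int("gid", 65534, "gid to drop to (assumed default)")
	flag.Parse()

	// The listening socket is created while still root; it stays usable
	// after the drop because the fd, not the uid, carries the permission.
	ln, err := net.Listen("tcp", *addr)
	if err != nil {
		log.Fatalf("listen %s: %v", *addr, err)
	}
	if err := dropPrivileges(*uid, *gid); err != nil {
		log.Fatalf("privilege drop failed, refusing to serve: %v", err)
	}
	if canRegainRoot() {
		log.Fatal("process can still regain root, refusing to serve")
	}
	log.Printf("serving on %s as uid=%d gid=%d", ln.Addr(), os.Getuid(), os.Getgid())
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "running as uid %d\n", os.Getuid())
	})
	log.Fatal(http.Serve(ln, nil))
}
```

Started as root with `-addr :80 -uid 65534 -gid 65534`, the program holds the socket, drops to nobody and then confirms it cannot return to uid 0 before accepting a single request; started without root it fails at the bind step, which is the intended behaviour for a daemon that is supposed to be launched by init.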