On Thu, Mar 17, 2022 at 06:34:28PM -0000, Stuart Henderson wrote:
> On 2022-03-16, Marc Espie <es...@nerim.net> wrote:
> > On Tue, Mar 15, 2022 at 11:32:19PM +0100, i...@tutanota.com wrote:
> >> Since Go has support for pledge and unveil, I was thinking about
> >> "imitating" the setup for httpd.
> >>
> >> I basically need to run a Go webserver with access to MariaDB,
> >> but would like to chroot the Go webserver.
> >>
> >> I was thinking that since Go by default doesn't run a webserver on
> >> port 80 or 443, I would just spawn as www user on some higher
> >> port and then use PF to redirect.
> >
> > The age old practice of dropping privileges just works.
> >
> > I assume go has bindings for setuid() and friends.
>
> Go software doesn't usually like to do this because of some issue
> with doing so on Linux that I don't _think_ apply to OpenBSD.
> And they have the "allow binding to low ports as a non-root uid"
> setcap thingy so nobody fixes it. (That would have been much more
> acceptable if it was a "bind to _a specific_ low port"...)
>
Since Go 1.16 this issue has been fixed, at least for static and glibc-based builds (not sure about musl libc). See https://github.com/golang/go/commit/d1b1145cace8b968307f9311ff611e4bb810710c and https://github.com/golang/go/commit/d1b1145cace8b968307f9311ff611e4bb810710c

And you're correct--the issue was always specific to Linux. But until Go few people cared because glibc and musl contained hacks to transparently implement POSIX semantics--process-global, not thread-local. However, Go spawns threads directly, rather than using libc's pthreads API and its setuid, et al. syscall wrappers, which emulate proper behavior. Such workarounds aren't necessary on OpenBSD, even if not using the libc userspace APIs, as credentials are process-global in the kernel.
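As an added example (not from the thread or any of its participants), the "bind the low port, then drop privileges" pattern Marc describes, written in Go against the standard library's syscall package so it relies on the Go 1.16 fix rather than on setcap; the www uid/gid of 67 and the /var/www/htdocs document root are assumptions to adjust for the target system.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
	"syscall"
)

const wwwUID, wwwGID = 67, 67 // assumed: OpenBSD's www user, check /etc/passwd
// Drop root in the only order that works (groups, gid, uid), with setuid rather
// than seteuid so the saved uid goes too; Go >= 1.16 applies it to every thread.
func dropPrivileges(uid, gid int) error {
	if err := syscall.Setgroups([]int{gid}); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	return verifyUnprivileged(uid, gid)
}

func verifyUnprivileged(uid, gid int) error {
	if os.Getuid() != uid || os.Geteuid() != uid {
		return fmt.Errorf("uid %d/%d, want %d", os.Getuid(), os.Geteuid(), uid)
	}
	if os.Getgid() != gid || os.Getegid() != gid {
		return fmt.Errorf("gid %d/%d, want %d", os.Getgid(), os.Getegid(), gid)
	}
	if syscall.Setuid(0) == nil { // must be refused once root is really gone
		return fmt.Errorf("process could regain root")
	}
	return nil
}

func main() {
	ln, err := net.Listen("tcp", ":443") // bind the low port while still root
	if err != nil {
		log.Fatal(err)
	}
	if err := dropPrivileges(wwwUID, wwwGID); err != nil {
		log.Fatal(err) // never fall through and serve as root
	}
	log.Fatal(http.Serve(ln, http.FileServer(http.Dir("/var/www/htdocs"))))
}
```

On OpenBSD the kernel already keeps credentials per process, so the same code behaves identically there with or without the Go 1.16 change.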