Allow dropping privs

2024-12-22 12:54:24 +01:00 · 2013-05-03 22:26:07 +02:00 · 2013-05-03 22:26:07 +02:00 · e0c3073d82
commit e0c3073d82
parent c885e875ad
2 changed files with 7 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -26,6 +26,9 @@ Create a configuration file in YAML format somewhere:
 # listen address and port
 host: "0.0.0.0"
 port: "8080"
+# optional: drop priviliges in case you want to but you should give this user at least read access on the log files
+user: "nobody"
+group: "nogroup"
 # logfile is optional, logs to STDOUT else
 logfile: "openvpn-status-web.log"
 # display name for humans and the status file path
--- a/lib/openvpn-status-web.rb
+++ b/lib/openvpn-status-web.rb
@ -105,6 +105,10 @@ module OpenVPNStatusWeb

      OpenVPNStatusWeb.logger.info "Starting..."

+      # drop privs (first change group than user)
+      Process::Sys.setgid(Etc.getgrnam(config['group']).gid) if config['group']
+      Process::Sys.setuid(Etc.getpwnam(config['user']).uid) if config['user']
+
      # configure rack
      app = Daemon.new(config['vpns'])
      if ENV['RACK_ENV'] == "development"