New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
runtime: Go programs should be able to drop capabilities #13838
Comments
This introduces too much API to the runtime, we should just
fix the original issue.
BTW, if you really want to do setuid/setgid and capabilities
stuff, use cgo, and glibc will handle everything automatically.
|
|
Duplicate of #1435. |
I marked this as a duplicate of #1435 and I tagged #1435 for consideration in Go 1.7. The runtime package is certainly the wrong place for this API. Perhaps the os package, but even there I worry that it's too customized for Linux. The right fix really is to make syscall.Setuid/syscall.Setgid behave as one would expect. The discussion on #1435 explains why this is difficult, but it's still the right fix. |
For the record, I think the right place for specific control of Linux capabilities (the Go equivalent of cap_get_proc/cap_set_proc) is golang.org/x/sys/unix. |
@ianlancetaylor, yes, those should go there. (I'm unclear about whether
they have the same thread issues as setuid/setgid.)
|
In issue #1435 it has been suggested to use capabilities as a workaround to achieve security. To make this workaround viable, internal threads created by the Go runtime before main() even starts need to drop all capabilities, because the user thread running main() is not permitted to do that.
In addition there should probably be a mask in the runtime package that determines which capabilities are preserved when the Go runtime creates new threads. And for convenience there should be a function to drop capabilities in the current thread (although this can be done with cgo and is therefore secondary)
The idea is to make the following work
The text was updated successfully, but these errors were encountered: