What version of Go are you using (`go version`)?

```
$ go version
go version go1.13.3 linux/amd64
```

Does this issue reproduce with the latest release?

not checked

What operating system and processor architecture are you using (`go env`)?

```
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/ilesik/.cache/go-build"
GOENV="/home/ilesik/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/ilesik/enswitch/"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/ilesik/src/enswitch/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build292877042=/tmp/go-build -gno-record-gcc-switches"
```

What did you do?

Here is a code example:

```go
makeconnection := true
if makeconnection {
	// Optional database round trip before the privilege drop.
	db, err := sql.Open("mysql", "user:pwd@tcp(127.0.0.1:3306)/db?charset=utf8")
	if err == nil {
		fmt.Println("connect ok")
	} else {
		fmt.Println("connect err")
	}
	rows, _ := db.Query("select UTC_TIMESTAMP() as c")
	for rows.Next() {
		var (
			name string
		)
		if err := rows.Scan(&name); err != nil {
			fmt.Println(err)
		}
		fmt.Printf("result %s\n", name)
	}
	db.Close()
	db.SetMaxIdleConns(0)
	db.SetMaxOpenConns(0)
	db = nil
}

// Detach from the session, then drop from root to gid 992 / uid 994.
syscall.Setsid()
os.Chdir("/")
syscall.Umask(0002)
gid := 992
err = syscall.Setresgid(gid, gid, gid)
log.Info("Setresgid " + strconv.Itoa(gid) + ", real : " + strconv.Itoa(syscall.Getgid()))
uid := 994
err = syscall.Setresuid(uid, uid, uid)
log.Info("Setresuid " + strconv.Itoa(uid) + ", real : " + strconv.Itoa(syscall.Geteuid()))
// run "ps aux" and cat /proc/<pid>/status here and check the real and effective user IDs
time.Sleep(100 * time.Minute)
```

What did you expect to see?

If I run this program as root with "makeconnection := false", I will always see that it successfully dropped privileges to user (994) and group (992).

```
ps aux | grep test
enswitch 3316 0.1 0.1 415884 6100 pts/12 Sl+ 22:44 0:00 ./bin/test
```

and

```
cat /proc/<pid>/status
Uid: 994 994 994 994
Gid: 992 992 992 992
```

But if I run it with makeconnection := true, I will see privileges drop for 50% of runs...

Sometimes it is still root and

```
cat /proc/<pid>/status
Uid: 0 0 0 0
Gid: 0 0 0 0
```

and sometimes it's working fine!! It does not matter if the db connection was successful or not. More than that: it ALWAYS outputs as if it set the rights OK:

```
Setresgid 992, real : 992
Setresuid 994, real : 994
```
The reason for this is a limitation of the linux kernel. See #1435
Closing as dup of #1435.
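A check that would have caught the partial drop reported in this issue, as an added example (not code from the issue or from the Go project): Linux keeps credentials per thread, so it inspects every thread under /proc/self/task instead of asking only the calling thread, as the reporter's log lines do. The function names are made up for this example, 994 and 992 are the IDs from the report, and `os.ReadDir`/`os.ReadFile` assume Go 1.16 or later.

```go
package main

import (
	"log"
	"os"
	"sort"
	"strings"
)

// idsMatch reports whether the "Uid:"/"Gid:" line lists want for all four IDs.
func idsMatch(status, key, want string) bool {
	for _, line := range strings.Split(status, "\n") {
		if f := strings.Fields(line); len(f) == 5 && f[0] == key+":" {
			return f[1] == want && f[2] == want && f[3] == want && f[4] == want
		}
	}
	return false // a missing line counts as a failed drop
}

// threadsNotDropped returns the sorted thread IDs not fully running as uid/gid.
func threadsNotDropped(statuses map[string]string, uid, gid string) []string {
	var bad []string
	for tid, st := range statuses {
		if !idsMatch(st, "Uid", uid) || !idsMatch(st, "Gid", gid) {
			bad = append(bad, tid)
		}
	}
	sort.Strings(bad)
	return bad
}

// selfThreads reads the status file of every thread of the current process.
func selfThreads() map[string]string {
	out := map[string]string{}
	entries, _ := os.ReadDir("/proc/self/task")
	for _, e := range entries {
		if b, err := os.ReadFile("/proc/self/task/" + e.Name() + "/status"); err == nil {
			out[e.Name()] = string(b) // a thread that exits mid-scan is skipped
		}
	}
	return out
}

func main() {
	st := selfThreads() // call right after the drop; empty means /proc was unreadable
	if bad := threadsNotDropped(st, "994", "992"); len(st) == 0 || len(bad) > 0 {
		log.Fatalln("privilege drop not verified, threads still privileged:", bad)
	}
}
```

Run as written it exits non-zero unless every thread of the process already has uid 994 and gid 992, which is the condition the reporter's program should have enforced before continuing.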