diff --git a/cmd/dominator/main.go b/cmd/dominator/main.go
index 5b898018..63540344 100644
--- a/cmd/dominator/main.go
+++ b/cmd/dominator/main.go
@@ -1,15 +1,11 @@
 package main
 
 import (
-	"errors"
 	"flag"
 	"fmt"
 	_ "net/http/pprof"
 	"os"
-	"os/user"
 	"path"
-	"runtime"
-	"strconv"
 	"syscall"
 	"time"
 
@@ -22,7 +18,6 @@ import (
 	"github.com/Symantec/Dominator/lib/mdb/mdbd"
 	objectserver "github.com/Symantec/Dominator/lib/objectserver/filesystem"
 	"github.com/Symantec/Dominator/lib/srpc/setupserver"
-	"github.com/Symantec/Dominator/lib/wsyscall"
 	"github.com/Symantec/tricorder/go/tricorder"
 )
 
@@ -50,8 +45,6 @@ var (
 		"Port number to allocate and listen on for HTTP/RPC")
 	stateDir = flag.String("stateDir", "/var/lib/Dominator",
 		"Name of dominator state directory.")
-	username = flag.String("username", "",
-		"If running as root, username to switch to.")
 )
 
 func showMdb(mdb *mdb.Mdb) {
@@ -68,39 +61,6 @@ func getFdLimit() uint64 {
 	return rlim.Max
 }
 
-func setUser(username string) error {
-	// Lock to OS thread so that UID change sticks to this goroutine and the
-	// re-exec at the end. wsyscall.SetAllUid() only affects one thread on
-	// Linux.
-	runtime.LockOSThread()
-	if username == "" {
-		return errors.New("-username argument missing")
-	}
-	newUser, err := user.Lookup(username)
-	if err != nil {
-		return err
-	}
-	uid, err := strconv.Atoi(newUser.Uid)
-	if err != nil {
-		return err
-	}
-	gid, err := strconv.Atoi(newUser.Gid)
-	if err != nil {
-		return err
-	}
-	if uid == 0 {
-		return errors.New("Do not run the Dominator as root")
-		os.Exit(1)
-	}
-	if err := wsyscall.SetAllGid(gid); err != nil {
-		return err
-	}
-	if err := wsyscall.SetAllUid(uid); err != nil {
-		return err
-	}
-	return syscall.Exec(os.Args[0], os.Args, os.Environ())
-}
-
 func pathJoin(first, second string) string {
 	if path.IsAbs(second) {
 		return path.Clean(second)
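Review bot: Removing the `username` flag from the `var (` block (the block itself starts before this hunk) turns every invocation that still passes `-username` into a hard `flag.Parse()` failure ("flag provided but not defined"), including non-root starts for which the option was previously accepted and simply ignored, since the old code only consulted it when the effective uid was 0. If deployment scripts may still carry the option, a deprecated no-op for one release, e.g. `_ = flag.String("username", "", "Deprecated and ignored: the Dominator refuses to run as root.")`, lets those starts reach the new root refusal with a clear message instead of dying on option parsing. This is a compatibility concern only; the removal of the switch-user path itself is the intent of the commit.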
@@ -122,6 +82,10 @@ func newObjectServer(objectsDir string, logger log.DebugLogger) (
 }
 
 func main() {
+	if os.Geteuid() == 0 {
+		fmt.Fprintln(os.Stderr, "Do not run the Dominator as root")
+		os.Exit(1)
+	}
 	flag.Parse()
 	tricorder.RegisterFlags()
 	logger := serverlogger.New("")
@@ -137,12 +101,6 @@ func main() {
 		fmt.Fprintf(os.Stderr, "Cannot set FD limit\t%s\n", err)
 		os.Exit(1)
 	}
-	if os.Geteuid() == 0 {
-		if err := setUser(*username); err != nil {
-			fmt.Fprintln(os.Stderr, err)
-			os.Exit(1)
-		}
-	}
 	fi, err := os.Lstat(*stateDir)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Cannot stat: %s\t%s\n", *stateDir, err)
diff --git a/cmd/filegen-server/main.go b/cmd/filegen-server/main.go
index 0b92eedd..b23a14a0 100644
--- a/cmd/filegen-server/main.go
+++ b/cmd/filegen-server/main.go
@@ -33,13 +33,13 @@ func printUsage() {
 }
 
 func main() {
-	flag.Usage = printUsage
-	flag.Parse()
-	tricorder.RegisterFlags()
 	if os.Geteuid() == 0 {
 		fmt.Fprintln(os.Stderr, "Do not run the filegen server as root")
 		os.Exit(1)
 	}
+	flag.Usage = printUsage
+	flag.Parse()
+	tricorder.RegisterFlags()
 	logger := serverlogger.New("")
 	if err := setupserver.SetupTls(); err != nil {
 		if *permitInsecureMode {
diff --git a/cmd/imageserver/main.go b/cmd/imageserver/main.go
index 67b24022..da9db89d 100644
--- a/cmd/imageserver/main.go
+++ b/cmd/imageserver/main.go
@@ -40,12 +40,12 @@ type imageObjectServersType struct {
 }
 
 func main() {
-	flag.Parse()
-	tricorder.RegisterFlags()
 	if os.Geteuid() == 0 {
 		fmt.Fprintln(os.Stderr, "Do not run the Image Server as root")
 		os.Exit(1)
 	}
+	flag.Parse()
+	tricorder.RegisterFlags()
 	logger := serverlogger.New("")
 	if err := setupserver.SetupTls(); err != nil {
 		if *permitInsecureMode {
diff --git a/cmd/mdbd/main.go b/cmd/mdbd/main.go
index 1a29b528..9e775217 100644
--- a/cmd/mdbd/main.go
+++ b/cmd/mdbd/main.go
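Review bot: The new guard at the top of `main` in cmd/dominator/main.go tests only `os.Geteuid()`, so a process whose real uid is still 0 but whose effective uid was lowered with seteuid (a launcher that "drops" privileges that way, rather than with setuid/setresuid) passes the check while remaining able to regain uid 0 with a single setuid(0). Since the commit's stated policy is "do not run as root" at all, the check should cover the real uid too: `if os.Getuid() == 0 || os.Geteuid() == 0 {`. The saved set-user-ID can also be 0 in that scenario; the standard library does not expose it (Getresuid lives in x/sys/unix), so if that matters here it is worth a comment on the check noting the residual gap rather than an unexplained partial test. The same euid-only test is used by the filegen-server and imageserver hunks in this commit, so whatever form is chosen should be applied to all of them; `main` continues past the end of this hunk.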
@@ -140,6 +140,10 @@ func showErrorAndDie(err error) {
 }
 
 func main() {
+	if os.Geteuid() == 0 {
+		fmt.Fprintln(os.Stderr, "Do not run the MDB daemon as root")
+		os.Exit(1)
+	}
 	flag.Usage = printUsage
 	flag.Parse()
 	tricorder.RegisterFlags()
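Review bot: The four added lines at the start of mdbd's `main` are the fourth verbatim copy of the same root check in this commit (dominator, filegen-server and imageserver carry identical blocks differing only in the daemon name in the message), so the definition of "running as root" now lives in four places and any later tightening has to be repeated in each. A small shared helper under the existing lib tree, e.g. `func ExitIfRoot(daemon string)` that performs the uid test and the `fmt.Fprintln`/`os.Exit(1)`, called as the first statement of each `main`, keeps the policy and its wording in one spot. The body of `main` continues beyond the end of this hunk.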