commit 006fe0beda9a4ed7cc63840ee601bf51d14547b9
from: Stefan Sperling <stsp@stsp.name>
via: Thomas Adam <thomas@xteddy.org>
date: Fri Jan 24 22:02:34 2025 UTC

make gotwebd's parent process drop root privileges

Once the configuration has been applied the parent process
does nothing which would require root privileges.

ok jamsek

commit - fd025130ffb23d779b740391823f305518b39ee1
commit + 006fe0beda9a4ed7cc63840ee601bf51d14547b9
blob - 2bc2708116c9d2831f580e47f54ca0d39937da1a
blob + 2cd22d916b72cc071d7b497b36d34cb0e7e8aebb
--- gotwebd/gotwebd.c
+++ gotwebd/gotwebd.c
@@ -402,6 +402,11 @@ main(int argc, char **argv)
 	if (gotwebd_configure(env) == -1)
 		fatalx("configuration failed");
 
+	if (setgroups(1, &pw->pw_gid) == -1 ||
+	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 ||
+	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
+		fatal("failed to drop privileges");
+
 #ifdef PROFILE
 	if (unveil("gmon.out", "rwc") != 0)
 		err(1, "gmon.out");