miekg / caddy-user

Caddy module that changes to a different user before serving the request

caddy-user

This caddy module performs a setuid on the goroutine handling the request. This works.

@@@@@@@@@
HOWEVER DUE TO THE UNIX PROCESS MODEL IT CAN'T WORK
@@@@@@@@@

Setuid works on the entire process, not a single goroutine. So while this does what is advertised, it can't work for concurrent requests, or even for setuid-ing to different user accounts.

Take this example:

  • caddy runs as 'root'
  • request comes in, setuid to 'x', caddy now runs as 'x'
  • another request comes in, setuid to 'y' fails as user 'x' is not allowed to do that
  • last request will run under the user 'x'
  • request for x is completed, caddy reverts back to 'root'

So this will sometimes do what you expect.
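
The interleaving above, replayed against a small model of process-wide credentials. This is an added example, not code from the caddy-user module; the `proc` type, the seteuid-style switching, and the UIDs 1001 and 1002 are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// proc models the one set of UIDs that every goroutine in a process shares
// (the README's premise). Switching is seteuid-style, which is an assumption
// of this example, made because the README says the process reverts to root.
type proc struct{ ruid, euid, suid int }

var errPerm = errors.New("EPERM: operation not permitted")

// seteuid applies the POSIX rule: euid 0 may become any UID; anyone else may
// only pick its real, effective or saved UID.
func (p *proc) seteuid(uid int) error {
	if p.euid != 0 && uid != p.ruid && uid != p.euid && uid != p.suid {
		return errPerm
	}
	p.euid = uid
	return nil
}

// Replay runs the README's interleaving and records the process-wide
// effective UID after each step. UIDs 1001 ('x') and 1002 ('y') are constructed.
func Replay() (euids []int, errY error) {
	const x, y = 1001, 1002
	p := &proc{} // caddy runs as root: ruid = euid = suid = 0
	record := func() { euids = append(euids, p.euid) }

	_ = p.seteuid(x) // request 1 arrives and switches to x
	record()
	errY = p.seteuid(y) // request 2 arrives while request 1 is in flight
	record()            // EPERM: request 2 is served as x
	_ = p.seteuid(0) // request 1 completes and reverts to root
	record()         // request 2, if still running, now runs as root
	return euids, errY
}

func main() {
	euids, errY := Replay()
	fmt.Println("effective UID after each step:", euids)
	fmt.Println("switch to y:", errY)
}
```

In this model the last recorded value covers a case the list leaves implicit: once the request for 'x' reverts the process, a second request that is still running executes as root.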

A nicer idea might be to start Caddy, fork into multiple Caddy processes, and somehow solve it there.

Another alternative is running a proxy in front of Caddy instances running as different users (and potentially on different ports).

License: Apache License 2.0

Language: Go 100.0%