Loading Dockerfile +2 −1 Original line number Diff line number Diff line Loading @@ -54,6 +54,7 @@ COPY --from=build /usr/local/lib /usr/local/lib COPY data/docker-config.yaml /etc/authdb/config.yaml USER authdb RUN chown -R authdb:authdb /var/lib/authdb CMD ["authdb","-f","true","-c","yaml://etc/authdb/config.yaml"] src/authdb.cpp +23 −23 Original line number Diff line number Diff line Loading @@ -678,29 +678,6 @@ int main(int argc,char *argv[]){ } } /* Drop privileges after all sockets are bound */ #ifndef _WIN32 if (getuid() == 0) { struct passwd *pw = getpwnam("authdb"); if (pw) { if (setgid(pw->pw_gid) != 0) { std::cerr << "setgid failed" << std::endl; return 1; } if (initgroups("authdb", pw->pw_gid) != 0) { std::cerr << "initgroups failed" << std::endl; return 1; } if (setuid(pw->pw_uid) != 0) { std::cerr << "setuid failed" << std::endl; return 1; } } else { std::cerr << "user authdb not found, running as root" << std::endl; } } #endif // Instantiate session store: cluster-aware or local-only std::unique_ptr<authdb::Session> sessionStore; if (clusterEnabled) { Loading Loading @@ -774,6 +751,29 @@ int main(int argc,char *argv[]){ /* Init plugins while still root — bind privileged ports (88, 389, etc.) */ pluginMgr.initAll(); /* Drop privileges after all sockets are bound */ #ifndef _WIN32 if (getuid() == 0) { struct passwd *pw = getpwnam("authdb"); if (pw) { if (setgid(pw->pw_gid) != 0) { std::cerr << "setgid failed" << std::endl; return 1; } if (initgroups("authdb", pw->pw_gid) != 0) { std::cerr << "initgroups failed" << std::endl; return 1; } if (setuid(pw->pw_uid) != 0) { std::cerr << "setuid failed" << std::endl; return 1; } } else { std::cerr << "user authdb not found, running as root" << std::endl; } } #endif /* Start each plugin in its own background thread (runs as unprivileged user) */ std::vector<std::thread> pluginThreads; for (auto &[pname, lp] : pluginMgr.plugins()) { Loading Loading
Dockerfile +2 −1 Original line number Diff line number Diff line Loading @@ -54,6 +54,7 @@ COPY --from=build /usr/local/lib /usr/local/lib COPY data/docker-config.yaml /etc/authdb/config.yaml USER authdb RUN chown -R authdb:authdb /var/lib/authdb CMD ["authdb","-f","true","-c","yaml://etc/authdb/config.yaml"]
src/authdb.cpp +23 −23 Original line number Diff line number Diff line Loading @@ -678,29 +678,6 @@ int main(int argc,char *argv[]){ } } /* Drop privileges after all sockets are bound */ #ifndef _WIN32 if (getuid() == 0) { struct passwd *pw = getpwnam("authdb"); if (pw) { if (setgid(pw->pw_gid) != 0) { std::cerr << "setgid failed" << std::endl; return 1; } if (initgroups("authdb", pw->pw_gid) != 0) { std::cerr << "initgroups failed" << std::endl; return 1; } if (setuid(pw->pw_uid) != 0) { std::cerr << "setuid failed" << std::endl; return 1; } } else { std::cerr << "user authdb not found, running as root" << std::endl; } } #endif // Instantiate session store: cluster-aware or local-only std::unique_ptr<authdb::Session> sessionStore; if (clusterEnabled) { Loading Loading @@ -774,6 +751,29 @@ int main(int argc,char *argv[]){ /* Init plugins while still root — bind privileged ports (88, 389, etc.) */ pluginMgr.initAll(); /* Drop privileges after all sockets are bound */ #ifndef _WIN32 if (getuid() == 0) { struct passwd *pw = getpwnam("authdb"); if (pw) { if (setgid(pw->pw_gid) != 0) { std::cerr << "setgid failed" << std::endl; return 1; } if (initgroups("authdb", pw->pw_gid) != 0) { std::cerr << "initgroups failed" << std::endl; return 1; } if (setuid(pw->pw_uid) != 0) { std::cerr << "setuid failed" << std::endl; return 1; } } else { std::cerr << "user authdb not found, running as root" << std::endl; } } #endif /* Start each plugin in its own background thread (runs as unprivileged user) */ std::vector<std::thread> pluginThreads; for (auto &[pname, lp] : pluginMgr.plugins()) { Loading