commit f26d624479a3b6666ef86d1e73e07a003b856db8
from: Stefan Sperling <stsp@stsp.name>
date: Tue Jan 14 11:29:28 2025 UTC

make gotwebd's parent process drop root privileges

Once the configuration has been applied the parent process
does nothing which would require root privileges.

ok jamsek

commit - 34b2702155c3b2f22d92d76d2f807e818ad5789f
commit + f26d624479a3b6666ef86d1e73e07a003b856db8
blob - aa4091b4467fdc10e4afd07ab963ee00e007b1b7
blob + e1431f1522e659e8264737dc0d9ca3dd20f72dc4
--- gotwebd/gotwebd.c
+++ gotwebd/gotwebd.c
@@ -402,6 +402,11 @@ main(int argc, char **argv)
 	if (gotwebd_configure(env) == -1)
 		fatalx("configuration failed");
 
+	if (setgroups(1, &pw->pw_gid) == -1 ||
+	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 ||
+	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
+		fatal("failed to drop privileges");
+
 #ifdef PROFILE
 	if (unveil("gmon.out", "rwc") != 0)
 		err(1, "gmon.out");