From 165301c42b14a7096eaa31f631c402361872db88 Mon Sep 17 00:00:00 2001
From: David Phillips
Date: Fri, 17 Mar 2017 21:40:20 +1300
Subject: Add privellege dropping

---
 bot.conf.example | 2 ++
 saxrobot | 8 ++++++++
 sb_config.pm | 8 +++++++-
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/bot.conf.example b/bot.conf.example
index 752537e..f3ebb20 100644
--- a/bot.conf.example
+++ b/bot.conf.example
@@ -7,4 +7,6 @@ ignore = trumpetbot,abusiveuser
 password = pleffquiffle
 admins = snargle!~kleg@glarg.example.com
 must_id = 1
+user = nobody
+group = nobody
 triggers = 'sa+x' => '🎷 ', 'trumpet' => '🎺 ', 'snake' => '🐍 '
diff --git a/saxrobot b/saxrobot
index 0dcd5f1..065e01a 100755
--- a/saxrobot
+++ b/saxrobot
@@ -2,6 +2,7 @@
 use strict;
 use warnings;
+use POSIX qw(setuid setgid);
 use POE;
 use POE::Kernel;
 use POE::Component::IRC;
@@ -33,8 +34,15 @@ POE::Session->create(
 heap => { irc => $irc },
 );
+drop_priv();
+
 $poe_kernel->run();
+sub drop_priv {
+ setgid($config{gid}) or die "Failed to setgid: $!\n";
+ setuid($config{uid}) or die "Failed to setuid: $!\n";
+}
+
 sub _start {
 my $heap = $_[HEAP];
 my $irc = $heap->{irc};
diff --git a/sb_config.pm b/sb_config.pm
index dcff683..ade80b8 100644
--- a/sb_config.pm
+++ b/sb_config.pm
@@ -8,7 +8,7 @@ use Config::Tiny;
 sub parse_config
 {
- my @scalar_configs = ('nick', 'username', 'ircname', 'server', 'port', 'password', 'must_id');
+ my @scalar_configs = ('nick', 'username', 'ircname', 'server', 'port', 'password', 'must_id', 'user', 'group');
 my @list_configs = ('channels', 'ignore', 'admins');
 my $file = $_[0];
 my %built_config;
@@ -35,6 +35,12 @@ sub parse_config
 $triggers{$match} = $response;
 }
+ $built_config{uid} = getpwnam($built_config{user})
+ or die "Cannot get uid of $built_config{user}: $!\n";
+ $built_config{gid} = getgrnam($built_config{group})
+ or die "Cannot get gid of $built_config{group}: $!\n";
+
+
 $built_config{triggers} = \%triggers;
 return %built_config;
-- 
cgit v1.1
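Review bot: The example value `group = nobody` does not resolve on every system, since Debian-derived distributions name that group `nogroup`. Because parse_config in this same commit dies when getgrnam fails, a config copied verbatim from this example would stop the bot at start-up there. `nobody` is also commonly shared by unrelated daemons, so anything else running under it shares the bot's identity; a dedicated unprivileged account is the safer example. I would add a comment line above the two keys, such as `# account the bot switches to after start-up; prefer a dedicated unprivileged user/group (the group is "nogroup" on some systems)`.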
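Review bot: drop_priv() in the second saxrobot hunk changes the primary gid and the uid but never replaces the supplementary group list, so a bot started as root would keep whatever extra groups it was launched with after the "drop". In Perl the list is replaced by assigning a "gid gid" string to `$)`, which has to happen while the process is still privileged and should be checked through `$!`. The routine also never confirms that the switch took effect, and it runs unconditionally, so starting the bot from an ordinary account whose gid differs from the configured one now ends in "Failed to setgid". Consider returning early when `$>` is non-zero if unprivileged start-up should keep working. A sketch of the stricter routine follows.

```perl
sub drop_priv {
    # Replace the supplementary group list first; this is only possible
    # while the process still holds its start-up privileges.
    $! = 0;
    $) = "$config{gid} $config{gid}";
    die "Failed to set supplementary groups: $!\n" if $!;
    # … unchanged: setgid() and setuid() calls …
    die "Privileges were not dropped\n"
        if $< != $config{uid} || $> != $config{uid};
}
```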
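Review bot: In the second sb_config.pm hunk both lookups are tested for truth and report `$!`, but a name with no passwd or group entry is not guaranteed to set errno, so the message can end in an empty or unrelated error string. Because id 0 is false, `user = root` is rejected only by accident and with the same misleading "Cannot get uid" text. The lookups also run unconditionally, so a config file written before this commit (no `user`/`group` keys) presumably passes undef to getpwnam and the bot no longer starts; the loop that fills %built_config is outside the hunk, so confirm this. I would test with `defined`, drop `$!`, and refuse id 0 on purpose: `defined(my $uid = getpwnam($built_config{user})) or die "Unknown user '$built_config{user}'\n";` followed by `die "Refusing to run as uid 0\n" if $uid == 0;`, and the same for the group. parse_config begins and ends outside this hunk.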