Posted to commits@trafficserver.apache.org by su...@apache.org on 2019/06/10 22:42:50 UTC

[trafficserver] 01/01: Elevate privileges when loading SSL Session Ticket key file

This is an automated email from the ASF dual-hosted git repository.

sudheerv pushed a commit to branch svinukon_elevate_privs
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 6a2db443fca9a4d04f52c450f51c8b1e50aaac2a
Author: Sudheer Vinukonda <su...@apache.org>
AuthorDate: Mon Jun 10 15:02:11 2019 -0700

    Elevate privileges when loading SSL Session Ticket key file
---
 iocore/net/SSLConfig.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 0183800..36bd751 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -574,6 +574,11 @@ SSLTicketParams::LoadTicket(bool &nochange)
     no_default_keyblock = ticket_params->default_global_keyblock == nullptr;
   }
 
+  // elevate/allow file access to root read only files/certs
+  uint32_t elevate_setting = 0;
+  REC_ReadConfigInteger(elevate_setting, "proxy.config.ssl.cert.load_elevated");
+  ElevateAccess elevate_access(elevate_setting ? ElevateAccess::FILE_PRIVILEGE : 0); // destructor will demote for us
+
   if (REC_ReadConfigStringAlloc(ticket_key_filename, "proxy.config.ssl.server.ticket_key.filename") == REC_ERR_OKAY &&
       ticket_key_filename != nullptr) {
     ats_scoped_str ticket_key_path(Layout::relative_to(params->serverCertPathOnly, ticket_key_filename));
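Review bot: `elevate_access` is constructed before the `if` that checks whether `proxy.config.ssl.server.ticket_key.filename` is set, so file privileges are raised even when no ticket key file is configured, and they stay raised until the object goes out of scope. That scope ends outside this hunk, so the exact extent cannot be seen here, but it looks wider than the single file read that needs it. Moving the three added statements inside the `if (... ticket_key_filename != nullptr) {` block, or wrapping only the key-file read in its own `{ ... }`, would keep the elevated window to that read. The setting reused here, `proxy.config.ssl.cert.load_elevated`, is named for certificates, so the comment could say so explicitly, e.g. `// load_elevated also governs the session ticket key file, which may be readable by root only`.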