Bind sockets then drop privileges, passing the file descriptors to a command

# adrop

Usage: ./adrop {OPTIONS} [SOCKETS..] -- [COMMAND..]

  Bind sockets then drop privileges, passing the file descriptors to COMMAND.

Quick examples:

  Bound ports with positional arguments:

    sudo ./adrop -u www-daemon -g www --respawn 80 443 \
      -- node server.js --http-fd={} --https-fd={}

  Bound ports with named arguments:

    sudo ./adrop -u email:email imap_plain=143 imap_ssl=993 smtp0=25 smtp1=587 smtp2=2525 \
      -- ./smtp --smtp-plain={smtp0},{smtp1},{smtp2} \
        --imap-plain={imap_plain} --imap-ssl={imap_ssl}

  Bound ipv4 and ipv6 ports with indexed arguments:

    sudo ./adrop -u xyzw [::1]:700 \
      -- python --ipv4_fd={0} --ipv6_fd={1}


  -h --help

    Print this message and exit.


    Print the version number of this software and exit.

  -u USER, --user=USER

    Call setuid() with USER as an id or name.


    Call setuid() with USER and setgid() with GROUP, both as an id or name.

  -g GROUP --group=GROUP

    Call setgid() with GROUP as an id or name.

  -r --respawn

    When COMMAND terminates, run the COMMAND again.

  -q --quiet

    Suppress output when a process exits in respawn mode.

  -d DELAY --delay=DELAY

    Wait DELAY seconds between retries when --respawn is given. Default: 1.0


    Set an environment variable KEY as VALUE when executing COMMAND.

  -E --preserve-env

    Pass through all environment variables to COMMAND.
    By default, no environment variables are passed through.

Each SOCKET is of the form:

  HOST:PORT   bind tcp port with explicit AF_INET or AF_INET6 address
  PORT        bind tcp port on
  HOST:uPORT  bind udp port with explicit AF_INET or AF_INET6 address
  uPORT       bind udp port on
  /PATH       AF_UNIX tcp socket with absolute path
  ./PATH      AF_UNIX tcp socket with relative path
  udp:/PATH   AF_UNIX udp socket with absolute path
  udp:./PATH  AF_UNIX udp socket with relative path

  Each SOCKET may be prepended by "KEY=" for a named "{KEY}" instead of
  a positional substitution in COMMAND.

  To provide multiple HOST addresses for the same PORT, provide HOST:PORT
  pairs multiple times with the same PORT, one for each HOST.

COMMAND is a program to execute with a list of arguments:

  COMMAND will be run via exec() to take over file descriptors after running
  setuid() and/or setgid() or via fork() if --respawn is used.

  The COMMAND string may contain the special string "{}" which will be
  replaced with the corresponding file descriptor for SOCKET in the order
  provided in the SOCKETS section, left to right.

  You can also use {N} to get at the Nth (starting from 0) file descriptor
  or {KEY} to get at a socket with a name given by KEY=.
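
The receiving side of the hand-off, as an added example that is not part of adrop or this README: how a Python COMMAND might validate and adopt a descriptor it was given through a `{}` substitution, and confirm that root cannot be regained. The names `adopt_listener` and `root_is_unreachable` are hypothetical, and the `listen()` call assumes adrop only binds the socket, as the usage text states.

```python
import os
import socket
import stat


def adopt_listener(fd: int, kind: int = socket.SOCK_STREAM) -> socket.socket:
    """Validate an inherited descriptor and return it as a socket object."""
    # A wrong fd number could point at a log file or a pipe; refuse anything
    # that is not a socket before using it.
    if not stat.S_ISSOCK(os.fstat(fd).st_mode):
        raise ValueError(f"fd {fd} is not a socket")
    sock = socket.socket(fileno=fd)  # family and type are detected from the fd
    actual = sock.type
    if actual != kind:
        sock.detach()  # hand the fd back untouched; the caller decides its fate
        raise ValueError(f"fd {fd} has socket type {actual!r}, expected {kind!r}")
    # Keep the privileged listener out of any child this server spawns later.
    os.set_inheritable(fd, False)
    if kind == socket.SOCK_STREAM:
        sock.listen()  # assumption: the launcher bound the socket but did not listen
    return sock


def root_is_unreachable() -> bool:
    """True when neither uid is 0 and uid 0 cannot be re-acquired."""
    if os.getuid() == 0 or os.geteuid() == 0:
        return False
    try:
        # Succeeds only if a saved uid of 0 or CAP_SETUID survived the drop.
        os.setuid(0)
    except OSError:
        return True
    return False
```

A server started as `--http-fd={}` would call `adopt_listener(int(value))` on the parsed argument and exit early if `root_is_unreachable()` returns False.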