fixed broken group membership changing of webserver (Closes: #114)
parent
68e0cddc59
commit
9ce310035a
2 changed files with 22 additions and 4 deletions
|
@ -142,7 +142,7 @@ def call_event(args):
|
|||
def isWriteable(device, force_dev_type=None):
|
||||
"""check if the calling user (not root!) has write access to the device/file
|
||||
|
||||
the real (not the effictive) user id is used for the check
|
||||
the real (not the effective) user id is used for the check
|
||||
additionally the permissions of the default groups of the real uid are checked
|
||||
this check works nicely together with "super", as it changes (by default) only
|
||||
the effective uid (not the real uid)
|
||||
|
|
|
@ -116,7 +116,7 @@ class CryptoBoxWebserver:
|
|||
import pwd, grp
|
||||
user_entry = pwd.getpwuid(self.opts.user)
|
||||
## get the new uid and gid
|
||||
pw_uid, pw_gid = user_entry[2], user_entry[3]
|
||||
pw_name, pw_uid, pw_gid = user_entry[0], user_entry[2], user_entry[3]
|
||||
## change the owner of the webserver log file
|
||||
try:
|
||||
os.chown(self.opts.logfile, pw_uid, pw_gid)
|
||||
|
@ -126,7 +126,7 @@ class CryptoBoxWebserver:
|
|||
## calculate additional groups of the given user
|
||||
additional_groups = [ entry[2]
|
||||
for entry in grp.getgrall()
|
||||
if pw_uid in entry[3] ]
|
||||
if pw_name in entry[3] ] + [ pw_gid ]
|
||||
return (pw_uid, pw_gid, additional_groups)
|
||||
|
||||
|
||||
|
@ -155,6 +155,21 @@ class CryptoBoxWebserver:
|
|||
sys.stderr.write("Failed to restore privileges: %s\n" % err_msg)
|
||||
|
||||
|
||||
def change_groups(self):
|
||||
"""Change the groups of the current process to the ones of the given user
|
||||
|
||||
we have to do this before we call cherrypy.server.start(), as it somehow
|
||||
remembers the current setting for any thread it will create later
|
||||
"""
|
||||
if self.opts.user is None:
|
||||
return
|
||||
(pw_uid, pw_gid, additional_groups) = self.get_user_info()
|
||||
try:
|
||||
os.setgroups(additional_groups)
|
||||
except OSError, err_msg:
|
||||
sys.stderr.write("Failed to change the groups: %s\n" % err_msg)
|
||||
|
||||
|
||||
def drop_privileges_permanently(self):
|
||||
"""Drop all privileges of the current process and acquire the privileges of the
|
||||
given user instead.
|
||||
|
@ -163,7 +178,7 @@ class CryptoBoxWebserver:
|
|||
return
|
||||
(pw_uid, pw_gid, additional_groups) = self.get_user_info()
|
||||
try:
|
||||
os.setgroups(additional_groups)
|
||||
## setgroups happened before (see 'change_groups')
|
||||
os.setregid(pw_gid, pw_gid)
|
||||
os.setreuid(pw_uid, pw_uid)
|
||||
except OSError, err_msg:
|
||||
|
@ -173,6 +188,9 @@ class CryptoBoxWebserver:
|
|||
|
||||
def start(self):
|
||||
try:
|
||||
## first: change the groups (cherrypy.server.start stores the
|
||||
## current setting for creating new threads later
|
||||
self.change_groups()
|
||||
cherrypy.server.start(initOnly=True)
|
||||
self.drop_privileges_permanently()
|
||||
cherrypy.server.wait_for_http_ready()
|
||||
|
|
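Review bot: In the new `change_groups` method (hunk `-155,6 +155,21`) a failed `os.setgroups(additional_groups)` is only written to stderr and startup carries on. Because this commit also removes the `os.setgroups` call from `drop_privileges_permanently`, the process would then switch uid/gid while keeping the supplementary groups it was started with, which for a root-started daemon presumably includes root's groups. The handler should fail closed, for example by ending it with `sys.exit(1)` (or a bare `raise`) after the `sys.stderr.write(...)` line, so that `start()` never reaches `cherrypy.server.start(initOnly=True)` with the old group list. `drop_privileges_permanently` now relies on `change_groups` having run first; its docstring should say so, and a comparison of `os.getgroups()` against `additional_groups` before `os.setregid` would catch a caller that skips that step. The `except` handler in `drop_privileges_permanently` and the rest of `start()` lie outside the visible hunks, so their error handling could not be checked.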