fixed broken group membership changing of webserver (Closes: #114)
This commit is contained in:
parent
68e0cddc59
commit
9ce310035a
|
@ -142,7 +142,7 @@ def call_event(args):
|
||||||
def isWriteable(device, force_dev_type=None):
|
def isWriteable(device, force_dev_type=None):
|
||||||
"""check if the calling user (not root!) has write access to the device/file
|
"""check if the calling user (not root!) has write access to the device/file
|
||||||
|
|
||||||
the real (not the effictive) user id is used for the check
|
the real (not the effective) user id is used for the check
|
||||||
additionally the permissions of the default groups of the real uid are checked
|
additionally the permissions of the default groups of the real uid are checked
|
||||||
this check works nicely together with "super", as it changes (by default) only
|
this check works nicely together with "super", as it changes (by default) only
|
||||||
the effective uid (not the real uid)
|
the effective uid (not the real uid)
|
||||||
|
|
|
@ -116,7 +116,7 @@ class CryptoBoxWebserver:
|
||||||
import pwd, grp
|
import pwd, grp
|
||||||
user_entry = pwd.getpwuid(self.opts.user)
|
user_entry = pwd.getpwuid(self.opts.user)
|
||||||
## get the new uid and gid
|
## get the new uid and gid
|
||||||
pw_uid, pw_gid = user_entry[2], user_entry[3]
|
pw_name, pw_uid, pw_gid = user_entry[0], user_entry[2], user_entry[3]
|
||||||
## change the owner of the webserver log file
|
## change the owner of the webserver log file
|
||||||
try:
|
try:
|
||||||
os.chown(self.opts.logfile, pw_uid, pw_gid)
|
os.chown(self.opts.logfile, pw_uid, pw_gid)
|
||||||
|
@ -126,7 +126,7 @@ class CryptoBoxWebserver:
|
||||||
## calculate additional groups of the given user
|
## calculate additional groups of the given user
|
||||||
additional_groups = [ entry[2]
|
additional_groups = [ entry[2]
|
||||||
for entry in grp.getgrall()
|
for entry in grp.getgrall()
|
||||||
if pw_uid in entry[3] ]
|
if pw_name in entry[3] ] + [ pw_gid ]
|
||||||
return (pw_uid, pw_gid, additional_groups)
|
return (pw_uid, pw_gid, additional_groups)
|
||||||
|
|
||||||
|
|
||||||
|
@ -155,6 +155,21 @@ class CryptoBoxWebserver:
|
||||||
sys.stderr.write("Failed to restore privileges: %s\n" % err_msg)
|
sys.stderr.write("Failed to restore privileges: %s\n" % err_msg)
|
||||||
|
|
||||||
|
|
||||||
|
def change_groups(self):
|
||||||
|
"""Change the groups of the current process to the ones of the given user
|
||||||
|
|
||||||
|
we have to do this before we call cherrypy.server.start(), as it somehow
|
||||||
|
remembers the current setting for any thread it will create later
|
||||||
|
"""
|
||||||
|
if self.opts.user is None:
|
||||||
|
return
|
||||||
|
(pw_uid, pw_gid, additional_groups) = self.get_user_info()
|
||||||
|
try:
|
||||||
|
os.setgroups(additional_groups)
|
||||||
|
except OSError, err_msg:
|
||||||
|
sys.stderr.write("Failed to change the groups: %s\n" % err_msg)
|
||||||
|
|
||||||
|
|
||||||
def drop_privileges_permanently(self):
|
def drop_privileges_permanently(self):
|
||||||
"""Drop all privileges of the current process and acquire the privileges of the
|
"""Drop all privileges of the current process and acquire the privileges of the
|
||||||
given user instead.
|
given user instead.
|
||||||
|
@ -163,7 +178,7 @@ class CryptoBoxWebserver:
|
||||||
return
|
return
|
||||||
(pw_uid, pw_gid, additional_groups) = self.get_user_info()
|
(pw_uid, pw_gid, additional_groups) = self.get_user_info()
|
||||||
try:
|
try:
|
||||||
os.setgroups(additional_groups)
|
## setgroups happened before (see 'change_groups')
|
||||||
os.setregid(pw_gid, pw_gid)
|
os.setregid(pw_gid, pw_gid)
|
||||||
os.setreuid(pw_uid, pw_uid)
|
os.setreuid(pw_uid, pw_uid)
|
||||||
except OSError, err_msg:
|
except OSError, err_msg:
|
||||||
|
@ -173,6 +188,9 @@ class CryptoBoxWebserver:
|
||||||
|
|
||||||
def start(self):
|
def start(self):
|
||||||
try:
|
try:
|
||||||
|
## first: change the groups (cherrypy.server.start stores the
|
||||||
|
## current setting for creating new threads later
|
||||||
|
self.change_groups()
|
||||||
cherrypy.server.start(initOnly=True)
|
cherrypy.server.start(initOnly=True)
|
||||||
self.drop_privileges_permanently()
|
self.drop_privileges_permanently()
|
||||||
cherrypy.server.wait_for_http_ready()
|
cherrypy.server.wait_for_http_ready()
|
||||||
|
|
Loading…
Reference in a new issue