feature request for group parameter


bessarabov

Aug 31, 2010, 10:18:51 AM
to Ubic
Here is a SimpleDaemon example:

use Ubic::Service::SimpleDaemon;
my $service = Ubic::Service::SimpleDaemon->new({
    bin => "touch /tmp/test; sleep 10",
    user => "www-data",
    stdout => "/var/log/ubic_log/test.out",
    stderr => "/var/log/ubic_log/test.err",
});

Start this service and check file permissions. You'll see something
like this:

-rw-r--r-- 1 www-data root 0 2010-08-31 18:11 /tmp/test

Ubic does use POSIX::setuid for setting user, but does not use setgid
for setting group.
In our environment we sometimes need the ability to specify the group
for the service.

Do you think that this feature is worth implementing?

Вячеслав Матюхин

Aug 31, 2010, 11:20:51 AM
to ubic...@googlegroups.com

Yes, it is definitely worth implementing, and I consider it to be a bug, not a missing feature.
We stumbled on this problem recently too and I'm currently looking for the best way to implement it.

setgid will probably be called even if group is not specified explicitly, with "main" user group as an argument.
I'm still not sure how to get this user's main group, though. "su" source code calls initgroups() function from libc for similar task, and I haven't found its perl analog yet.

--
Vyacheslav Matyukhin
http://github.com/berekuk
http://friendfeed.com/mmcleric
http://berekuk.ru

Alex Kapranoff

Aug 31, 2010, 12:08:09 PM
to ubic...@googlegroups.com
Isn't gid returned by simple getpwent() appropriate?

Вячеслав Матюхин

Aug 31, 2010, 12:56:19 PM
to ubic...@googlegroups.com
getpwent() doesn't take any arguments and can only be called after setuid.
And to be able to provide group both implicitly and explicitly we need group() to be the method of Ubic::Service class, which could be called from any user and still return correct value.

I worry about backward compatibility too. Will it break anything for you if your non-root daemons will suddenly become www-data/www-data instead of www-data/root?

By now, I'm preparing a quick patch with group() method returning 'root' by default and 'group' parameter to SimpleDaemon overriding it.

-- 
Вячеслав Матюхин

Alex Kapranoff

Aug 31, 2010, 1:54:47 PM
to ubic...@googlegroups.com
Oops, I meant getpwnam().

% perl -E 'say +(getpwnam "www-data")[3]'
33

Вячеслав Матюхин

Aug 31, 2010, 2:16:34 PM
to ubic...@googlegroups.com
Thanks, this should work, don't know why I missed it.

There are also "supplementary" groups on most systems (including linux) which we should init too, though.

Alex Kapranoff

Aug 31, 2010, 2:33:05 PM
to ubic...@googlegroups.com
> Isn't gid returned by simple getpwent() appropriate?
>
> getpwent() doesn't take any arguments and can only be called after setuid.
> And to be able to provide group both implicitly and explicitly we need group() to be the method of Ubic::Service class, which could be called from any user and still return correct value.
>
> I worry about backward compatibility too. Will it break anything for you if your non-root daemons will suddenly become www-data/www-data instead of www-data/root?
>
> By now, I'm preparing a quick patch with group() method returning 'root' by default and 'group' parameter to SimpleDaemon overriding it.
>
> Oops, I meant getpwnam().
>
> % perl -E 'say +(getpwnam "www-data")[3]'
> 33
>
> Thanks, this should work, don't know why I missed it.
>
> There are also "supplementary" groups on most systems (including linux) which we should init too, though.

Or should we?

As far as I understand, $) allows assigning to a space-separated list of gids. So, if one wants several effective groups he will be able to specify the list in ubic service script.

I think that setgid() to main group by default will be enough. Old supplementary group list should definitely be reset.

Вячеслав Матюхин

Aug 31, 2010, 3:34:03 PM
to ubic...@googlegroups.com
Yes and yes, if one specifies groups explicitly.

> I think that setgid() to main group by default will be enough. Old supplementary group list should definitely be reset.

I think all supplementary groups should be set too, but I still haven't found a way to get them by username without changing euid first.
For example, IIRC, on desktop ubuntu all users should belong to 'audio' group to be able to play any sound. It would be very confusing if ubic services don't have enough grants because service author didn't list them manually.

On the other hand, to set one group is definitely an improvement compared to the current situation.

Матюхин Вячеслав

Aug 31, 2010, 4:19:27 PM
to ubic...@googlegroups.com
 
31.08.10, 23:34, "Вячеслав Матюхин" <m...@berekuk.ru>:

OK, I uploaded 1.13 with group() method default to getgrgid((getpwnam $self->user)[3]).
And then there are two more changes, since I don't post separate emails about each version yet, I'll just paste them here:
        * Perl6::Slurp removed from dependencies
        * Ubic::Manual::FAQ now is actually added
 
I also found that /usr/bin/id from coreutils locates supplementary groups by walking group database with simple getgrent(), so I'll probably use it too (in later releases).
 
PS: oops, just remembered that I forgot to reset supplementary groups before calling setgid (and they don't reset automatically, I checked). Will fix this one tomorrow.
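
The privilege drop this thread converges on (primary gid from getpwnam, supplementary groups found by walking getgrent(), the inherited group list reset before setgid, setuid last), written out as an added example. It is not Ubic's code and not from any poster; the function names resolve_credentials and drop_privileges are hypothetical, and the actual drop only runs when the script is started as root.

```perl
use strict;
use warnings;
use English qw(-no_match_vars);   # $UID, $EUID, $GID, $EGID for $<, $>, $(, $)
use POSIX ();

# Primary gid: explicit group if given, else the passwd entry (getpwnam).
# Supplementary gids: walk the group database with getgrent().
sub resolve_credentials {
    my ($user, $group) = @_;
    my ($uid, $gid) = (getpwnam $user)[2, 3];
    defined $uid or die "unknown user '$user'\n";
    if (defined $group) {
        $gid = getgrnam($group) // die "unknown group '$group'\n";
    }
    my %supp;
    setgrent();
    while (my (undef, undef, $g, $members) = getgrent()) {
        $supp{$g} = 1 if grep { $_ eq $user } split ' ', $members;
    }
    endgrent();
    delete $supp{$gid};
    return ($uid, $gid, sort { $a <=> $b } keys %supp);
}

# Must run as root. Order: group list and gid first, uid last, because
# after setuid() to a non-root uid the process can no longer change groups.
sub drop_privileges {
    my ($uid, $gid, @supp) = @_;
    # Assigning $) sets the egid (first number) and calls setgroups() with the
    # rest; repeating $gid overwrites the inherited list even if @supp is empty.
    $! = 0;
    $EGID = join ' ', $gid, $gid, @supp;
    die "setting group list failed: $!\n" if $!;
    defined POSIX::setgid($gid) or die "setgid($gid): $!\n";
    defined POSIX::setuid($uid) or die "setuid($uid): $!\n";
    # Verify the result rather than trusting return values.
    my %allowed = map { $_ => 1 } $gid, @supp;
    my @stray = grep { !$allowed{$_} } split ' ', $EGID;
    die "stray groups remain: @stray\n" if @stray;
    die "uid/gid not fully switched\n"
        unless $UID == $uid && $EUID == $uid && (split ' ', $GID)[0] == $gid;
    die "root can be regained\n" if $uid != 0 && defined POSIX::setuid(0);
}

my ($user, $group) = @ARGV;            # usage: script [user [group]]
$user //= 'www-data';                  # sample default taken from the thread
my ($uid, $gid, @supp) = resolve_credentials($user, $group);
print "$user: uid=$uid gid=$gid supplementary=[@supp]\n";
if ($EUID == 0) { drop_privileges($uid, $gid, @supp); print "now uid=$EUID groups=$EGID\n" }
```

Run unprivileged, it only prints the resolved uid, gid and supplementary gids, which is enough to compare against the output of `id` for the same user.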