comp.lang.ruby

Reducing Permissions

Jon Raphaelson

4/3/2005 6:07:00 PM

Is there a way to programmatically reduce permissions that doesn't involve
`su -l #{config.name}`? I need the server started as root so that it
can do a chroot, but then I don't want it executing as root, but as a
special user created for the purpose. Also, I'm hoping that there is
something already done that's cross-platform(ish).

Any ideas? Thanks!

Jon


3 Answers

James Gray

4/3/2005 6:12:00 PM

0


On Apr 3, 2005, at 1:06 PM, Jon Raphaelson wrote:

> Is there a way to programmatically reduce permissions that doesn't
> involve `su -l #{config.name}`? I need the server started as root so
> that it can do a chroot, but then I don't want it executing as root,
> but as a special user created for the purpose. Also, I'm hoping that
> there is something already done that's cross-platform(ish).
>
> Any ideas? Thanks!

Not really the answer you asked for, but I just use Dir#chroot to
isolate a process like that. Hope that helps.

James Edward Gray II



ES

4/3/2005 6:33:00 PM

0


On 3/4/2005, "Jon Raphaelson" <jonraphaelson@gmail.com> wrote:
>Is there a way to programmatically reduce permissions that doesn't involve
> `su -l #{config.name}`? I need the server started as root so that it
>can do a chroot, but then I don't want it executing as root, but as a
>special user created for the purpose. Also, I'm hoping that there is
>something already done that's cross-platform(ish).

You probably want a wrapper script to do the chroot (Dir#chroot)
and then su to start the application.

>Any ideas? Thanks!
>
>Jon

E

No-one expects the Solaris POSIX implementation!



Andre Nathan

4/3/2005 9:00:00 PM

0

Jon Raphaelson said:
> Is there a way to programmatically reduce permissions
[...]
> Any ideas? Thanks!

I use this in one of my projects:

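require 'etc'

# Chroot into the user's home directory, then permanently switch to that
# user. Must be called while the process is still running as root.
def drop_privileges(user='nobody')
  pw = Etc::getpwnam(user)  # look up the account before chroot hides /etc/passwd
  begin
    Dir.chdir(pw.dir)
    Dir.chroot(pw.dir)
    Dir.chdir('/')          # leave no working directory outside the new root
  rescue => e
    puts "Cannot chroot to #{pw.dir}: #{e}"
    exit 1                  # non-zero status so the caller sees the failure
  end

  # Reset supplementary groups first; this needs root, so it has to
  # happen before the uid changes.
  Process::initgroups(user, pw.gid)
  begin
    # Set real, effective and saved IDs together; gid before uid.
    Process::Sys::setresgid(pw.gid, pw.gid, pw.gid)
    Process::Sys::setresuid(pw.uid, pw.uid, pw.uid)
  rescue NotImplementedError
    # Try something portable... might not be as secure though
    Process::Sys::setegid(pw.gid)
    Process::Sys::setgid(pw.gid)
    Process::Sys::setuid(pw.uid)
  rescue => e
    puts "Cannot drop privileges: #{e}"
    exit 1
  end
end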

Tested on *BSD and linux. At least NetBSD doesn't implement the
setres* system calls (which aren't defined by POSIX), so I added the
rescue for NotImplementedError.

HTH,
Andre
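
A check that could run right after drop_privileges, most useful on the portable fallback path that the post notes "might not be as secure". This is an added example, not part of Andre's post; the helper names (current_identity, drop_problems, can_regain_root?, verify_drop!) are hypothetical.

```ruby
# Added example: verify that a privilege drop actually took effect.
# All helper names here are hypothetical, not from the thread.

# Identity the kernel currently reports for this process.
def current_identity
  { uid: Process.uid, euid: Process.euid,
    gid: Process.gid, egid: Process.egid,
    groups: Process.groups }
end

# Compare an identity snapshot with the target account. Returns a list of
# problems; an empty list means real/effective IDs and groups look right.
def drop_problems(target_uid, target_gid, id = current_identity)
  problems = []
  %i[uid euid].each do |k|
    problems << "#{k} is #{id[k]}, expected #{target_uid}" unless id[k] == target_uid
  end
  %i[gid egid].each do |k|
    problems << "#{k} is #{id[k]}, expected #{target_gid}" unless id[k] == target_gid
  end
  # gid 0 left in the supplementary list means initgroups was skipped,
  # or was attempted after the uid change, when it can no longer succeed.
  if target_gid != 0 && id[:groups].include?(0)
    problems << "supplementary groups still include gid 0"
  end
  problems
end

# True if euid 0 can still be taken back, i.e. a saved set-user-ID of 0
# survived the drop. If this returns true the process is root again, so
# the caller must stop rather than continue.
def can_regain_root?
  Process::Sys.seteuid(0)
  true
rescue SystemCallError, NotImplementedError
  false
end

# Fail closed: abort instead of serving requests with leftover privileges.
def verify_drop!(target_uid, target_gid)
  problems = drop_problems(target_uid, target_gid)
  problems << "seteuid(0) still succeeds" if target_uid != 0 && can_regain_root?
  abort("privilege drop incomplete: #{problems.join('; ')}") unless problems.empty?
  true
end
```

Called as verify_drop!(pw.uid, pw.gid) at the end of drop_privileges, it stops the server when any ID was left behind.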