[lnkForumImage]
TotalShareware - Download Free Software
Confronta i prezzi di migliaia di prodotti.
Asp Forum
 Home | Login | Register | Search 


 

Forums >

comp.lang.ruby

Process::GID.change_privilege not changing groups properly?

Scott McNab

6/3/2007 2:29:00 PM

Hello.

I am trying to use Process::GID.change_privilege to get a root process
to assume the full group permissions of a specified user. However, it
seems that the process does not assume the proper group permissions of
the new group.

Consider the following scenario (running on Linux Centos 5):

* I have a normal user account 'scott' with UID = GID = 502. This user
belongs to two groups ('scott' and 'testdev'), which can be seen as
follows:

[scott@localhost ~]$ irb
irb(main):001:0> `groups`
=> "scott testdev\n"
irb(main):002:0>

* Now, when I run the ruby interpreter as root and attempt to switch to
user 502, I get the following output:

[root@localhost ~]# irb
irb(main):001:0> `groups`
=> "root bin daemon sys adm disk wheel\n"
irb(main):002:0> Process::GID.change_privilege(502)
=> 502
irb(main):003:0> Process::UID.change_privilege(502)
=> 502
irb(main):004:0> `groups`
=> "scott root bin daemon sys adm disk wheel\n"
irb(main):005:0>

* Notice here how the process has correctly assumed the privileges of
group 'scott', but is missing the 'testdev' group.

* Also, why does the process still have all the root user group
privileges too? Should they not have been revoked?

Note: if I do the same thing using shell commands I get the correct
result as expected:

[root@localhost ~]# groups
root bin daemon sys adm disk wheel
[root@localhost ~]# su - scott
[scott@localhost ~]$ groups
scott testdev
[scott@localhost ~]$

Can anyone please explain why this doesn't work as expected? How can I
achieve this desired outcome with ruby?

Thanks
Scott

--
Posted via http://www.ruby-....
2 Answers

Brian Candler

6/3/2007 7:00:00 PM

0

On Sun, Jun 03, 2007 at 11:28:59PM +0900, Scott McNab wrote:
> irb(main):001:0> `groups`
> => "root bin daemon sys adm disk wheel\n"
> irb(main):002:0> Process::GID.change_privilege(502)
> => 502
> irb(main):003:0> Process::UID.change_privilege(502)
> => 502
> irb(main):004:0> `groups`
> => "scott root bin daemon sys adm disk wheel\n"
> irb(main):005:0>
>
> * Notice here how the process has correctly assumed the privileges of
> group 'scott', but is missing the 'testdev' group.

Try using Process.initgroups

> Note: if I do the same thing using shell commands I get the correct
> result as expected:
>
> [root@localhost ~]# groups
> root bin daemon sys adm disk wheel
> [root@localhost ~]# su - scott
> [scott@localhost ~]$ groups
> scott testdev
> [scott@localhost ~]$

If you look at the source code to su, you'll probably find it calls
initgroups() somewhere.

Regards,

Brian.

Scott McNab

6/5/2007 12:31:00 PM

0

Brian Candler wrote:
> Try using Process.initgroups

Thanks Brian that fixed it!

> If you look at the source code to su, you'll probably find it calls
> initgroups() somewhere.

Actually you were spot on. The source in su.c (in the coreutils package)
does exactly that:

/* Become the user and group(s) specified by PW. */

static void
change_identity (const struct passwd *pw)
{
#ifdef HAVE_INITGROUPS
errno = 0;
if (initgroups (pw->pw_name, pw->pw_gid) == -1)
error (EXIT_FAIL, errno, _("cannot set groups"));
endgrent ();
#endif
if (setgid (pw->pw_gid))
error (EXIT_FAIL, errno, _("cannot set group id"));
if (setuid (pw->pw_uid))
error (EXIT_FAIL, errno, _("cannot set user id"));
}

Now, all we need is to get this fix incorporated into the Mongrel gem
source tree...

Regards
Scott

--
Posted via http://www.ruby-....