# HG changeset patch
# User Julien Cristau
# Date 1315314966 -7200
# Node ID c709f6c457ffd4811b603ac41c04c2d16f94cb3e
# Parent 31210a2ead6316c3a115f970f4cf82916959d446
Drop privileges properly (closes #1910561) Use new function from logilab.common.daemon to switch to non-privileged uid and gid.
diff -r 31210a2ead63 -r c709f6c457ff __pkginfo__.py
--- a/__pkginfo__.py Tue Sep 06 15:11:35 2011 +0200
+++ b/__pkginfo__.py Tue Sep 06 15:16:06 2011 +0200
@@ -40,7 +40,7 @@
 ]
 __depends__ = {
- 'logilab-common': '>= 0.55.2',
+ 'logilab-common': '>= 0.56.2',
 'logilab-mtconverter': '>= 0.8.0',
 'rql': '>= 0.28.0',
 'yams': '>= 0.33.0',
diff -r 31210a2ead63 -r c709f6c457ff debian/control
--- a/debian/control Tue Sep 06 15:11:35 2011 +0200
+++ b/debian/control Tue Sep 06 15:16:06 2011 +0200
@@ -35,7 +35,7 @@
 Conflicts: cubicweb-multisources
 Replaces: cubicweb-multisources
 Provides: cubicweb-multisources
-Depends: ${misc:Depends}, ${python:Depends}, cubicweb-common (= ${source:Version}), cubicweb-ctl (= ${source:Version}), python-logilab-database (>= 1.5.0), cubicweb-postgresql-support | cubicweb-mysql-support | python-pysqlite2
+Depends: ${misc:Depends}, ${python:Depends}, cubicweb-common (= ${source:Version}), cubicweb-ctl (= ${source:Version}), python-logilab-database (>= 1.5.0), cubicweb-postgresql-support | cubicweb-mysql-support | python-pysqlite2, python-logilab-common (>= 0.56.2)
 Recommends: pyro (<< 4.0.0), cubicweb-documentation (= ${source:Version})
 Description: server part of the CubicWeb framework
 CubicWeb is a semantic web application framework.
@@ -70,7 +70,7 @@
 Architecture: all
 XB-Python-Version: ${python:Versions}
 Provides: cubicweb-web-frontend
-Depends: ${misc:Depends}, ${python:Depends}, cubicweb-web (= ${source:Version}), cubicweb-ctl (= ${source:Version}), python-twisted-web
+Depends: ${misc:Depends}, ${python:Depends}, cubicweb-web (= ${source:Version}), cubicweb-ctl (= ${source:Version}), python-twisted-web, python-logilab-common (>= 0.56.2)
 Recommends: pyro (<< 4.0.0), cubicweb-documentation (= ${source:Version})
 Description: twisted-based web interface for the CubicWeb framework
 CubicWeb is a semantic web application framework.
diff -r 31210a2ead63 -r c709f6c457ff etwist/server.py
--- a/etwist/server.py Tue Sep 06 15:11:35 2011 +0200
+++ b/etwist/server.py Tue Sep 06 15:16:06 2011 +0200
@@ -25,7 +25,6 @@
 import os
 import os.path as osp
 import select
-import errno
 import traceback
 import threading
 import re
@@ -523,12 +522,8 @@
 return whichproc # parent process
 root_resource.init_publisher() # before changing uid
 if config['uid'] is not None:
- try:
- uid = int(config['uid'])
- except ValueError:
- from pwd import getpwnam
- uid = getpwnam(config['uid']).pw_uid
- os.setuid(uid)
+ from logilab.common.daemon import setugid
+ setugid(config['uid'])
 root_resource.start_service()
 LOGGER.info('instance started on %s', root_resource.base_url)
 # avoid annoying warnign if not in Main Thread
diff -r 31210a2ead63 -r c709f6c457ff server/serverctl.py
--- a/server/serverctl.py Tue Sep 06 15:11:35 2011 +0200
+++ b/server/serverctl.py Tue Sep 06 15:16:06 2011 +0200
@@ -651,7 +651,7 @@
 )
 def run(self, args):
- from logilab.common.daemon import daemonize
+ from logilab.common.daemon import daemonize, setugid
 from cubicweb.cwctl import init_cmdline_log_threshold
 from cubicweb.server.server import RepositoryServer
 appid = args[0]
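Review bot: The guard `if config['uid'] is not None:` in the `@@ -523,12 +522,8 @@` hunk of etwist/server.py means an instance started as root with no uid configured keeps root privileges, and nothing in the visible lines logs that. A check after the block, for example `if hasattr(os, 'getuid') and os.getuid() == 0: LOGGER.warning('instance is running as root')`, would make that state visible at startup. A short comment above the call, such as `# setugid() switches the gid as well as the uid; must stay after init_publisher()`, would record why the ordering is deliberate. The same guard appears in the `@@ -675,12 +675,7 @@` hunk of server/serverctl.py around `setugid(uid)`, so the point applies there too. Both enclosing functions start and end outside their hunks.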
@@ -675,12 +675,7 @@
 return
 uid = config['uid']
 if uid is not None:
- try:
- uid = int(uid)
- except ValueError:
- from pwd import getpwnam
- uid = getpwnam(uid).pw_uid
- os.setuid(uid)
+ setugid(uid)
 server.install_sig_handlers()
 server.connect(config['host'], 0)
 server.run()