Drop privileges properly (closes #1910561)
Use new function from logilab.common.daemon to switch to non-privileged
uid and gid.
--- a/__pkginfo__.py Tue Sep 06 15:11:35 2011 +0200
+++ b/__pkginfo__.py Tue Sep 06 15:16:06 2011 +0200
@@ -40,7 +40,7 @@
]
__depends__ = {
- 'logilab-common': '>= 0.55.2',
+ 'logilab-common': '>= 0.56.2',
'logilab-mtconverter': '>= 0.8.0',
'rql': '>= 0.28.0',
'yams': '>= 0.33.0',
--- a/debian/control Tue Sep 06 15:11:35 2011 +0200
+++ b/debian/control Tue Sep 06 15:16:06 2011 +0200
@@ -35,7 +35,7 @@
Conflicts: cubicweb-multisources
Replaces: cubicweb-multisources
Provides: cubicweb-multisources
-Depends: ${misc:Depends}, ${python:Depends}, cubicweb-common (= ${source:Version}), cubicweb-ctl (= ${source:Version}), python-logilab-database (>= 1.5.0), cubicweb-postgresql-support | cubicweb-mysql-support | python-pysqlite2
+Depends: ${misc:Depends}, ${python:Depends}, cubicweb-common (= ${source:Version}), cubicweb-ctl (= ${source:Version}), python-logilab-database (>= 1.5.0), cubicweb-postgresql-support | cubicweb-mysql-support | python-pysqlite2, python-logilab-common (>= 0.56.2)
Recommends: pyro (<< 4.0.0), cubicweb-documentation (= ${source:Version})
Description: server part of the CubicWeb framework
CubicWeb is a semantic web application framework.
@@ -70,7 +70,7 @@
Architecture: all
XB-Python-Version: ${python:Versions}
Provides: cubicweb-web-frontend
-Depends: ${misc:Depends}, ${python:Depends}, cubicweb-web (= ${source:Version}), cubicweb-ctl (= ${source:Version}), python-twisted-web
+Depends: ${misc:Depends}, ${python:Depends}, cubicweb-web (= ${source:Version}), cubicweb-ctl (= ${source:Version}), python-twisted-web, python-logilab-common (>= 0.56.2)
Recommends: pyro (<< 4.0.0), cubicweb-documentation (= ${source:Version})
Description: twisted-based web interface for the CubicWeb framework
CubicWeb is a semantic web application framework.
--- a/etwist/server.py Tue Sep 06 15:11:35 2011 +0200
+++ b/etwist/server.py Tue Sep 06 15:16:06 2011 +0200
@@ -25,7 +25,6 @@
import os
import os.path as osp
import select
-import errno
import traceback
import threading
import re
@@ -523,12 +522,8 @@
return whichproc # parent process
root_resource.init_publisher() # before changing uid
if config['uid'] is not None:
- try:
- uid = int(config['uid'])
- except ValueError:
- from pwd import getpwnam
- uid = getpwnam(config['uid']).pw_uid
- os.setuid(uid)
+ from logilab.common.daemon import setugid
+ setugid(config['uid'])
root_resource.start_service()
LOGGER.info('instance started on %s', root_resource.base_url)
# avoid annoying warnign if not in Main Thread
--- a/server/serverctl.py Tue Sep 06 15:11:35 2011 +0200
+++ b/server/serverctl.py Tue Sep 06 15:16:06 2011 +0200
@@ -651,7 +651,7 @@
)
def run(self, args):
- from logilab.common.daemon import daemonize
+ from logilab.common.daemon import daemonize, setugid
from cubicweb.cwctl import init_cmdline_log_threshold
from cubicweb.server.server import RepositoryServer
appid = args[0]
@@ -675,12 +675,7 @@
return
uid = config['uid']
if uid is not None:
- try:
- uid = int(uid)
- except ValueError:
- from pwd import getpwnam
- uid = getpwnam(uid).pw_uid
- os.setuid(uid)
+ setugid(uid)
server.install_sig_handlers()
server.connect(config['host'], 0)
server.run()