Hi, many daemons allow an argument "-u uid" which makes the program run
under that user. Of course this can be done just by root or privileged users.
It's commonly used in init scripts. These are started by the init process running
as root and start services running under another user.
However it seems that the ruby binary doesn't implement such an option. Is there any
way to get it?
If not, I should use the "su" command and so on.
Thanks.
-- 
Iñaki Baz Castillo <ibc@aliax.net>
ibc | 12/12/2009 3:14:03 PM
On Sat, Dec 12, 2009 at 10:14 AM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
> Hi, many daemons allow an argument "-u uid" which makes the program run
> under that user. Of course this can be done just by root or privileged users.
>
> It's commonly used in init scripts. These are started by the init process running
> as root and start services running under another user.
>
> However it seems that the ruby binary doesn't implement such an option. Is there any
> way to get it?
> If not, I should use the "su" command and so on.
>
Here's a snippet from our unicorn config that changes the user for
workers from root to deploy. You can probably use something from it.

require 'etc'   # for Etc.getpwnam / Etc.getgrnam

##
# Unicorn master is started as root, which is fine, but let's
# drop the workers to deploy:deploy
uid, gid = Process.euid, Process.egid
user, group = 'deploy', 'deploy'
target_uid = Etc.getpwnam(user).uid
target_gid = Etc.getgrnam(group).gid
worker.tmp.chown(target_uid, target_gid)   # worker is Unicorn's worker object (after_fork hook)
if uid != target_uid || gid != target_gid
  Process.initgroups(user, target_gid)        # supplementary groups first (needs root)
  Process::GID.change_privilege(target_gid)   # then the gid
  Process::UID.change_privilege(target_uid)   # uid last; no way back after this
end

Best regards,
Michael Guterl
Michael | 12/12/2009 3:20:01 PM
On Saturday, 12 December 2009, Michael Guterl wrote:
> On Sat, Dec 12, 2009 at 10:14 AM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
> > Hi, many daemons allow an argument "-u uid" which makes the program
> > run under that user. Of course this can be done just by root or
> > privileged users.
> >
> > It's commonly used in init scripts. These are started by the init process
> > running as root and start services running under another user.
> >
> > However it seems that the ruby binary doesn't implement such an option. Is there
> > any way to get it?
> > If not, I should use the "su" command and so on.
> 
> Here's a snippet from our unicorn config that changes the user for
> workers from root to deploy. You can probably use something from it.
> 
> ##
> # Unicorn master is started as root, which is fine, but let's
> # drop the workers to deploy:deploy
> 
> uid, gid = Process.euid, Process.egid
> user, group = 'deploy', 'deploy'
> target_uid = Etc.getpwnam(user).uid
> target_gid = Etc.getgrnam(group).gid
> worker.tmp.chown(target_uid, target_gid)
> if uid != target_uid || gid != target_gid
>   Process.initgroups(user, target_gid)
>   Process::GID.change_privilege(target_gid)
>   Process::UID.change_privilege(target_uid)
> end
Thanks, I'll try it.
-- 
Iñaki Baz Castillo <ibc@aliax.net>
utf | 12/12/2009 3:33:52 PM
Hi,
On Sunday, 13 Dec 2009, 00:14:03 +0900, Iñaki Baz Castillo wrote:
> Hi, many daemons allow an argument "-u uid" which makes the program run
> under that user. Of course this can be done just by root or privileged users.
> 
> It's commonly used in init scripts. These are started by the init process running
> as root and start services running under another user.
> 
> However it seems that the ruby binary doesn't implement such an option. Is there any
> way to get it?
> If not, I should use the "su" command and so on.
Maybe you'd like to copy that:
http://bertram-scharpf.homelinux.com:8808/doc_root/bs-ruby-3.0/rdoc/classes/Kernel.src/M000100.html
Bertram
-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
*
Discover String#notempty? at <http://raa.ruby-lang.org/project/step>.
Bertram | 12/12/2009 3:34:45 PM
On Saturday, 12 December 2009, Bertram Scharpf wrote:
> Hi,
> 
> On Sunday, 13 Dec 2009, 00:14:03 +0900, Iñaki Baz Castillo wrote:
> > Hi, many daemons allow an argument "-u uid" which makes the program
> > run under that user. Of course this can be done just by root or
> > privileged users.
> >
> > It's commonly used in init scripts. These are started by the init process
> > running as root and start services running under another user.
> >
> > However it seems that the ruby binary doesn't implement such an option. Is there
> > any way to get it?
> > If not, I should use the "su" command and so on.
> 
> Maybe you'd like to copy that:
> 
> http://bertram-scharpf.homelinux.com:8808/doc_root/bs-ruby-3.0/rdoc/classes/Kernel.src/M000100.html
Really annoying. However, I've found an issue with group permissions when doing
Kernel#su. I must investigate it a bit more.
Thanks a lot.
-- 
Iñaki Baz Castillo <ibc@aliax.net>
iso | 12/12/2009 4:22:32 PM
On Saturday, 12 December 2009, Iñaki Baz Castillo wrote:
> > Maybe you'd like to copy that:
> > 
> > http://bertram-scharpf.homelinux.com:8808/doc_root/bs-ruby-3.0/rdoc/classes/Kernel.src/M000100.html
> 
> Really annoying. However, I've found an issue with group permissions when
> doing Kernel#su. I must investigate it a bit more.
Let me explain it:
- My home "/home/ibc" has these owner/group and permissions:
drwxr-x--- ibc ibc_grp /home/ibc/
- Another user "alice" belongs to the "ibc_grp" group, so user "alice" can read
into /home/ibc:
~# whoami
alice
~# cd /home/ibc
~# echo $?
0

- Now I start an irb session as the root user, load "fileutils" and your
"kernel#su" Ruby file.
- I do "su" to become "alice:alice" and try to enter /home/ibc, but it
fails:
irb> su "alice", "alice" do Dir.chdir("/home/ibc") ; end
(irb):9:in `chdir': Permission denied - /home/ibc (Errno::EACCES)
    from (irb):9:in `block in irb_binding'
    from /PATH_TO/kernel.rb:7:in `block in su'
- It also doesn't work even setting "root" as group (same error).
kernel.rb:
-------------
module Kernel
  def su u, g = nil
    if block_given? then
      pid = fork {
        su u, g
        yield            # <--- line 7
      }
      _, status = Process.waitpid2 pid
      return status
    end
    uid = case u
      when Fixnum then
      [...]
-------------
Is it an issue in your code or in the fileutils gem?
Thanks a lot.
-- 
Iñaki Baz Castillo <ibc@aliax.net>
iso | 12/12/2009 5:06:43 PM
On Saturday, 12 December 2009, Iñaki Baz Castillo wrote:
> - My home "/home/ibc" has these owner/group and permissions:
> 
> drwxr-x--- ibc ibc_grp /home/ibc/
> 
> - Another user "alice" belongs to the "ibc_grp" group, so user "alice" can
> read into /home/ibc:
> 
> ~# whoami
> alice
> ~# cd /home/ibc
> ~# echo $?
> 0
> 
> - Now I start an irb session as the root user, load "fileutils" and your
> "kernel#su" Ruby file.
> 
> - I do "su" to become "alice:alice" and try to enter /home/ibc, but it
> fails:
> 
> irb> su "alice", "alice" do Dir.chdir("/home/ibc") ; end
> (irb):9:in `chdir': Permission denied - /home/ibc (Errno::EACCES)
>     from (irb):9:in `block in irb_binding'
>     from /PATH_TO/kernel.rb:7:in `block in su'
> 
> - It also doesn't work even setting "root" as group (same error).
But it does work if I do:
irb> su "alice", "ibc_grp" do Dir.chdir("/home/ibc") ; end
Strange? It doesn't behave as when running a shell.
-- 
Iñaki Baz Castillo <ibc@aliax.net>
iso | 12/12/2009 5:12:12 PM
> kernel.rb:
> -------------
> module Kernel
>
>   def su u, g = nil
      ^^
>     if block_given? then
>       pid = fork {
>         su u, g
          ^^
It looks like a recursion to me. You do not get infinite
recursion just because you do not supply a block in line 6.
Can you tell what your Kernel#su is supposed to do?
Alfred
aalfred | 12/14/2009 7:36:50 AM
Forget about my previous answer. I've copied the original code and it
is okay ;-). I've tested it on my machine on Fedora 11 and ruby 1.8.6
(2009-08-04 patchlevel 383) and I get the right results in all the different
scenarios I tested.
What about the permissions on the /home directory?
aalfred | 12/14/2009 7:57:13 AM
On Monday, 14 December 2009, aalfred wrote:
> Forget about my previous answer. I've copied the original code and it
> is okay ;-). I've tested it on my machine on Fedora 11 and ruby 1.8.6
> (2009-08-04 patchlevel 383) and I get the right results in all the different
> scenarios I tested.
> 
> What about the permissions on the /home directory?
No issues there: using a shell and logging in as "alice" I can go into /home/ibc
because alice belongs to ibc's group.
-- 
Iñaki Baz Castillo <ibc@aliax.net>
iso | 12/14/2009 8:09:00 AM
It is almost certainly a permission issue. Check it again.
I've tested and it works fine.
Only when the directory was unreadable did I get the same result (error) as you
had.
Just a notice: there is a slight difference in your tests:
> su "alice", "alice" do Dir.chdir("/home/ibc") ; end
> su "alice", "ibc_grp" do Dir.chdir("/home/ibc") ; end
--
Alfred
aalfred | 12/14/2009 8:17:47 AM
On Monday, 14 December 2009, aalfred wrote:
> It is almost certainly a permission issue. Check it again.
> I've tested and it works fine.
> Only when the directory was unreadable did I get the same result (error) as you
> had.
I've re-checked:
In a terminal shell:
---------------
alice@ibc-laptop:/$ whoami
=> alice
alice@ibc-laptop:/$ pwd
=> /
alice@ibc-laptop:/$ cd /home/ibc
alice@ibc-laptop:/home/ibc$
---------------
In irb using "su":
--------------
root@ibc_laptop:/# whoami
=> root
root@ibc_laptop:/# su alice
alice@ibc-laptop:/$ pwd
=> /
alice@ibc-laptop:/$ irb -r "/tmp/kernel_su.rb"
irb> require "fileutils"
=> true
irb> su("alice", "alice") do Dir.chdir("/home/ibc") ; end
(irb):2:in `chdir': Permission denied - /home/ibc (Errno::EACCES)
    from (irb):2:in `block in irb_binding'
    from /tmp/kernel.rb:11:in `block in su'
    from /tmp/kernel.rb:9:in `fork'
    from /tmp/kernel.rb:9:in `su'
    from (irb):1:in `irb_binding'
irb> su("alice") do Dir.chdir("/home/ibc") ; end
(irb):3:in `chdir': Permission denied - /home/ibc (Errno::EACCES)
    from (irb):3:in `block in irb_binding'
    from /tmp/kernel.rb:11:in `block in su'
    from /tmp/kernel.rb:9:in `fork'
    from /tmp/kernel.rb:9:in `su'
    from (irb):1:in `irb_binding'
irb> su("openxdms", "ibc_grp") do Dir.chdir("/home/ibc") ; end
=> #<Process::Status: pid 10824 exit 0>
--------------
> Just a notice: there is a slight difference in your tests:
Yes, I cannot access the /home/ibc directory doing:
su "alice", "alice" do Dir.chdir("/home/ibc") ; end
but I can access it doing:
su "alice", "ibc_grp" do Dir.chdir("/home/ibc") ; end
Note that "alice" has "alice" as primary group but also belongs to the "ibc_grp"
group:
~# id alice
uid=1003(alice) gid=1003(alice) grupos=1003(alice),1004(ibc_priv)
~# ll -d /home/ibc
drwxr-x--- 77 ibc ibc_grp 4,0K 2009-12-14 09:50 /home/ibc/
-- 
Iñaki Baz Castillo <ibc@aliax.net>
iso | 12/14/2009 9:02:25 AM
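Added example, written for this thread and not taken from Michael's unicorn config or Bertram's Kernel#su: a root-to-user privilege drop in the style of Michael's snippet that also verifies its own result. setgid/setuid never touch the supplementary group list, so a drop without Process.initgroups keeps the caller's (root's) list and the new identity effectively has only the primary group it was handed, which is consistent with the two su calls above succeeding only when ibc_grp is passed as the primary group. The function names resolve_identity, identity_mismatches and drop_privileges are my own; the sample ids 1003/1004 and the names alice and ibc_grp come from Iñaki's id output.

```ruby
require 'etc'

# Resolve a user (and optional group) to numeric ids plus the supplementary
# groups a login shell would give that user: every group database entry that
# lists the user as a member, plus the target gid itself. Mirrors `id alice`.
def resolve_identity(user, group = nil)
  pw  = Etc.getpwnam(user)
  gid = group ? Etc.getgrnam(group).gid : pw.gid
  supplementary = []
  Etc.group { |g| supplementary << g.gid if g.mem.include?(user) }
  { user: user, uid: pw.uid, gid: gid, groups: ([gid] + supplementary).uniq.sort }
end

# Compare an expected identity with observed ids. Returns the mismatches (empty
# on success). Pure, so it can be exercised without root; drop_privileges feeds
# it the live values from Process.
def identity_mismatches(expected, euid:, egid:, groups:)
  problems = []
  problems << "euid #{euid} != #{expected[:uid]}" unless euid == expected[:uid]
  problems << "egid #{egid} != #{expected[:gid]}" unless egid == expected[:gid]
  missing = expected[:groups] - groups
  problems << "missing supplementary groups #{missing.inspect}" unless missing.empty?
  problems
end

# Drop from root to the resolved identity. Order matters: initgroups and the
# gid change need root, so they come first; the uid change is last because the
# process cannot touch its groups afterwards. Without the initgroups call the
# inherited supplementary list (root's) stays in place, so a directory that is
# group-readable only via ibc_grp (drwxr-x--- ibc ibc_grp) yields EACCES.
def drop_privileges(identity)
  Process.initgroups(identity[:user], identity[:gid])
  Process::GID.change_privilege(identity[:gid])   # real, effective and saved gid
  Process::UID.change_privilege(identity[:uid])   # real, effective and saved uid
  problems = identity_mismatches(identity, euid: Process.euid, egid: Process.egid,
                                 groups: Process.groups)
  raise "privilege drop incomplete: #{problems.join(', ')}" unless problems.empty?
  begin
    Process::UID.change_privilege(0)      # must fail: the saved uid is gone too
    raise "privilege drop reversible: regained root"
  rescue Errno::EPERM
    identity
  end
end

if __FILE__ == $0 && !ARGV.empty?   # usage, as root: ruby drop_privs.rb alice ibc_grp
  drop_privileges(resolve_identity(*ARGV[0, 2]))
  puts "running as #{Process.euid}:#{Process.egid}, groups #{Process.groups.sort.inspect}"
end
```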