[Twisted-Python] User manipulation question....

Dmitry S. Makovey dmitry at athabascau.ca
Wed Jun 8 10:22:29 EDT 2005


On June 7, 2005 02:13 pm, James Y Knight wrote:
> On Jun 7, 2005, at 3:47 PM, Dmitry S. Makovey wrote:
> > 1. run server as privileged user so I can setuid(...) any time I
> > want or
> > 2. run two threads or so so that one thread is superuser-owned
> > and the other one (the one that responds to requests) is
> > non-privileged. First one will handle file operations since it
> > can change uid on the fly and come back to normal.
>
> I assume by "thread" you mean "process", because threads in a
> single process can't have different owners.

Yes, sorry for the confusion.

> > I would prefer to implement second solution but I'm puzzled on
> > where to start. Does twisted provide such capabilities
> > out-of-the-box?
>
> Nope. The way I'd implement it is by having the unprivileged server
> execute a setuid-root binary which handles the file operations on
> behalf of a user. That binary should verify the user authentication
> data the unprivileged server sends it, and then setuid from root to
> the end-user uid, and then perform the requested operations.

I thought about it, but I'm sort of hesitant because it involves extra
execs etc., which might reflect on performance. But so far that's the
only simple option I have. The other one would be to fork early in
the main program and detach from the main process, leaving pipes for
communication etc., but then I've got another bottleneck - file
operations.

Thanks for the idea, I'll definitely give it a try. I only wish that I
could do it a "less expensive way" :)

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
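
The privilege-drop step of the helper James describes, as an added example that is not part of the original messages: it changes groups before the uid and then checks that root cannot be regained. It is written in Python for readability (Linux ignores the setuid bit on scripts, so it assumes a root parent starts it); `osmod` and `lookup` are hypothetical parameters, and verification of the authentication data is not shown.

```python
import os
import pwd
import sys


class PrivilegeDropError(Exception):
    """Raised when the process could still act as root after the drop."""


def drop_privileges(username, osmod=os, lookup=pwd.getpwnam):
    """Permanently switch a root process to `username`, then verify the result.

    `osmod` and `lookup` are hypothetical injection points so the ordering
    can be exercised without root; by default they are the real os and pwd.
    """
    entry = lookup(username)
    if entry.pw_uid == 0:
        raise PrivilegeDropError("target account is root; nothing would be dropped")
    # Group changes require root, so they must happen before setuid().
    osmod.initgroups(entry.pw_name, entry.pw_gid)  # replace root's supplementary groups
    osmod.setgid(entry.pw_gid)
    # Called as root, setuid() sets the real, effective and saved uid together.
    osmod.setuid(entry.pw_uid)
    # Verify instead of trusting return codes: regaining root must now fail.
    try:
        osmod.setuid(0)
    except OSError:
        pass
    else:
        raise PrivilegeDropError("setuid(0) succeeded after the drop")
    if (osmod.getuid(), osmod.geteuid()) != (entry.pw_uid, entry.pw_uid):
        raise PrivilegeDropError("uid does not match the target user")
    if (osmod.getgid(), osmod.getegid()) != (entry.pw_gid, entry.pw_gid):
        raise PrivilegeDropError("gid does not match the target user")
    return entry


if __name__ == "__main__":
    # Usage (as root): helper.py USERNAME PATH
    # Authentication of the request, which the helper must check first, is not shown.
    user, path = sys.argv[1], sys.argv[2]
    drop_privileges(user)
    with open(path, "rb") as fh:  # now subject to the end user's permissions
        sys.stdout.buffer.write(fh.read())
```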
