[Twisted-Python] twistd --uid and --logfile

twisted-web at udmvt.ru
Wed Aug 18 05:25:11 EDT 2010


On Tue, Aug 17, 2010 at 05:40:34PM -0000, exarkun at twistedmatrix.com wrote:
> On 11:35 am, zoran.bosnjak at sloveniacontrol.si wrote:
> >I am running twisted application from /etc/init/myapp.conf by exec
> >statement like this:
> >exec /usr/bin/twistd --uid=<id> --gid=<gid> --logfile=/var/log/dir/file
> >
> >The problem is when log file is first created under /var/log/dir (dir is
> >owned by user id), the owner of the file is 'root', not requested user.
> >As a consequence, the twistd is not able to rotate log files.
> >
> >If the logfile is already created (and chowned) before running twistd,
> >there is no problem. It looks like set uid/gid is called too late inside
> >twistd. It is supposed to be called before creating a logfile.
> >
> >Is this a bug or am I missing something?
> 
> If <id> or <gid> has write permission on /var/log/dir/ then rotation 
> should work, even if <id> or <gid> does not own the first logfile 
> created.

This is a way to screw up the system.
Consider this being run by the <uid> of the service:
  rm /var/log/dir/logfile
  ln -s /etc/shadow /var/log/dir/logfile

After the service restart the system will lose /etc/shadow.

In this case setuid() is called too late, truly.
I think --uid option is too dangerous.
sudo or su or setuidgid (from http://cr.yp.to/daemontools.html) is more
appropriate for changing uids.
It will always be hard to design an application that opens some files or
sockets and only then changes its uids/gids.

> 
> Jean-Paul
> 
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python at twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python

-- 
Alexey S.
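The hazard discussed above is a privileged open() following a symlink planted at the log path. As an added illustration (not part of the thread or of Twisted's own code), the function below opens a log file with O_NOFOLLOW so a planted link makes the open fail instead of truncating the link target, verifies the descriptor is a regular file, and chowns it to the service uid/gid so later rotation by that uid works; `open_log_nofollow` and `demo` are names chosen here, and `demo` builds a constructed scenario in a temporary directory.

```python
import os
import stat
import tempfile


def open_log_nofollow(path, uid=None, gid=None, mode=0o640):
    """Create or open a log file for appending without following symlinks.

    O_NOFOLLOW makes open() fail with ELOOP when the final path component
    is a symlink, so a link placed at the log path cannot redirect a
    root-owned open onto another file. The descriptor is then checked to
    be a regular file and, if uid/gid are given, chowned so the service
    user can rotate it later.
    """
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW | os.O_NOCTTY
    fd = os.open(path, flags, mode)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError("log path is not a regular file: %s" % path)
        if uid is not None or gid is not None:
            os.fchown(fd, -1 if uid is None else uid, -1 if gid is None else gid)
    except Exception:
        os.close(fd)
        raise
    return fd


def demo():
    """Constructed scenario: a symlink at the log path versus a real log file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim")          # stands in for the linked-to file
        with open(target, "w") as f:
            f.write("original\n")
        planted = os.path.join(d, "logfile")
        os.symlink(target, planted)                 # link sitting where the log should be
        try:
            open_log_nofollow(planted)
            results["symlink_refused"] = False
        except OSError:
            results["symlink_refused"] = True       # open() failed, target untouched
        with open(target) as f:
            results["victim_intact"] = f.read() == "original\n"
        real = os.path.join(d, "real.log")
        fd = open_log_nofollow(real, os.getuid(), os.getgid())
        os.write(fd, b"started\n")
        os.close(fd)
        results["real_opened"] = os.path.isfile(real)
    return results
```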