[Twisted-Python] twistd --uid and --logfile

exarkun at twistedmatrix.com
Wed Aug 18 12:01:52 EDT 2010


On 03:35 pm, p.mayers at imperial.ac.uk wrote:
>On 18/08/10 10:25, twisted-web at udmvt.ru wrote:
>>I think the --uid option is too dangerous.
>>sudo or su or setuidgid (from http://cr.yp.to/daemontools.html) is more
>>appropriate for changing uids.
>
>In all cases? I think not.

Making the directory world writeable is certainly insane and dangerous. 
But in the case where the directory is only writeable by the user the 
daemon is going to run as, and access to that user is restricted, I 
don't see a problem.
>
>>It will always be hard to design an application that opens some files or
>>sockets and only then changes its uids/gids.
>
>What about a daemon that needs to listen on ports <1024?

For this case, I would very strongly recommend authbind instead.  And I 
think this covers 99% of cases where you would otherwise need to start 
up as root.  For the remaining small number of cases, being able to 
start as root and then shed privileges is definitely more convenient 
than other approaches (although quite possibly inferior to them in all 
other regards).

Jean-Paul
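
An added example, not part of the message above and not Twisted code: a pre-flight check that a log location matches the safe case described in the reply, a directory writable only by the user the daemon will run as. The function name `audit_log_path` and the file name used in the usage lines are assumptions made for illustration.

```python
import os
import stat


def audit_log_path(logfile, daemon_uid):
    """Return a list of problems with the log location for a daemon that
    will run as daemon_uid. An empty list means the directory is owned by
    and writable only by that user."""
    problems = []
    logdir = os.path.dirname(os.path.abspath(logfile))
    d = os.lstat(logdir)  # lstat: a symlinked directory is reported, not followed
    if not stat.S_ISDIR(d.st_mode):
        return ["%s is not a real directory" % logdir]
    if d.st_mode & stat.S_IWOTH:
        problems.append("directory is world-writable")
    if d.st_mode & stat.S_IWGRP:
        problems.append("directory is group-writable")
    if d.st_uid != daemon_uid:
        problems.append("directory owned by uid %d, not %d" % (d.st_uid, daemon_uid))
    elif not d.st_mode & stat.S_IWUSR:
        problems.append("daemon user cannot write to directory")

    try:
        f = os.lstat(logfile)
    except FileNotFoundError:
        return problems  # nothing there yet; the daemon will create it
    # A pre-existing entry must be a plain file that belongs to the daemon
    # user; links planted in the directory would redirect the daemon's writes.
    if not stat.S_ISREG(f.st_mode):
        problems.append("log file is not a regular file")
    elif f.st_nlink > 1:
        problems.append("log file has extra hard links")
    elif f.st_uid != daemon_uid:
        problems.append("log file owned by uid %d, not %d" % (f.st_uid, daemon_uid))
    return problems


if __name__ == "__main__":
    import sys
    # Usage (assumed): python audit.py /var/log/mydaemon/twistd.log 1001
    for problem in audit_log_path(sys.argv[1], int(sys.argv[2])):
        print(problem)
```
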
