[Twisted-Python] twistd --uid and --logfile

twisted-web at udmvt.ru twisted-web at udmvt.ru
Thu Aug 19 02:55:23 EDT 2010


On Wed, Aug 18, 2010 at 04:35:29PM +0100, Phil Mayers wrote:
> On 18/08/10 10:25, twisted-web at udmvt.ru wrote:
> 
> > I think --uid option is too dangerous.
> > sudo or su or setuidgid (from http://cr.yp.to/daemontools.html) is more
> > appropriate for changing uids.
> 
> In all cases? I think not.
There is no option to tell the code when to setuid(), right?
So, is the place, where it happens now, appropriate for all of your cases?
I don't think so. And it will never be appropriate for all cases,
there is no one correct place where to do setuid, that heavily depends
on every particular case.

--uid is not that simple and magical solution to the "all cases", believe me.
twistd binary is not designed for "all cases" either.
If you have your special case, design outside of twistd binary, it is only
a helper to provide twisted power to command line.

> 
> > It will always be hard to design an application that opens some files or
> > sockets and only then changes its uids/gids.
> 
> What about a daemon that needs to listen on ports <1024?
Use code, that opens a listening socket, binds it and then executes setuidgid
program that runs your particular program.
Clear and simple approach, separation, that is clearly visible outside of code.
Twisted is not ready for such simplification, it can't use pre-opened sockets,
at least without a hack.

> 
> Sure it's hard and needs care. twistd may be doing it wrong at the 
> moment. But it should be quite possible to fix that. "sudo" and "su" 
> don't do anything magical. Nor does "apache", or any one of the hundreds 
> of daemons that open sockets then setuid.
Ports < 1024 are not a newbie task. Professional programmers are very rarely
able to design secure setuid code in one attempt. Even experienced
people have to redesign their setuid code several times and nobody blames them.

sudo and su do very obscure and magic things, they are not only used to
change uid by request of root, but they also have setuid bit set on their binary,
so they have to do a lot of voodoo to protect themselves from non-root users.

setuidgid is not setuid binary, so it only does one task at a time and it
separates this task from your application's task. So the user, the administrator
and the programmer can be sure, that there is nothing in application, that
can break security.

The --uid option's semantics are not trivial, and not every user understands its risks.
I'm afraid not every twisted developer understands its risks.
This is a very bad option.
It is unclear, when setuid happens, or what is being done before setuid() happens.
Help only says "The uid to run as.", so it looks simple and without caveats,
but it is not simple as long as you have security concerns.

To twisted developers:
Don't encourage people to design insecure code, please.
Don't make others blame twisted for insecurity.
Just don't get twisted involved in any security issues.
Replace that option with a reminder on how to change uids properly.
It is very dangerous to have such option, especially if it is not test covered.

-- 
Alexey
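As an added illustration of the separation Alexey argues for (a small binder opens the privileged port, a setuidgid-style step drops root, and only then does the application start), here is example code that is not from this thread, twistd or daemontools. It collapses the binder and the privilege drop into one stage-1 script, hands the socket to stage 2 as an inherited descriptor through a constructed environment variable `APP_LISTEN_FD`, and keeps every privileged call out of the application. It assumes a Unix host and Python 3.7 or later; all function names are this example's own.

```python
import os
import socket

# Constructed variable name for this example (not a twistd or daemontools
# convention): stage 1 uses it to tell stage 2 which descriptor to adopt.
LISTEN_FD_ENV = "APP_LISTEN_FD"


def bind_listening_socket(host, port, backlog=128):
    """Stage 1: the only action that needs root is the bind itself."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    # Python creates descriptors close-on-exec; this one must survive execv().
    sock.set_inheritable(True)
    return sock


def privileges_dropped(uid, gid):
    """True only if we now run as uid/gid and root can no longer be regained."""
    if uid == 0 or os.geteuid() != uid or os.getegid() != gid:
        return False
    try:
        os.setuid(0)  # must fail: real, effective and saved uid are all non-root
    except PermissionError:
        return True
    return False  # setuid(0) worked, so the saved uid was still 0


def drop_privileges(uid, gid):
    """Give up root for good, in the only order that works.

    setgroups() and setgid() need root, so they come before setuid();
    the check afterwards refuses to trust a drop that did not take effect.
    """
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if not privileges_dropped(uid, gid):
        raise RuntimeError("privilege drop did not take effect")


def exec_unprivileged(sock, argv, uid, gid):
    """Stage 1 ends here: drop root, then replace ourselves with the application.

    Like chaining the binder into setuidgid(8): the application image starts
    life already unprivileged, with the bound socket as an inherited fd.
    """
    os.environ[LISTEN_FD_ENV] = str(sock.fileno())
    drop_privileges(uid, gid)
    os.execv(argv[0], argv)


def refuse_root():
    """Stage 2 never needs root; running as root means it was started wrongly."""
    if os.geteuid() == 0:
        raise SystemExit("refusing to run as root; start me through the binder")


def adopt_listening_socket(fd=None):
    """Stage 2: pick up the inherited descriptor as a socket object."""
    if fd is None:
        fd = int(os.environ[LISTEN_FD_ENV])
    # Python 3.7+ infers family and type from the descriptor itself.
    return socket.socket(fileno=fd)


def handoff_self_test():
    """Round-trip the handoff in one process, without root, on an ephemeral port.

    os.dup() stands in for the copy the child inherits across exec; a real
    client connection proves the adopted socket is the live listening socket.
    """
    binder_copy = bind_listening_socket("127.0.0.1", 0)
    app_copy = adopt_listening_socket(os.dup(binder_copy.fileno()))
    binder_copy.close()  # the binder is finished with its copy
    port = app_copy.getsockname()[1]
    with socket.create_connection(("127.0.0.1", port)) as client:
        conn, _ = app_copy.accept()
        with conn:
            client.sendall(b"ping")
            ok = conn.recv(4) == b"ping"
    app_copy.close()
    return ok
```

Stage 1 would be a few lines calling `bind_listening_socket()` on the low port and then `exec_unprivileged()` with the application's argv and the target uid/gid; stage 2 calls `refuse_root()` and `adopt_listening_socket()` before serving. `handoff_self_test()` exercises only the descriptor handoff, which needs no privileges, so it can be run on any workstation.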
