[Twisted-Python] Aplication process uid/gid
Jean-Paul Calderone
exarkun at divmod.com
Mon Apr 28 08:46:57 EDT 2008
On Mon, 28 Apr 2008 09:38:00 -0300, Miguel Filho <miguel.filho at gmail.com> wrote:
>Hello list,
>
>The code:
>===============================
> [snip]
>application = service.Application('apolicy', uid=user[2], gid=user[3])
>serviceCollection = service.IServiceCollection(application)
>
>address, port = config.get("main", "listen").split(":")
>
>internet.TCPServer(int(port), ACLPolicyDaemonFactory(),
>interface=address).setServiceParent(serviceCollection)
>===============================
>
>I'm using twistd to start my daemon, the process starts normally and
>the owner is the user nobody.
>
># ps uaxf | grep nobody
>nobody 29052 0.1 0.6 13140 6440 ? S 09:11 0:01
>/usr/bin/python /usr/bin/twistd -y
>/usr/lib/python2.4/site-packages/apolicy/server.py -q --logfile
>/var/log/twistd.log --pidfile=/var/run/twistd.pid
>
>My class ACLPolicyDaemonFactory() tries to write a file to test if the
>path given to my application is writable and has no problems, but the
>file is created as root. What is the point where the process is
>already running as nobody?
Privileges aren't shed immediately when Application is created. They're
shed after privilegedStartService and before startService. You should
delay any potentially sensitive operations until startService (ie, don't
do them in ACLPolicyDaemonFactory.__init__ which is when I assume you
meant you were opening that file).
Jean-Paul
More information about the Twisted-Python
mailing list