[Twisted-Python] twistd --uid and --logfile

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 19 00:22:37 MDT 2010


On 08/18/2010 05:01 PM, exarkun at twistedmatrix.com wrote:
> On 03:35 pm, p.mayers at imperial.ac.uk wrote:
>> On 18/08/10 10:25, twisted-web at udmvt.ru wrote:
>>> I think --uid option is too dangerous.
>>> sudo or su or setuidgid (from http://cr.yp.to/daemontools.html) is
>>> more appropriate for changing uids.
>>
>> In all cases? I think not.
>
> Making the directory world writeable is certainly insane and dangerous.
> But in the case where the directory is only writeable by the user the
> daemon is going to run as, and access to that user is restricted, I
> don't see a problem.

I'm not sure which message you're replying to here. I don't disagree 
with you.

I was stating that I didn't think external tools such as "su" were *in 
all cases* appropriate for changing uid.

>> What about a daemon that needs to listen on ports < 1024?
>
> For this case, I would very strongly recommend authbind instead.  And I

I'd never heard of authbind. It has some unfortunate limitations (ipv4 
only, no ports 512-1023) but is an interesting approach.

I wonder whether one could do something with SELinux today? (As an 
aside, one of the reasons to *not* use twistd is you can't separately 
label a .tac file - if of course you want to use SELinux)

> think this covers 99% of cases where you would otherwise need to start
> up as root.  For the remaining small number of cases, being able to
> start as root and then shed privileges is definitely more convenient
> than other approaches (although quite possibly inferior to them in all
> other regards).

Sure; that's what I was getting at.
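As an added illustration of the "start as root, acquire the privileged resources, then shed privileges" sequence the thread describes (this is example code written for this page, not twistd's implementation and not anything posted in the thread), the block below opens the log file and binds the low port while still root, checks the log directory against the world-writable layout exarkun calls insane, and then drops to an unprivileged uid/gid in the only order that works, verifying afterwards that the drop cannot be undone. It assumes Linux (os.setresuid/os.setresgid); the "nobody" account and the /var/log/example directory in the __main__ block are constructed assumptions for the demonstration.

```python
import os
import socket
import stat


def check_log_dir(path, daemon_uid):
    """Return True only if `path` is a directory that is neither group- nor
    world-writable and is owned by root or by the daemon's own uid.

    This is the thread's rule: a log directory writable only by the user the
    daemon runs as is acceptable, a world-writable one is not.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return st.st_uid in (0, daemon_uid)


def open_log_as_root(path, daemon_uid, daemon_gid):
    """Open the log file while still root, then hand it to the daemon user so
    the unprivileged process can reopen it after rotation.

    O_APPEND|O_CREAT without O_TRUNC never clobbers an existing file, and
    mode 0o640 keeps other users from reading it.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)
    os.fchown(fd, daemon_uid, daemon_gid)
    return fd


def bind_privileged_port(port):
    """Bind a listening TCP socket. For port < 1024 this needs root (or
    CAP_NET_BIND_SERVICE), which is the only reason the daemon starts as root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    sock.listen(128)
    return sock


def drop_privileges(uid, gid):
    """Irreversibly switch from root to uid/gid and prove it happened.

    Order matters: supplementary groups and the gid are dropped first, because
    once the effective uid is no longer 0 those calls are refused. The setres*
    variants clear the saved ids as well, so there is no path back to root.
    """
    if uid == 0:
        raise ValueError("refusing to 'drop' to uid 0")
    if os.getuid() != 0:
        raise RuntimeError("drop_privileges must be called as root")
    os.setgroups([])
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    if os.getuid() != uid or os.getgid() != gid:
        raise RuntimeError("uid/gid did not change as expected")
    # Regaining root must now fail; abort rather than run with a reversible drop.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop was reversible")


def start_daemon(port, log_dir, log_name, uid, gid):
    """Acquire every privileged resource first (the port and the log fd),
    then drop to uid/gid. Returns the socket and log fd for the unprivileged
    part of the program."""
    if not check_log_dir(log_dir, uid):
        raise RuntimeError("refusing to log into an unsafe directory: %s" % log_dir)
    log_fd = open_log_as_root(os.path.join(log_dir, log_name), uid, gid)
    sock = bind_privileged_port(port)
    drop_privileges(uid, gid)
    os.write(log_fd, b"started as root, now running as uid %d\n" % os.getuid())
    return sock, log_fd


if __name__ == "__main__":
    import pwd
    # Constructed assumptions: a "nobody" account and a root-owned, non
    # world-writable /var/log/example directory.
    pw = pwd.getpwnam("nobody")
    sock, log_fd = start_daemon(80, "/var/log/example", "daemon.log",
                                pw.pw_uid, pw.pw_gid)
    print("listening on", sock.getsockname(), "as uid", os.getuid())
```

Two details are easy to get wrong: calling setuid before setgid leaves the process unable to change its group (the call is refused once it is no longer root), and a plain setuid that leaves the saved uid at 0 can be reverted with a second setuid call, which is why the example verifies that setuid(0) now fails. Opening the log file before the drop also means the log directory need only be writable by root, whichever uid the daemon ends up running as.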
