[Mongrel] Bug in Configurator.change_privilege?

Jeremy Burks jeremy.burks at gmail.com
Mon Jul 30 16:10:26 EDT 2007


I have run across this same problem. Is there any chance this patch
will get committed?

Thanks.
- jeremy

On 6/4/07, Scott McNab <scott.mcnab at gmail.com> wrote:
> Hello.
>
> I have discovered that mongrel does not correctly take on all the
> groups of the requested user/group combination. It seems that while
> the specified user and group is correctly activated, all the other
> groups that are associated with this user are not enabled and the
> group permissions remain the same as the caller (i.e. root).
>
> This problem (and solution) is discussed in the Ruby Forum:
>
>   http://www.ruby-forum.com/topic/110492
>
> It seems that Process.initgroups needs to be called in order for the
> user's group permissions to be properly activated.
>
> I have a fix that involves making a slight addition to
> mongrel-1.0.1/lib/mongrel/configurator.rb as follows:
>
> --- configurator.rb.orig        2007-05-28 04:22:11.000000000 -0400
> +++ configurator.rb     2007-05-28 04:11:02.000000000 -0400
> @@ -55,6 +55,11 @@
>      # Change privilege of the process to specified user and group.
>      def change_privilege(user, group)
>        begin
> +        if group && user
> +          log "Initialising groups for {#user}:{#group}."
> +          Process.initgroups(user,Etc.getgrnam(group).gid)
> +        end
> +
>          if group
>            log "Changing group to #{group}."
>            Process::GID.change_privilege(Etc.getgrnam(group).gid)
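Review bot: the added log line writes its interpolation as `{#user}:{#group}`, so it will print those characters literally rather than the names; it should read `#{user}:#{group}`. The `if group && user` guard also means that a run given a user but no group never reaches Process.initgroups and keeps the caller's supplementary groups, so that case is worth handling too, for example by falling back to the primary gid from Etc.getpwnam(user).gid. Keeping the call ahead of the existing `if group` block is the right place for it, since it must run while the process is still privileged.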
>
> To confirm this is an appropriate fix, I took a look at the source for
> the linux coreutils 'su' command, which is very similar:
>
> /* Become the user and group(s) specified by PW.  */
>
> static void
> change_identity (const struct passwd *pw)
> {
> #ifdef HAVE_INITGROUPS
>   errno = 0;
>   if (initgroups (pw->pw_name, pw->pw_gid) == -1)
>     error (EXIT_FAIL, errno, _("cannot set groups"));
>   endgrent ();
> #endif
>   if (setgid (pw->pw_gid))
>     error (EXIT_FAIL, errno, _("cannot set group id"));
>   if (setuid (pw->pw_uid))
>     error (EXIT_FAIL, errno, _("cannot set user id"));
> }
>
> This patch seems to solve the problem for me - Can someone please
> review this for possible inclusion in the main mongrel source tree?
>
> Thanks,
> Scott
>
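The check below is an added example, not code from this thread or from Mongrel: it drops privileges in the order the quoted su code uses and then verifies that no group inherited from the caller is still held. The helper names (`expected_gids`, `audit_groups`, `drop_privileges`) and the sample gids are assumptions made for illustration.

```ruby
require 'etc'

# Gids `user` should hold according to the passwd and group databases:
# the primary gid plus every group that lists the user as a member.
def expected_gids(user)
  gids = [Etc.getpwnam(user).gid]
  Etc.group { |g| gids << g.gid if g.mem.include?(user) }
  gids.uniq.sort
end

# Pure comparison, so it can be exercised without root.
# :inherited = gids the process holds that the user should not have
# :missing   = gids the user should have that the process lacks
def audit_groups(held_gids, expected)
  { inherited: (held_gids - expected).sort,
    missing:   (expected - held_gids).sort }
end

# Drop from root to user/group: supplementary groups first, then gid,
# then uid. Raises if any gid of the caller is still held afterwards.
def drop_privileges(user, group)
  gid = Etc.getgrnam(group).gid
  uid = Etc.getpwnam(user).uid
  Process.initgroups(user, gid)        # must run while still root
  Process::GID.change_privilege(gid)
  Process::UID.change_privilege(uid)

  held = (Process.groups + [Process.egid]).uniq
  report = audit_groups(held, (expected_gids(user) + [gid]).uniq)
  unless report[:inherited].empty?
    raise "still holding gids #{report[:inherited].inspect}"
  end
  report
end

# Constructed sample: a process started by root (gid 0) that changed only its
# gid and uid to 1001, for a user who is also a member of group 2001.
SAMPLE_HELD     = [0, 1001].freeze
SAMPLE_EXPECTED = [1001, 2001].freeze

if __FILE__ == $PROGRAM_NAME
  p audit_groups(SAMPLE_HELD, SAMPLE_EXPECTED)
end
```

`drop_privileges` needs to be started as root; `audit_groups` can be run on any pair of gid lists, for instance ones collected from a running worker process.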

