[Mongrel] Bug in Configurator.change_privilege?

Scott McNab scott.mcnab at gmail.com
Mon Jun 4 09:01:54 EDT 2007


Hello.

I have discovered that mongrel does not correctly take on all the
groups of the requested user/group combination. It seems that while
the specified user and group are correctly activated, all the other
groups that are associated with this user are not enabled and the
group permissions remain the same as the caller (i.e. root).

This problem (and solution) is discussed in the Ruby Forum:

  http://www.ruby-forum.com/topic/110492

It seems that Process.initgroups needs to be called in order for the
user's group permissions to be properly activated.

I have a fix that involves making a slight addition to
mongrel-1.0.1/lib/mongrel/configurator.rb as follows:

--- configurator.rb.orig        2007-05-28 04:22:11.000000000 -0400
+++ configurator.rb     2007-05-28 04:11:02.000000000 -0400
@@ -55,6 +55,11 @@
     # Change privilege of the process to specified user and group.
     def change_privilege(user, group)
       begin
+        if group && user
+          log "Initialising groups for {#user}:{#group}."
+          Process.initgroups(user,Etc.getgrnam(group).gid)
+        end
+
         if group
           log "Changing group to #{group}."
           Process::GID.change_privilege(Etc.getgrnam(group).gid)
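
Review bot: The guard "if group && user" on the added block means Process.initgroups is skipped whenever only a user is configured, so in that case the process keeps the caller's supplementary groups, which is the condition this patch is meant to remove. Consider running it whenever user is set and falling back to the user's primary gid (Etc.getpwnam(user).gid) when group is nil. The added log string also has the interpolation markers reversed: "{#user}:{#group}" is printed literally and should read "#{user}:#{group}". A short comment noting that initgroups has to run before the uid change, while the process is still privileged, would help future readers keep the ordering intact.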

To confirm this is an appropriate fix, I took a look at the source for
the Linux coreutils 'su' command, which is very similar:

/* Become the user and group(s) specified by PW.  */

static void
change_identity (const struct passwd *pw)
{
#ifdef HAVE_INITGROUPS
  errno = 0;
  if (initgroups (pw->pw_name, pw->pw_gid) == -1)
    error (EXIT_FAIL, errno, _("cannot set groups"));
  endgrent ();
#endif
  if (setgid (pw->pw_gid))
    error (EXIT_FAIL, errno, _("cannot set group id"));
  if (setuid (pw->pw_uid))
    error (EXIT_FAIL, errno, _("cannot set user id"));
}

This patch seems to solve the problem for me. Can someone please
review this for possible inclusion in the main mongrel source tree?

Thanks,
Scott
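
Added example, not part of the original post or of Mongrel's code: a post-drop check that reports any supplementary gids the process still holds beyond those the target user is entitled to, together with a drop routine in the same order as the su excerpt above. The helper names, the Grp struct and the sample group table are constructed for illustration, and the check assumes the group database can be enumerated through Etc.group.

```ruby
require 'etc'

# Constructed stand-in for Etc::Group entries so the check runs offline.
Grp = Struct.new(:name, :gid, :mem)
SAMPLE_GROUPS = [
  Grp.new('root',    0,    []),
  Grp.new('adm',     4,    ['root']),
  Grp.new('disk',    6,    ['root']),
  Grp.new('mongrel', 1001, []),
  Grp.new('deploy',  1002, ['mongrel'])
].freeze

# Every group in the system database (used when no sample list is given).
def system_groups
  list = []
  Etc.group { |g| list << g }
  list
end

# Gids the process should hold after becoming `user` with primary `gid`:
# the primary gid plus each group that lists the user as a member.
def expected_gids(user, gid, groups = system_groups)
  ([gid] + groups.select { |g| g.mem.include?(user) }.map(&:gid)).uniq.sort
end

# Gids still held that the target user is not entitled to.
def leftover_gids(held, user, gid, groups = system_groups)
  (held - expected_gids(user, gid, groups)).sort
end

# Hypothetical helper: drop from root to user/group, then verify.
# Order matters: initgroups and the gid change need root, so the uid goes last.
def drop_privileges(user, group = nil)
  pw  = Etc.getpwnam(user)
  gid = group ? Etc.getgrnam(group).gid : pw.gid
  Process.initgroups(user, gid)
  Process::GID.change_privilege(gid)
  Process::UID.change_privilege(pw.uid)
  extra = leftover_gids(Process.groups, user, gid)
  raise "still holding gids #{extra.inspect}" unless extra.empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed case: root started the server with supplementary gids 0, 4, 6.
  p leftover_gids([0, 4, 6], 'mongrel', 1001, SAMPLE_GROUPS)     # without initgroups
  p leftover_gids([1001, 1002], 'mongrel', 1001, SAMPLE_GROUPS)  # with initgroups
end
```
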

