[Mongrel] Bug in Configurator.change_privilege?

Scott McNab scott.mcnab at gmail.com
Mon Jun 4 09:01:54 EDT 2007


I have discovered that mongrel does not correctly take on all the
groups of the requested user/group combination. It seems that while
the specified user and group are correctly activated, all the other
groups that are associated with this user are not enabled and the
group permissions remain the same as the caller (i.e. root).

This problem (and solution) is discussed in the Ruby Forum:


It seems that Process.initgroups needs to be called in order for the
user's group permissions to be properly activated.

I have a fix that involves making a slight addition to
mongrel-1.0.1/lib/mongrel/configurator.rb as follows:

--- configurator.rb.orig        2007-05-28 04:22:11.000000000 -0400
+++ configurator.rb     2007-05-28 04:11:02.000000000 -0400
@@ -55,6 +55,11 @@
     # Change privilege of the process to specified user and group.
     def change_privilege(user, group)
+        if group && user
+          log "Initialising groups for {#user}:{#group}."
+          Process.initgroups(user,Etc.getgrnam(group).gid)
+        end
         if group
           log "Changing group to #{group}."
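
Review bot: The added log line writes {#user}:{#group}, which Ruby does not interpolate, so the message will contain those characters literally; it should read #{user}:#{group}, matching the existing "Changing group to #{group}." line. Separately, the `if group && user` guard skips Process.initgroups when only a user is given, so the caller's supplementary groups would still be kept in that case; consider calling it whenever user is set and falling back to the user's primary gid, as the quoted su code does with pw->pw_gid.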

To confirm this is an appropriate fix, I took a look at the source for
the Linux coreutils 'su' command, which is very similar:

/* Become the user and group(s) specified by PW.  */

static void
change_identity (const struct passwd *pw)
{
  errno = 0;
  if (initgroups (pw->pw_name, pw->pw_gid) == -1)
    error (EXIT_FAIL, errno, _("cannot set groups"));
  endgrent ();
  if (setgid (pw->pw_gid))
    error (EXIT_FAIL, errno, _("cannot set group id"));
  if (setuid (pw->pw_uid))
    error (EXIT_FAIL, errno, _("cannot set user id"));
}

This patch seems to solve the problem for me - Can someone please
review this for possible inclusion in the main mongrel source tree?
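
Added example, not part of the original post and not Mongrel's code: a Ruby sketch of the initgroups, setgid, setuid order from the su code above, followed by a check that no groups of the caller remain. The names `expected_gids`, `stale_gids`, `drop_privileges` and the sample group database are hypothetical and constructed for illustration.

```ruby
require 'etc'

# Gids `user` is entitled to: the primary gid plus every group that lists the
# user as a member. `groups` is any list of objects with #gid and #mem.
def expected_gids(user, primary_gid, groups)
  extra = groups.select { |g| g.mem.include?(user) }.map(&:gid)
  ([primary_gid] + extra).uniq.sort
end

# Gids the process holds that the user is not entitled to, such as the
# caller's (root's) groups left behind when initgroups was skipped.
def stale_gids(actual, expected)
  (actual - expected).uniq.sort
end

# Hypothetical helper, not Mongrel's API. Must be called as root. Assumes the
# group database can be enumerated with Etc.group.
def drop_privileges(user, group)
  pw  = Etc.getpwnam(user)
  gid = group ? Etc.getgrnam(group).gid : pw.gid
  db  = []
  Etc.group { |g| db << g }              # snapshot before dropping
  Process.initgroups(user, gid)          # supplementary groups first
  Process::GID.change_privilege(gid)     # then the primary group
  Process::UID.change_privilege(pw.uid)  # user last: cannot be undone
  stale = stale_gids(Process.groups, expected_gids(user, gid, db))
  raise "still in groups #{stale.inspect}" unless stale.empty?
end

# Constructed sample group database (not taken from any real system).
SampleGroup = Struct.new(:name, :gid, :mem)
SAMPLE_DB = [
  SampleGroup.new('root',     0,    []),
  SampleGroup.new('mongrel',  1001, []),
  SampleGroup.new('www-data', 33,   ['mongrel']),
  SampleGroup.new('deploy',   1002, %w[mongrel alice])
].freeze

if __FILE__ == $PROGRAM_NAME
  want = expected_gids('mongrel', 1001, SAMPLE_DB)
  # Without initgroups the process keeps root's group 0 and gains none of its own.
  puts "expected #{want.inspect}, stale #{stale_gids([0, 1001], want).inspect}"
end
```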

