[Mongrel] mongrel service security needs on Win2k3

Luis Lavena luislavena at gmail.com
Tue Jun 12 11:52:26 EDT 2007


On 6/12/07, Matthew McKnight <matt.mcknight at gmail.com> wrote:
> Hello all,
>
> I have mongrel service 0.3.2 running on Win2003 64-bit, special thanks to
> Luis for getting that running. You are a great asset!
>

Good to know it's working ;-)

> I am trying to figure out exactly what rights are needed by the account that
> is running the service. It works if I give it a domain account with local
> admin privileges, but it doesn't work if I give it a domain account without
> local admin.  I was tracing things and it looked like it was checking for
> access to the system32 directory and the ntdll.dll file. I gave the account
> modify access to system32, but no dice. No errors in the mongrel_service.log
> or servicefb.log.
>

This is often called the LUA bug [1].

> My security guy is wanting me to trace through the code to see what it's
> touching, he's not going to let the service account run with local admin
> privileges for long.
>

I will suggest you take a look at the link I just passed as reference
([1]) and also perform some testing with psexec [2] with the -l option
(privileges-stripped mode).

Do "mongrel_rails start" in the new console window. If everything
worked, then perform the same with "mongrel_service" in console mode,
which will emulate running as a service, perform the same actions, and
log everything in the expected log files (please clear them first).

I guess I'm starting to repeat myself too often on this topic, so
something could be documented and added to the DOCs (patches with this are
welcome ;-)

[3] and [4] are useful threads that contain information about
tracking down the problem.

> For reference, I can run the thing under srvany.exe without local admin
> rights, and it runs just fine. But that solution is unacceptable because it
> doesn't kill the processes, making me do my own imitation of mongrel service
> and write down the process ids of the processes as they start up, so I know
> which service goes with which process when I try to have an orderly
> shutdown. I only have about 8 mongrels running on the server, but it's an 8
> core beasty, so I am looking to add more once I get this straight.
>

mongrel_service isn't doing anything out of the usual; even getting
information about its "host" process is safe inside the Local Service
account (not even admin).

I know the srvany pain. That's why I created mongrel_service. Orphaned
processes are like FastCGI ones, which doesn't seem quite right, even on
a Windows environment ;-)

Hope this information helps,

[1] http://blogs.msdn.com/aaron_margosis/archive/2006/02/06/525455.aspx
[2] http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
[3] http://rubyforge.org/pipermail/mongrel-users/2007-March/003364.html
[4] http://rubyforge.org/pipermail/mongrel-users/2007-February/003006.html

-- 
Luis Lavena
Multimedia systems
-
Leaders are made, they are not born. They are made by hard effort,
which is the price which all of us must pay to achieve any goal that
is worthwhile.
Vince Lombardi
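The advice above is to reproduce the failure under a privilege-stripped account (psexec -l) rather than guessing at ACLs. As an added example, not from this thread or the Mongrel project, here is a small Ruby check that can be run that way to list which application directories the candidate service account cannot use; the directory table is an assumption about a typical Rails layout and should be adjusted for your deployment.

```ruby
require 'tempfile'

# Directories a Rails app served by Mongrel needs, relative to the app root,
# and the access the service account must have on each. This table is an
# assumption about a typical layout; extend it for your own deployment.
REQUIRED_PATHS = {
  'log'    => :write,  # mongrel.<port>.log and mongrel.pid live here
  'tmp'    => :write,  # session and cache files
  'public' => :read,
  'config' => :read,
  'app'    => :read,
}

# Probe one directory for the access we need. Returns :ok, :missing or
# :denied. For :write we really create and remove a scratch file instead of
# trusting File.writable?, because stat-based predicates do not reflect
# Windows ACLs reliably and a silent EACCES is exactly the LUA symptom.
def probe(dir, mode)
  return :missing unless File.directory?(dir)
  case mode
  when :read
    File.readable?(dir) ? :ok : :denied
  when :write
    begin
      f = Tempfile.new('lua_probe', dir)
      f.close
      f.unlink
      :ok
    rescue SystemCallError
      :denied
    end
  end
end

# Probe every required path under +root+; returns e.g. { 'log' => :ok, ... }.
def lua_preflight(root)
  REQUIRED_PATHS.each_with_object({}) do |(rel, mode), result|
    result[rel] = probe(File.join(root, rel), mode)
  end
end

# Usage: psexec -l ruby lua_preflight.rb C:\path\to\app (path is a placeholder)
if __FILE__ == $0
  root = ARGV[0] || Dir.pwd
  lua_preflight(root).each { |rel, status| puts format('%-8s %s', rel, status) }
end
```

Any :denied or :missing line names a directory to grant to the service account (or to create) before retrying mongrel_service without local admin.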

