Changing Process#uid while staying with $SAFE=0

[benny]

Dear List,

a have written a daemon that should finally run as a different user than
root. However I need to initially start as root to get DRb running and want
to switch the uid of the process after that.

When I change the uid $SAFE is set to 1. But I need $SAFE to be 0.

Any idea that I might do? (Running FreeBSD btw.)


Regards,

benny

 

[Joel VanderWerf]

Dear List,

a have written a daemon that should finally run as a different user than
root. However I need to initially start as root to get DRb running and want
to switch the uid of the process after that.

When I change the uid $SAFE is set to 1. But I need $SAFE to be 0.

Any idea that I might do? (Running FreeBSD btw.)

Have another thread with $SAFE=0 that exists just to call Process.uid= .
($SAFE is a per-thread variable.) Set this thread up before changing to
$SAFE=1, like this:

# cat safe.rb
Thread.abort_on_exception = true

uid_thread = Thread.new do
# still $SAFE==0
sleep # wait for wakeup
puts "in uid_thread: $SAFE = #{$SAFE}"
Process.uid=1000
end

$SAFE = 1
puts "in main thread: $SAFE = #{$SAFE}"

uid_thread.wakeup
uid_thread.join

puts "uid = #{Process.uid}"

# ruby safe.rb
in main thread: $SAFE = 1
in uid_thread: $SAFE = 0
uid = 1000

 

[benny]

Hi Joel,

I am not sure if it does what I want to:
its a daemon and its gonna create files, execute shell commands etc.
everything should be done being (at the same time) user xyz and having
$SAVE=0 to be able to do everything.
so the change of the uid should happen before the commands are executed
(I guess that would be in the new thread of your example). I only need to be
root once ( to run DRb), after that everything should happen as user xyz
while being not safe.

hopefully thats more clear now

maybe I could do this with calling a new ruby process, i.e.

# cat test.rb
class MyDaemon
def initialize()
@mainscript = IO.popen("/usr/bin/su newuser -c mymainscript.rb", "r+")
end

def run( obj )
@mainscript.puts( obj )
@mainscript.flush
return @mainscript.gets
end
end

$my_daemon = MyDaemon.new
DRb.start_service("druby://127.0.0.1:22227", $my_daemon)
DRb.thread.join

but I am not sure if this will work reliable (mymainscript.rb should be a
persistent process so continously the data should be exchanged between
@mainscript and DRb-daemon). and I find it ugly alsoso if there is a simple
and reliable solution...

benny