Reducing Permissions


Jon Raphaelson

Is there a way to programmatically reduce permissions that doesn't involve
`su -l #{config.name}`? I need the server started as root so that it
can do a chroot, but then I don't want it executing as root, but as a
special user created for the purpose. Also, I'm hoping that there is
something already done that's cross-platform(ish).

Any ideas? Thanks!

Jon
 

James Edward Gray II

> Is there a way to programmatically reduce permissions that doesn't
> involve `su -l #{config.name}`? I need the server started as root so
> that it can do a chroot, but then I don't want it executing as root,
> but as a special user created for the purpose. Also, I'm hoping that
> there is something already done that's cross-platform(ish).
>
> Any ideas? Thanks!

Not really the answer you asked for, but I just use Dir#chroot to
isolate a process like that. Hope that helps.

James Edward Gray II
 

Saynatkari

Le 3/4/2005 said:
> Is there a way to programmatically reduce permissions that doesn't involve
> `su -l #{config.name}`? I need the server started as root so that it
> can do a chroot, but then I don't want it executing as root, but as a
> special user created for the purpose. Also, I'm hoping that there is
> something already done that's cross-platform(ish).

You probably want a wrapper script to do the chroot (Dir#chroot)
and then su to start the application.

> Any ideas? Thanks!
>
> Jon

E

No-one expects the Solaris POSIX implementation!
 

Andre Nathan

Jon Raphaelson said:
> Is there a way to programmatically reduce permissions [...]
> Any ideas? Thanks!

I use this in one of my projects:

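    require 'etc'

    def drop_privileges(user='nobody')
      pw = Etc::getpwnam(user)
      begin
        # Confine the process to the user's home directory
        Dir.chdir(pw.dir)
        Dir.chroot(pw.dir)
        Dir.chdir('/')
      rescue => e
        warn "Cannot chroot to #{pw.dir}: #{e}"
        exit 1
      end

      # Set supplementary groups while still root. This runs after the
      # chroot, so the group database is read from inside the new root.
      Process::initgroups(user, pw.gid)
      begin
        # Group first, then user: once the uid is dropped the gid can
        # no longer be changed
        Process::Sys::setresgid(pw.gid, pw.gid, pw.gid)
        Process::Sys::setresuid(pw.uid, pw.uid, pw.uid)
      rescue NotImplementedError
        # Try something portable... might not be as secure though
        Process::Sys::setegid(pw.gid)
        Process::Sys::setgid(pw.gid)
        Process::Sys::setuid(pw.uid)
      rescue => e
        warn "Cannot drop privileges: #{e}"
        exit 1
      end
    end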

Tested on *BSD and linux. At least NetBSD doesn't implement the
setres* system calls (which aren't defined by POSIX), so I added the
rescue for NotImplementedError.

HTH,
Andre
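
A self-check to run right after a routine like drop_privileges above, as an added example that is not part of Andre's post. It confirms that the real and effective ids changed, that no unexpected supplementary groups remain, and that root cannot be regained. The name privilege_drop_problems and its arguments are illustrative.

```ruby
# Added example: returns a list of problems found after a privilege drop.
# An empty list means the process runs as uid/gid and cannot get root back.
# `groups` is the supplementary group list the caller expects to remain.
def privilege_drop_problems(uid, gid, groups = [gid])
  problems = []
  problems << 'target uid is 0 (still root)' if uid.zero?

  ids = { 'uid'  => [Process.uid, uid],  'euid' => [Process.euid, uid],
          'gid'  => [Process.gid, gid],  'egid' => [Process.egid, gid] }
  ids.each do |name, (actual, wanted)|
    problems << "#{name} is #{actual}, expected #{wanted}" unless actual == wanted
  end

  extra = Process.groups - groups
  problems << "unexpected supplementary groups: #{extra.inspect}" unless extra.empty?

  # A leftover saved uid or gid of 0 lets the process switch back, so try it.
  unless uid.zero?
    begin
      Process::Sys.setuid(0)
      problems << 'regained uid 0 via setuid(0)'
    rescue SystemCallError, NotImplementedError
      # Expected: the kernel refused
    end
  end
  unless gid.zero?
    begin
      Process::Sys.setgid(0)
      problems << 'regained gid 0 via setgid(0)'
    rescue SystemCallError, NotImplementedError
      # Expected: the kernel refused
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: check the current process against its own ids.
  # In a server, pass pw.uid and pw.gid after the drop and abort unless empty.
  found = privilege_drop_problems(Process.uid, Process.gid, Process.groups)
  puts found.empty? ? 'privileges dropped' : found
end
```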
 
