[Rack] Baron Security
Michael C. Toren
mct at toren.net
Tue Jan 22 20:23:28 UTC 2013
On Tue, Jan 22, 2013 at 12:01:01PM -0800, Michael C. Toren wrote:
> (We could write a silly little C program to run as root that would call
> setgid(), setgroups(), and setuid() before exec()ing baron, but I suspect
> there's some standard-ish utility that does this already which we could
> utilize.)

I changed /etc/init/baron.conf to:

    # Use su(1) to set our desired UID/GID rather than upstart's setuid/setgid
    # stanzas, because upstart only sets the primary groups, ignoring all of the
    # supplementary groups. We need the baron process to be a member of both the
    # barons group to read the codes.txt file, and the dialout group to read
    # from the TTY.
    setuid root
    exec su -c 'exec /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log' baron

This works. But because su does a fork() before exec(), there are two
processes in the process group:

    baron 11460 0.3 0.0 70824 2016 ? Ss 12:16 0:00 su -c exec /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log baron
    baron 11467 6.3 0.4 46040 9600 ? S 12:16 0:00 \_ /usr/bin/python /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log

There doesn't seem to be any negative impact of this, though, and upstart
is still able to stop/restart the service just fine.

-mct
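
Added example, not part of the original message and not code from this list: a sketch of the small root-run C wrapper the quoted text describes, which sets the supplementary groups, then the GID, then the UID, before exec()ing the target. The function name drop_to() and the "user command [args...]" argument form are assumptions made for this illustration; initgroups() is used because it calls setgroups() with the user's groups from the group database.

```c
/* Added example (hypothetical wrapper, not the list's code). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes initgroups() in glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Become `user` with its primary AND supplementary groups.
 * Returns 0 on success, -1 on any failure. */
int drop_to(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;                      /* unknown user, or not a drop */

    /* Groups first: after setuid() we no longer have the privilege
     * to change them. initgroups() calls setgroups() with every group
     * in the group database that lists this user. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;

    /* Check the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user command [args...]\n", argv[0]);
        return 2;
    }
    if (drop_to(argv[1]) != 0) {
        fprintf(stderr, "%s: cannot drop privileges to %s\n", argv[0], argv[1]);
        return 1;
    }
    execvp(argv[2], &argv[2]);          /* no fork(): one process remains */
    perror("execvp");
    return 127;
}
```

Every return value is checked because a setuid() or setgid() call that fails silently would leave the service running as root.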