[Rack] Baron Security
Michael C. Toren
mct at toren.net
Tue Jan 22 20:01:01 UTC 2013
On Tue, Jan 22, 2013 at 11:40:13AM -0800, Jonathan Lassoff wrote:
> I think that user "baron" should have access to this by being in the
> "dialout" group.
>
> `--> id baron
> uid=31516(baron) gid=100(users) groups=100(users),20(dialout),124(barons)
>
> `--> ls -l /dev/ttyS5
> crw-rw---- 1 root dialout 4, 69 Jan 22 11:37 /dev/ttyS5

The baron process isn't in the dialout group, though. upstart needs to
call setgroups() to add it to the supplementary groups before dropping root
privileges. Unfortunately, it looks like upstart lacks that capability:

https://bugs.launchpad.net/upstart/+bug/812870

(We could write a silly little C program to run as root that would call
setgid(), setgroups(), and setuid() before exec()ing baron, but I suspect
there's some standard-ish utility that does this already which we could
utilize.)

-mct
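
The wrapper described in the message above, as an added example that is not part of the original post or of any project it mentions. The names `lookup_ids`, `drop_to_user`, `MAX_GROUPS` and the `dropexec` command name are hypothetical, and `getgrouplist()` is assumed to be available (glibc and the BSDs provide it).

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_GROUPS 256   /* hypothetical upper bound for this example */

/* Look up uid, primary gid and supplementary groups for `user`.
 * Returns the number of groups written to `groups`, or -1 on error. */
int lookup_ids(const char *user, uid_t *uid, gid_t *gid, gid_t *groups, int max)
{
    struct passwd *pw = getpwnam(user);
    int n = max;
    if (pw == NULL) return -1;                       /* unknown user */
    if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &n) == -1)
        return -1;                                   /* more than `max` groups */
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return n;
}

/* Drop from root to `user`. setgid() and setgroups() need root, so they
 * run first and setuid() runs last. Returns 0 on success, -1 on failure. */
int drop_to_user(const char *user)
{
    uid_t uid;
    gid_t gid, groups[MAX_GROUPS];
    int n = lookup_ids(user, &uid, &gid, groups, MAX_GROUPS);
    if (n < 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setgroups((size_t)n, groups) != 0) return -1; /* e.g. adds dialout */
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;        /* drop must be permanent */
    return 0;
}

/* Usage (as root): dropexec USER COMMAND [ARGS...] */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user command [args...]\n", argv[0]);
        return 2;
    }
    if (drop_to_user(argv[1]) != 0) {
        fprintf(stderr, "cannot drop privileges to %s\n", argv[1]);
        return 1;                                     /* never exec as root */
    }
    execvp(argv[2], &argv[2]);
    perror("execvp");
    return 127;
}
```

Every return value is checked because a failed `setgroups()` or `setuid()` that goes unnoticed would leave the exec'd program with root's groups or uid.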