[Rack] Baron Security

[Michael C. Toren]

On Tue, Jan 22, 2013 at 12:01:01PM -0800, Michael C. Toren wrote:
> (We could write a silly little C program to run as root that would call
> setgid(), setgroups(), and setuid() before exec()ing baron, but I suspect
> there's some standard-ish utility that does this already which we could
> utilize.)

I changed /etc/init/baron.conf to:

	# Use su(1) to set our desired UID/GID rather than upstart's setuid/setgid
	# stanzas, because upstart only sets the primary groups, ignoring all of the
	# supplementary groups.  We need the baron process to be a member of both the
	# barons group to read the codes.txt file, the dialout group to read from the
	# TTY.
	setuid root
	exec su -c 'exec /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log' baron

This works. But because su does a fork() before exec(), there are two
processes in the process group:

	baron    11460  0.3  0.0  70824  2016 ?        Ss   12:16   0:00 su -c exec /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log baron
	baron    11467  6.3  0.4  46040  9600 ?        S    12:16   0:00  \_ /usr/bin/python /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log

There doesn't seem to be any negative impact of this, though, and upstart
is still able to stop/restart the service just fine.

-mct