[Twisted-Python] twistd --uid and --logfile
Phil Mayers
p.mayers at imperial.ac.uk
Thu Aug 19 00:22:37 MDT 2010
On 08/18/2010 05:01 PM, exarkun at twistedmatrix.com wrote:
> On 03:35 pm, p.mayers at imperial.ac.uk wrote:
>> On 18/08/10 10:25, twisted-web at udmvt.ru wrote:
>>> I think --uid option is too dangerous.
>>> sudo or su or setuidgid (from http://cr.yp.to/daemontools.html) is
>>> more appropriate for changing uids.
>>
>> In all cases? I think not.
>
> Making the directory world writeable is certainly insane and dangerous.
> But in the case where the directory is only writeable by the user the
> daemon is going to run as, and access to that user is restricted, I
> don't see a problem.
I'm not sure which message you're replying to here. I don't disagree
with you.
I was stating that I didn't think external tools such as "su" were *in
all cases* appropriate for changing uid.
>> What about a daemon that needs to listen on ports <1024?
>
> For this case, I would very strongly recommend authbind instead. And I
I'd never heard of authbind. It has some unfortunate limitations (IPv4
only, no ports 512-1023) but is an interesting approach.
I wonder whether one could do something with SELinux today? (As an
aside, one of the reasons to *not* use twistd is you can't separately
label a .tac file - if of course you want to use SELinux)
> think this covers 99% of cases where you would otherwise need to start
> up as root. For the remaining small number of cases, being able to
> start as root and then shed privileges is definitely more convenient
> than other approaches (although quite possibly inferior to them in all
> other regards).
Sure; that's what I was getting at.
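The "start as root, bind the low port, then shed privileges" pattern this thread is weighing against su/setuidgid/authbind, together with the log-directory condition from the quoted reply (writeable only by the daemon user, never world-writeable), as an added Python example that is neither part of the original post nor Twisted's own twistd code. The user name "nobody", the helper names and the constructed temporary directories are assumptions for illustration.

```python
"""Bind-then-drop-privileges pattern with a log-directory ownership check.

Added example; not twistd's implementation. Unix only (uses pwd/setuid).
"""
import os
import pwd
import socket
import stat


def logdir_is_safe(path, uid):
    """Return True only if `path` is a directory owned by `uid` and is not
    writable by group or others: the "only writeable by the user the daemon
    is going to run as" condition from the discussion. A world-writable log
    directory lets any local user plant or replace the log file."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def bind_listen_socket(port, host="0.0.0.0"):
    """Bind a listening socket while still privileged (required for ports
    below 1024). The open file descriptor survives the later uid change,
    which is what makes shedding privileges afterwards workable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def drop_privileges(user):
    """Switch irrevocably to `user`. Order matters: supplementary groups and
    the primary gid must be set before the uid, because once the uid is
    unprivileged, setgroups/setgid are no longer permitted. Must be root."""
    pw = pwd.getpwnam(user)
    uid, gid = pw.pw_uid, pw.pw_gid
    os.setgroups(os.getgrouplist(user, gid))
    os.setgid(gid)
    os.setuid(uid)
    # Verify the drop is irreversible: regaining root must now fail.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop was not irreversible")
    return os.getuid() == uid and os.getgid() == gid


def demo_logdir_checks():
    """Constructed self-check: build temporary directories with different
    permissions and report what logdir_is_safe says about each."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as base:
        me = os.getuid()
        owner_only = os.path.join(base, "owner_only")
        os.mkdir(owner_only, 0o700)
        os.chmod(owner_only, 0o700)  # mkdir honours umask; set mode explicitly
        world_writable = os.path.join(base, "world_writable")
        os.mkdir(world_writable)
        os.chmod(world_writable, 0o777)  # the "insane and dangerous" case
        plain_file = os.path.join(base, "not_a_dir")
        open(plain_file, "w").close()
        results["owner_only"] = logdir_is_safe(owner_only, me)
        results["world_writable"] = logdir_is_safe(world_writable, me)
        results["not_a_dir"] = logdir_is_safe(plain_file, me)
        results["wrong_owner"] = logdir_is_safe(owner_only, me + 1)
    return results


if __name__ == "__main__":
    # Port 0 so the demo runs unprivileged; a real daemon would bind e.g. 80 here.
    sock = bind_listen_socket(0, "127.0.0.1")
    print("listening on", sock.getsockname())
    if os.getuid() == 0:
        drop_privileges("nobody")  # assumed account; adjust for your system
        print("now running as uid", os.getuid())
    print(demo_logdir_checks())
```

The socket is bound before the uid change and the log directory is checked against the target uid, so a misconfigured directory is rejected before the daemon starts writing to it rather than discovered later.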