[Twisted-Python] Application process uid/gid

Jean-Paul Calderone exarkun at divmod.com
Mon Apr 28 06:46:57 MDT 2008


On Mon, 28 Apr 2008 09:38:00 -0300, Miguel Filho <miguel.filho at gmail.com> wrote:
>Hello list,
>
>The code:
>===============================
> [snip]
>application = service.Application('apolicy', uid=user[2], gid=user[3])
>serviceCollection = service.IServiceCollection(application)
>
>address, port = config.get("main", "listen").split(":")
>
>internet.TCPServer(int(port), ACLPolicyDaemonFactory(),
>interface=address).setServiceParent(serviceCollection)
>===============================
>
>I'm using twistd to start my daemon, the process starts normally and
>the owner is the user nobody.
>
># ps uaxf | grep nobody
>nobody   29052  0.1  0.6  13140  6440 ?        S    09:11   0:01
>/usr/bin/python /usr/bin/twistd -y
>/usr/lib/python2.4/site-packages/apolicy/server.py -q --logfile
>/var/log/twistd.log --pidfile=/var/run/twistd.pid
>
>My class ACLPolicyDaemonFactory() tries to write a file to test if the
>path given to my application is writable and has no problems, but the
>file is created as root. What is the point where the process is
>already running as nobody?

Privileges aren't shed immediately when Application is created.  They're
shed after privilegedStartService and before startService.  You should
delay any potentially sensitive operations until startService (i.e., don't
do them in ACLPolicyDaemonFactory.__init__ which is when I assume you
meant you were opening that file).

Jean-Paul



