On Wed, Feb 13, 2013 at 09:23:42PM -0800, Jorge Gallegos wrote:
> On Tue, Mar 06, 2012 at 04:23:25PM +0000, Sigurd Høgsbro wrote:
> > Ran into a file permission problem whilst trying to set up Trac (0.12.3) on a
> > Linux box (Ubuntu Lucid 10.04) with TracGit plugin to run under uWSGI (1.0.4),
> > with the Git repos managed by Gitolite. Gitolite runs under git:git,
> > uWSGI/Trac runs under trac:trac. The trac user is a member of the git group,
> > and I've verified that I can read the Git control-files as the trac user
> > (after a 'su - trac').
> >
> > When running the Trac code under uWSGI, TracGit complains that it cannot read
> > the repo control files. Running the same code under tracd (in HTTP mode), it
> > works. I added some trace in PyGit.py, and found that when run under uWSGI,
> > the uid/gid is set correctly but the supplementary group list is empty. I
> > eventually found this was caused by the call in utils.c:577 to
> > setgroups(0, NULL), after the call to setgid().
> >
> > After some Googling I found the correct solution is calling initgroups(3)
> > instead of calling setgroups(2) - see links below for details.
> >
> > • [1]http://www.gnu.org/software/libc/manual/html_node/Setting-Groups.html
> > • [2]http://stackoverflow.com/questions/1489579/linux-id-no-squash-root
> > • [3]http://www.palecrow.com/chroot-jail-paper.html
> > • [4]http://code.google.com/p/modwsgi/source/browse/mod_wsgi/mod_wsgi.c#10197
> >
> > Note: There are calls to setgroups() in both utils.c and emperor.c. I only
> > tested this in utils.c.
>
> So I am not sure why this bug didn't get more attention. Currently I am
> hitting this same bug (well, not me, but a fedora user), check this
> comment:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=901936#c2
>
To be clear, this appears to be when using emperor in tyrant mode.
> tl;dr uwsgi is unable to properly drop privileges when in emperor mode.
> This is with uwsgi 1.2.6 but I just downloaded 1.4.5 and sure enough the
> same code still exists and, arguably, the bug is there. Is this really
> the issue or am I missing something here? a really simple patch was
> provided by Sigurd which I can use to test in a bit, but wondering if
> anyone else has hit this same bug.
>
> >
> > Testing was done on my Ubuntu 10.04 box, and results in the correct
> > supplementary groups being available (and TracGit works).
> >
> > Regards,
> >
> > Sigurd
> >
> > diff -p:
> > *** utils.c 2012-02-13 18:26:37.000000000 +0100
> > --- ../utils.c 2012-03-06 17:09:05.222275998 +0100
> > *************** void uwsgi_as_root() {
> > *** 573,580 ****
> > uwsgi_error("setgid()");
> > exit(1);
> > }
> > ! if (setgroups(0, NULL)) {
> > ! uwsgi_error("setgroups()");
> > exit(1);
> > }
> > }
> > --- 573,580 ----
> > uwsgi_error("setgid()");
> > exit(1);
> > }
> > ! if (initgroups(uwsgi.uidname, uwsgi.gid)) {
> > ! uwsgi_error("initgroups()");
> > exit(1);
> > }
> > }
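Review bot: the replacement call initgroups(uwsgi.uidname, uwsgi.gid) in the changed lines of uwsgi_as_root() passes uwsgi.uidname with nothing in the hunk showing that it is non-NULL. If the uid can be configured without a name, guard the pointer: resolve the name with getpwuid() and fall back to the old setgroups(0, NULL) when there is no passwd entry. The swap is also a behaviour change for every deployment, since the process now keeps whatever supplementary groups the account database lists instead of none, so it deserves a line in the documentation or an option that keeps the strict behaviour. Per the message, the same setgroups() call in emperor.c is left untouched, which matters because the report above involves the emperor.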
> >
> >
> > References:
> >
> > [1] http://www.gnu.org/software/libc/manual/html_node/Setting-Groups.html
> > [2] http://stackoverflow.com/questions/1489579/linux-id-no-squash-root
> > [3] http://www.palecrow.com/chroot-jail-paper.html
> > [4] http://code.google.com/p/modwsgi/source/browse/mod_wsgi/mod_wsgi.c#10197
>
> > _______________________________________________
> > uWSGI mailing list
> > [email protected]
> > http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi
>
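The difference discussed in this thread can be checked from inside a process. The following is an added example, not code from the thread or from uWSGI: it compares the groups the account database grants a user (what `initgroups(3)` would install) with what the process actually holds, and shows a drop sequence that keeps them. The function names and the gids 1001 (trac) and 1002 (git) are constructed for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256

/* Number of gids in want[] that are absent from have[]. */
int count_missing(const gid_t *want, int nwant, const gid_t *have, int nhave) {
    int missing = 0;
    for (int i = 0; i < nwant; i++) {
        int found = 0;
        for (int j = 0; j < nhave && !found; j++)
            found = (want[i] == have[j]);
        missing += !found;
    }
    return missing;
}

/* Groups the account database lists for `user` (hypothetical helper) versus
 * the groups this process holds. Returns the count missing, -1 on error. */
int audit_groups(const char *user, gid_t gid) {
    gid_t want[MAX_GROUPS], have[MAX_GROUPS + 1];
    int nwant = MAX_GROUPS;
    if (getgrouplist(user, gid, want, &nwant) < 0) return -1;
    int nhave = getgroups(MAX_GROUPS, have);
    if (nhave < 0) return -1;
    have[nhave++] = getegid(); /* egid need not appear in getgroups() */
    return count_missing(want, nwant, have, nhave);
}

/* Drop from root to `user`: supplementary groups, then gid, then uid,
 * every call checked, then verify the result. Needs root to succeed. */
int drop_to_user(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    uid_t uid = pw->pw_uid; gid_t gid = pw->pw_gid;
    if (initgroups(user, gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return audit_groups(user, gid);
}

int main(void) {
    /* Constructed case: setgid(trac) followed by setgroups(0, NULL). */
    gid_t want[] = {1001, 1002}, held[] = {1001};
    printf("groups missing: %d\n", count_missing(want, 2, held, 1));
    return 0;
}
```

A non-zero result from `audit_groups()` in a worker is the symptom reported above: the uid and gid are right, but group-readable files owned by another account's group are out of reach.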
