authorChris St. Pierre <chris.a.st.pierre@gmail.com>2012-09-25 16:56:08 -0400
committerChris St. Pierre <chris.a.st.pierre@gmail.com>2012-10-04 07:29:17 -0400
commita4e78fbed539e83b639dd22b0662554c9e837e23 (patch)
treea766aaa1bf6b015afceea3865fee42ba995550e5 /src
parentd33b0a4dac9842af98662b78a8b37620c622ecbf (diff)
drop privs options added, works in CherryPy
Diffstat (limited to 'src')
-rw-r--r--src/lib/Bcfg2/Options.py34
-rw-r--r--src/lib/Bcfg2/Server/BuiltinCore.py4
-rw-r--r--src/lib/Bcfg2/Server/CherryPyCore.py4
3 files changed, 39 insertions, 3 deletions
diff --git a/src/lib/Bcfg2/Options.py b/src/lib/Bcfg2/Options.py
index a436472e1..4fda79dfb 100644
--- a/src/lib/Bcfg2/Options.py
+++ b/src/lib/Bcfg2/Options.py
@@ -7,6 +7,8 @@ import os
import re
import shlex
import sys
+import grp
+import pwd
import Bcfg2.Client.Tools
from Bcfg2.Compat import ConfigParser
from Bcfg2.version import __version__
@@ -332,6 +334,24 @@ def get_bool(val):
raise ValueError
+def get_gid(val):
+ """ This takes a group name or gid and returns the corresponding
+ gid. """
+ try:
+ return int(val)
+ except ValueError:
+ return int(grp.getgrnam(val)[2])
+
+
+def get_uid(val):
+ """ This takes a group name or gid and returns the corresponding
+ gid. """
+ try:
+ return int(val)
+ except ValueError:
+ return int(pwd.getpwnam(val)[2])
+
+
# Options accepts keyword argument list with the following values:
# default: default value for the option
# cmd: command line switch
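Review bot: The docstring on `get_uid` was copied from `get_gid` and still says "group name or gid"; it should read `""" This takes a user name or uid and returns the corresponding uid. """`. Both helpers also let the `KeyError` from `grp.getgrnam` / `pwd.getpwnam` escape for an unknown name, while the `raise ValueError` visible at the top of the hunk suggests the other cook functions signal bad input with `ValueError`. Refusing to start is the right outcome for a privilege-drop target, but a message such as `raise ValueError("unknown user: %s" % val)` would tell the operator which setting is wrong. Numeric input is accepted without a range check, so a negative value passes `int(val)`; rejecting `< 0` here would keep odd ids away from the setuid/setgid calls.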
@@ -522,6 +542,16 @@ SERVER_BACKEND = \
Option('Server Backend',
default='best',
cf=('server', 'backend'))
+SERVER_DAEMON_USER = \
+ Option('User to run the server daemon as',
+ default=0,
+ cf=('server', 'user'),
+ cook=get_uid)
+SERVER_DAEMON_GROUP = \
+ Option('Group to run the server daemon as',
+ default=0,
+ cf=('server', 'group'),
+ cook=get_gid)
# database options
DB_ENGINE = \
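Review bot: `default=0` on `SERVER_DAEMON_USER` and `SERVER_DAEMON_GROUP` makes the privilege drop opt-in: unless `[server] user` and `group` are set, a server started as root keeps running as root, and nothing in the option text says so. The two core hunks later in this commit pass these values unconditionally, so a server started from an unprivileged account would presumably be asked to switch to uid/gid 0 and fail. Defaulting to the current ids, `default=os.getuid()` and `default=os.getgid()` (`os` is already imported per the first hunk header), would leave existing setups unchanged in both cases. The help strings could also state that the value may be a name or a numeric id.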
@@ -1000,7 +1030,9 @@ CLI_COMMON_OPTIONS = dict(configfile=CFILE,
syslog=LOGGING_SYSLOG)
DAEMON_COMMON_OPTIONS = dict(daemon=DAEMON,
- listen_all=SERVER_LISTEN_ALL)
+ listen_all=SERVER_LISTEN_ALL,
+ daemon_uid=SERVER_DAEMON_USER,
+ daemon_gid=SERVER_DAEMON_GROUP)
SERVER_COMMON_OPTIONS = dict(repo=SERVER_REPOSITORY,
plugins=SERVER_PLUGINS,
diff --git a/src/lib/Bcfg2/Server/BuiltinCore.py b/src/lib/Bcfg2/Server/BuiltinCore.py
index 61edd9cf7..b62312828 100644
--- a/src/lib/Bcfg2/Server/BuiltinCore.py
+++ b/src/lib/Bcfg2/Server/BuiltinCore.py
@@ -30,7 +30,9 @@ class Core(BaseCore):
BaseCore.__init__(self, setup)
self.server = None
self.context = \
- daemon.DaemonContext(pidfile=PidFile(self.setup['daemon']))
+ daemon.DaemonContext(uid=self.setup['daemon_uid'],
+ gid=self.setup['daemon_gid'],
+ pidfile=PidFile(self.setup['daemon']))
def _dispatch(self, method, args, dispatch_dict):
"""Custom XML-RPC dispatcher for components.
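Review bot: Only `uid` and `gid` are passed to `daemon.DaemonContext` here, and nothing visible in this hunk resets the supplementary group list. A server started as root may therefore keep root's supplementary groups after the switch unless the installed python-daemon clears them itself; that is worth confirming and recording in a comment. The pid file is managed by the same context, so its directory presumably has to be writable by the target user. A short comment above the call, e.g. `# uid/gid come from [server] user/group; 0 means stay root`, would make the default visible at the point of use. `__init__` begins outside the hunk.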
diff --git a/src/lib/Bcfg2/Server/CherryPyCore.py b/src/lib/Bcfg2/Server/CherryPyCore.py
index a840d5ae9..79e939344 100644
--- a/src/lib/Bcfg2/Server/CherryPyCore.py
+++ b/src/lib/Bcfg2/Server/CherryPyCore.py
@@ -7,7 +7,7 @@ from Bcfg2.Server.Core import BaseCore
import cherrypy
from cherrypy.lib import xmlrpcutil
from cherrypy._cptools import ErrorTool
-from cherrypy.process.plugins import Daemonizer, PIDFile
+from cherrypy.process.plugins import Daemonizer, DropPrivileges, PIDFile
def on_error(*args, **kwargs): # pylint: disable=W0613
@@ -90,6 +90,8 @@ class Core(BaseCore):
return cherrypy.serving.response.body
def _daemonize(self):
+ DropPrivileges(cherrypy.engine, uid=self.setup['daemon_uid'],
+ gid=self.setup['daemon_gid']).subscribe()
Daemonizer(cherrypy.engine).subscribe()
PIDFile(cherrypy.engine, self.setup['daemon']).subscribe()
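Review bot: Subscribing `DropPrivileges` first in `_daemonize` does not make it run first, because CherryPy orders engine plugins by their start priority and not by subscription order. As far as I can tell the pid file is written and the listening socket bound before the uid/gid switch, which is what allows binding a privileged port. The side effect is that the pid file and anything else opened earlier stay root-owned, so the unprivileged process may be unable to remove the pid file on exit. A comment such as `# privileges are dropped after daemonizing and writing the pid file (plugin priority, not subscribe order)` would prevent a wrong reading. The method may continue past the end of the hunk.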