From a4e78fbed539e83b639dd22b0662554c9e837e23 Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre"
Date: Tue, 25 Sep 2012 16:56:08 -0400
Subject: drop privs options added, works in CherryPy

---
 src/lib/Bcfg2/Options.py             | 34 +++++++++++++++++++++++++++++++++-
 src/lib/Bcfg2/Server/BuiltinCore.py  |  4 +++-
 src/lib/Bcfg2/Server/CherryPyCore.py |  4 +++-
 tools/manpagegen/bcfg2.conf.5.ronn   |  6 ++++++
 4 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/src/lib/Bcfg2/Options.py b/src/lib/Bcfg2/Options.py
index a436472e1..4fda79dfb 100644
--- a/src/lib/Bcfg2/Options.py
+++ b/src/lib/Bcfg2/Options.py
@@ -7,6 +7,8 @@ import os
 import re
 import shlex
 import sys
+import grp
+import pwd
 import Bcfg2.Client.Tools
 from Bcfg2.Compat import ConfigParser
 from Bcfg2.version import __version__
@@ -332,6 +334,24 @@ def get_bool(val):
     raise ValueError
 
 
+def get_gid(val):
+    """ This takes a group name or gid and returns the corresponding
+    gid. """
+    try:
+        return int(val)
+    except ValueError:
+        return int(grp.getgrnam(val)[2])
+
+
+def get_uid(val):
+    """ This takes a group name or gid and returns the corresponding
+    gid. """
+    try:
+        return int(val)
+    except ValueError:
+        return int(pwd.getpwnam(val)[2])
+
+
 # Options accepts keyword argument list with the following values:
 # default: default value for the option
 # cmd: command line switch
@@ -522,6 +542,16 @@ SERVER_BACKEND = \
     Option('Server Backend',
            default='best',
            cf=('server', 'backend'))
+SERVER_DAEMON_USER = \
+    Option('User to run the server daemon as',
+           default=0,
+           cf=('server', 'user'),
+           cook=get_uid)
+SERVER_DAEMON_GROUP = \
+    Option('Group to run the server daemon as',
+           default=0,
+           cf=('server', 'group'),
+           cook=get_gid)
 
 # database options
 DB_ENGINE = \
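Review bot: The docstring on get_uid is a copy of get_gid's and describes the wrong helper; it should read `""" This takes a user name or uid and returns the corresponding uid. """`. In both helpers an unknown name makes grp.getgrnam or pwd.getpwnam raise KeyError, which escapes the cook function as a bare traceback rather than the ValueError that get_bool raises for bad input in the context line just above; catching it, e.g. `except KeyError: raise ValueError("Unknown user: %s" % val)` (and the group equivalent), keeps error handling in this option layer uniform and gives the admin a readable message for a typo in bcfg2.conf. The numeric branch also accepts any integer, including negative or non-existent ids, without checking it against the account database, which may be intended but is worth a one-line comment on each helper.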
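Review bot: SERVER_DAEMON_GROUP defaults to 0 independently of SERVER_DAEMON_USER, so a configuration that sets only `user = someuser` in `[server]` appears to start the daemon with gid 0 even though the uid was dropped, which is probably not what an admin setting `user` expects. A more useful default would derive the group from the configured user's primary group (`pwd.getpwnam(user).pw_gid`) when `group` is unset, or failing that the man page entry for `group` should say that it must be set alongside `user`. Whether Option applies `cook` to the default value as well as to configured values is not visible in this hunk; since both defaults are already ints it makes no difference for the default case, but it matters for the primary-group derivation above.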
@@ -1000,7 +1030,9 @@ CLI_COMMON_OPTIONS = dict(configfile=CFILE,
                           syslog=LOGGING_SYSLOG)
 
 DAEMON_COMMON_OPTIONS = dict(daemon=DAEMON,
-                             listen_all=SERVER_LISTEN_ALL)
+                             listen_all=SERVER_LISTEN_ALL,
+                             daemon_uid=SERVER_DAEMON_USER,
+                             daemon_gid=SERVER_DAEMON_GROUP)
 
 SERVER_COMMON_OPTIONS = dict(repo=SERVER_REPOSITORY,
                              plugins=SERVER_PLUGINS,
diff --git a/src/lib/Bcfg2/Server/BuiltinCore.py b/src/lib/Bcfg2/Server/BuiltinCore.py
index 61edd9cf7..b62312828 100644
--- a/src/lib/Bcfg2/Server/BuiltinCore.py
+++ b/src/lib/Bcfg2/Server/BuiltinCore.py
@@ -30,7 +30,9 @@ class Core(BaseCore):
         BaseCore.__init__(self, setup)
         self.server = None
         self.context = \
-            daemon.DaemonContext(pidfile=PidFile(self.setup['daemon']))
+            daemon.DaemonContext(uid=self.setup['daemon_uid'],
+                                 gid=self.setup['daemon_gid'],
+                                 pidfile=PidFile(self.setup['daemon']))
 
     def _dispatch(self, method, args, dispatch_dict):
         """Custom XML-RPC dispatcher for components.
diff --git a/src/lib/Bcfg2/Server/CherryPyCore.py b/src/lib/Bcfg2/Server/CherryPyCore.py
index a840d5ae9..79e939344 100644
--- a/src/lib/Bcfg2/Server/CherryPyCore.py
+++ b/src/lib/Bcfg2/Server/CherryPyCore.py
@@ -7,7 +7,7 @@ from Bcfg2.Server.Core import BaseCore
 import cherrypy
 from cherrypy.lib import xmlrpcutil
 from cherrypy._cptools import ErrorTool
-from cherrypy.process.plugins import Daemonizer, PIDFile
+from cherrypy.process.plugins import Daemonizer, DropPrivileges, PIDFile
 
 
 def on_error(*args, **kwargs):  # pylint: disable=W0613
@@ -90,6 +90,8 @@ class Core(BaseCore):
         return cherrypy.serving.response.body
 
     def _daemonize(self):
+        DropPrivileges(cherrypy.engine, uid=self.setup['daemon_uid'],
+                       gid=self.setup['daemon_gid']).subscribe()
         Daemonizer(cherrypy.engine).subscribe()
         PIDFile(cherrypy.engine, self.setup['daemon']).subscribe()
 
diff --git a/tools/manpagegen/bcfg2.conf.5.ronn b/tools/manpagegen/bcfg2.conf.5.ronn
index 3687e4c74..b559f5599 100644
--- a/tools/manpagegen/bcfg2.conf.5.ronn
+++ b/tools/manpagegen/bcfg2.conf.5.ronn
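Review bot: Passing uid/gid into DaemonContext makes python-daemon change the process owner when the context is opened, which as far as I recall happens before the context acquires its pidfile and before this core binds its listening socket; the directory holding `self.setup['daemon']` therefore has to be writable by the daemon user, and the repository, key/certificate files and log destinations readable by it, none of which the commit records. A short comment on the new lines, such as `# uid/gid are applied when the context opens, before the pidfile and socket exist; those paths must be accessible to daemon_uid`, would capture this for whoever first configures a non-root user. The enclosing `__init__` continues outside the hunk, so where the context is actually opened is not visible here.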
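Review bot: DropPrivileges is a CherryPy engine plugin and, as I recall, the engine orders plugin start hooks by priority rather than by subscription order, so the drop happens after Daemonizer, PIDFile and the HTTP server have started, i.e. the pidfile and the bound socket are created as root and only then are uid/gid changed. That is the reverse of the sequence in BuiltinCore, where DaemonContext drops privileges before the pidfile and socket exist, so the same `user`/`group` settings have different filesystem and port requirements on the two backends; a comment on the new lines, e.g. `# CherryPy runs plugins by priority: the server binds and the pidfile is written before DropPrivileges runs`, would make the difference visible to whoever reads only this file. I believe DropPrivileges also resolves names itself, so the get_uid/get_gid cooking is redundant on this backend but harmless.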
@@ -116,6 +116,12 @@ specified in the `[server]` section of the configuration file.
   More details on the backends can be found in the official
   documentation.
 
+ * `user`:
+   The username or UID to run the daemon as. Default is `0`
+
+ * `group`:
+   The group name or GID to run the daemon as. Default is `0`
+
 ### Account Plugin
 
 The account plugin manages authentication data, including the following.
-- 
cgit v1.2.3-1-g7c22