I'm trying to run mongrel on port 80 and switch to a different user/group from root. As root, this works:

    mongrel_rails start -p 3000 -u rails --group rails

This:

    mongrel_rails start -p 80 -u rails --group rails

dies with:

---------------------------
** Changing group to rails.
** Changing user to rails.
** Starting Mongrel listening at 0.0.0.0:80
/usr/local/lib/ruby/gems/1.8/gems/mongrel-0.3.13.1/lib/mongrel/tcphack.rb:24:in `initialize_without_backlog': Permission denied - bind(2) (Errno::EACCES)
        from /usr/local/lib/ruby/gems/1.8/gems/mongrel-0.3.13.1/lib/mongrel/tcphack.rb:24:in `initialize'
        from /usr/local/lib/ruby/gems/1.8/gems/mongrel-0.3.13.1/lib/mongrel.rb:500:in `initialize'
        from /usr/local/lib/ruby/gems/1.8/gems/mongrel-0.3.13.1/lib/mongrel.rb:822:in `listener'
        from /usr/local/lib/ruby/gems/1.8/gems/mongrel-0.3.13.1/bin/mongrel_rails:91:in `cloaker_'
        from /usr/local/lib/ruby/gems/1.8/gems/mongrel-0.3.13.1/lib/mongrel.rb:752:in `initialize'
        from /usr/local/lib/ruby/gems/1.8/gems/mongrel-0.3.13.1/bin/mongrel_rails:78:in `run'
        from /usr/local/lib/ruby/gems/1.8/gems/mongrel-0.3.13.1/lib/mongrel/command.rb:211:in `run'
        from /usr/local/lib/ruby/gems/1.8/gems/mongrel-0.3.13.1/bin/mongrel_rails:227
        from /usr/local/bin/mongrel_rails:18
---------------------------

It appears that the mongrel process changes privilege before binding to port 80, which of course is not allowed for a non-root process. Is there a workaround here?

Port 80 is a privileged port, meaning only processes running as root can bind to that port. Even though you are initiating the command as root, you are telling mongrel it should run as user rails. Since rails != root, mongrel will not run on port 80 as with any -u value other than root.

=Will Green
Web Developer & IT Coordinator, URS Creative Imaging
http://www.urscreativeimaging.com/

Replying to: "Doug Selph" <dselph at gmail.com>, 06/22/2006 02:04 PM, Subject: [Mongrel] changing user/group on port 80

Right. If you want to run under another user *and* on privileged port, you must start mongrel as root, and when the port is bound you can have mongrel drop its privileges by Process.uid= or Process::UID.change_privilege.

Mongrel does this dropping (lib/mongrel.rb:725, in Configurator#initialize) before the ports are bound (the block gets executed right after the privileges drop). If these two were exchanged, it might do what you want, although it may have other implications, that I'm not able to tell now.

Jano

Jan,

I had actually tried what you suggest (reversing the sequence of change_privilege and port binding) prior to emailing the list. It did allow me to get mongrel up as a non-root process listening on port 80, but every request to my rails app got an HTTP response of 500. I don't know mongrel well enough to understand the reason for that, but as you said, there were other implications. :)

Thanks for taking time to hunt it down and respond.

Doug

Jan,

An update here: I am now running mongrel behind an apache2 daemon that is listening on port 80 and proxying to mongrel. However, I was curious if something I encountered today would resolve the problem I had after reversing the sequence of dropping privs and binding the privileged port, so I repeated that change on my dev box and tried it.

It turns out that the error I got when I tried that was a result of the user specified with --user not owning the session files in RAILS_ROOT/tmp/sessions. Once I corrected that condition, the change in lib/mongrel.rb did the trick. Thought you might want to know that.

Thanks again for your response yesterday.

Doug

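The ordering discussed in the messages above (bind the privileged port as root, then drop to the unprivileged account, then confirm that account owns the files the application writes), as an added Ruby example that is not Mongrel's code or part of the original thread. The function names bind_listener, drop_privileges and unowned_paths and the command-line arguments are hypothetical.

```ruby
require 'socket'
require 'etc'
require 'find'

# Step 1: bind while still root (required for ports below 1024).
def bind_listener(host, port)
  TCPServer.new(host, port)
end

# Step 2: drop to the unprivileged account once the socket exists.
# Group goes first: after the uid change the process can no longer set its gid.
def drop_privileges(user, group)
  return :not_root unless Process.euid.zero?
  uid = Etc.getpwnam(user).uid
  gid = Etc.getgrnam(group).gid
  Process.initgroups(user, gid)        # replace root's supplementary groups
  Process::GID.change_privilege(gid)
  Process::UID.change_privilege(uid)
  begin
    Process::UID.change_privilege(0)   # must fail if the drop is permanent
  rescue Errno::EPERM
    return :dropped
  end
  raise 'privilege drop is reversible, refusing to continue'
end

# Step 3: paths under dir that uid does not own. Session files left behind
# by an earlier run under a different account show up here.
def unowned_paths(dir, uid)
  Find.find(dir).reject { |path| File.lstat(path).uid == uid }
end

# Usage (as root): ruby bind_then_drop.rb 80 rails rails /path/to/app/tmp
if __FILE__ == $PROGRAM_NAME && ARGV.size == 4
  port, user, group, tmp_dir = ARGV
  server = bind_listener('0.0.0.0', Integer(port))
  state = drop_privileges(user, group)
  bad = unowned_paths(tmp_dir, Process.euid)
  warn "not owned by #{user}: #{bad.join(', ')}" unless bad.empty?
  puts "listening on #{port}, privileges: #{state}, euid: #{Process.euid}"
  server.close
end
```

The listening socket stays usable after the drop because the privilege check happens at bind(2), not on later accept calls.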
On Thu, 2006-06-22 at 13:04 -0500, Doug Selph wrote:
> I'm trying to run mongrel on port 80 and switch to a different
> user/group from root. As root, this works:
>

Hey Doug, make sure to try out the pre-release today and let me know if it works for you.

Also, when you start to get into running Mongrel more as a real server, I'm going to probably push back on feature requests. Mongrel was specifically designed to be run as a non-privileged user on a higher port in order to avoid these kinds of things. In reality if you're running Mongrel you should put it behind another web server and let that web server defend port 80 for you.

--
Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/