Hello.

I have discovered that mongrel does not correctly take on all the groups of the requested user/group combination. It seems that while the specified user and group is correctly activated, all the other groups that are associated with this user are not enabled and the group permissions remain the same as the caller (i.e. root).

This problem (and solution) is discussed in the Ruby Forum:

http://www.ruby-forum.com/topic/110492

It seems that Process.initgroups needs to be called in order for the user's group permissions to be properly activated.

I have a fix that involves making a slight addition to mongrel-1.0.1/lib/mongrel/configurator.rb as follows:

--- configurator.rb.orig 2007-05-28 04:22:11.000000000 -0400 +++ configurator.rb 2007-05-28 04:11:02.000000000 -0400 @@ -55,6 +55,11 @@ # Change privilege of the process to specified user and group. def change_privilege(user, group) begin + if group && user + log "Initialising groups for {#user}:{#group}." + Process.initgroups(user,Etc.getgrnam(group).gid) + end + if group log "Changing group to #{group}." Process::GID.change_privilege(Etc.getgrnam(group).gid)

To confirm this is an appropriate fix, I took a look at the source for the linux coreutils 'su' command, which is very similar:

/* Become the user and group(s) specified by PW. */

static void
change_identity (const struct passwd *pw)
{
#ifdef HAVE_INITGROUPS
  errno = 0;
  if (initgroups (pw->pw_name, pw->pw_gid) == -1)
    error (EXIT_FAIL, errno, _("cannot set groups"));
  endgrent ();
#endif
  if (setgid (pw->pw_gid))
    error (EXIT_FAIL, errno, _("cannot set group id"));
  if (setuid (pw->pw_uid))
    error (EXIT_FAIL, errno, _("cannot set user id"));
}

This patch seems to solve the problem for me - Can someone please review this for possible inclusion in the main mongrel source tree?

Thanks,
Scott
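Review bot: in the added `if group && user` block, Process.initgroups is only reached when both arguments are given, so a call that passes a user without a group keeps the caller's supplementary groups. Consider keying the block on `user` alone and falling back to the user's primary gid (Etc.getpwnam(user).gid) when no group is supplied, which is also what the quoted su code passes to initgroups. On the log line inside the same block, {#user}:{#group} is printed literally by Ruby; it should be written #{user}:#{group}, in the same way as the existing "Changing group to #{group}." line.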
I have run across this same problem. Is there any chance this patch will get committed?

Thanks.

- jeremy
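Added example (not part of the original thread and not Mongrel's code): an audit for the problem described in the first message, comparing the groups a process holds after dropping privileges with the groups the target user is entitled to. The group table, the user name "mongrel" and all function names are constructed for illustration; drop_privileges follows the order of the quoted su excerpt and must start as root.

```ruby
require 'etc'

# Constructed sample group database for illustration (not from the thread).
SAMPLE_GROUPS = [
  { gid: 0,    mem: ['root'] },      # root
  { gid: 10,   mem: ['root'] },      # wheel
  { gid: 1001, mem: [] },            # mongrel (primary group of user "mongrel")
  { gid: 1002, mem: ['mongrel'] },   # deploy
  { gid: 1003, mem: ['mongrel'] }    # www
].freeze

# GIDs that initgroups(user, base_gid) installs: base_gid plus every
# group that lists the user as a member.
def entitled_gids(user, base_gid, groups)
  listed = groups.select { |g| g[:mem].include?(user) }.map { |g| g[:gid] }
  ([base_gid] + listed).uniq.sort
end

# :inherited = groups kept from the caller, :missing = the user's own
# groups that were never enabled. Both are empty after a correct drop.
def audit_groups(supplementary, egid, user, base_gid, groups)
  have = (supplementary + [egid]).uniq
  want = entitled_gids(user, base_gid, groups)
  { inherited: (have - want).sort, missing: (want - have).sort }
end

# Same audit against the live process and the system group database.
def audit_current_process(user, base_gid)
  groups = []
  Etc.group { |g| groups << { gid: g.gid, mem: g.mem } }
  audit_groups(Process.groups, Process.egid, user, base_gid, groups)
end

# Drop in the order of the su excerpt (groups, gid, uid), then refuse to
# continue if any of the caller's groups survived. Must start as root.
def drop_privileges(user, group = nil)
  pw  = Etc.getpwnam(user)
  gid = group ? Etc.getgrnam(group).gid : pw.gid
  Process.initgroups(user, gid)
  Process::GID.change_privilege(gid)
  Process::UID.change_privilege(pw.uid)
  leftover = audit_current_process(user, gid)[:inherited]
  raise "caller's groups still active: #{leftover.inspect}" unless leftover.empty?
end

if __FILE__ == $0
  # Constructed states: root's groups kept (no initgroups) vs. after initgroups.
  p audit_groups([0, 10], 1001, 'mongrel', 1001, SAMPLE_GROUPS)
  p audit_groups([1001, 1002, 1003], 1001, 'mongrel', 1001, SAMPLE_GROUPS)
end
```

The first constructed state reports root's groups as inherited and the user's own groups as missing, which is the symptom reported in the thread; the second reports nothing.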
On 7/30/07, Jeremy Burks <jeremy.burks at gmail.com> wrote:
> I have run across this same problem. Is there any chance this patch
> will get committed?

For what it is worth, this is fixed in the swiftiplied_mongrel and evented_mongrel patches in Swiftiply 0.6.0 (which, sadly, I didn't get released this weekend as planned because I found a couple bugs that I need to address first).

Kirk Haines
Is there any chance of getting this fixed for 1.0.2?

Thanks

- jeremy
On Sep 20, 2007, at 15:13 , Jeremy Burks wrote:
> Is there any chance of getting this fixed for 1.0.2?

File a ticket. Submit the patch, we'll see if we *might* be able to get it in.

~Wayne

s///g
Wayne E. Seguin
Sr. Systems Architect & Systems Administrator
Here is the patch:
http://rubyforge.org/tracker/index.php?func=detail&aid=14116&group_id=1306&atid=5147

On 9/20/07, Wayne E. Seguin <wayneeseguin at gmail.com> wrote:
>
> On Sep 20, 2007, at 15:13 , Jeremy Burks wrote:
> Is there any chance of getting this fixed for 1.0.2?
>
> File a ticket. Submit the patch, we'll see if we *might* be able to get it
> in.
>
> ~Wayne
Yes I second the vote for this to please be included in the 1.0.2 release, if at all possible.

Thanks
Scott

On 9/21/07, Jeremy Burks <jeremy.burks at gmail.com> wrote:
> Here is the patch:
> http://rubyforge.org/tracker/index.php?func=detail&aid=14116&group_id=1306&atid=5147
>
> On 9/20/07, Wayne E. Seguin <wayneeseguin at gmail.com> wrote:
> >
> > On Sep 20, 2007, at 15:13 , Jeremy Burks wrote:
> > Is there any chance of getting this fixed for 1.0.2?
> >
> > File a ticket. Submit the patch, we'll see if we *might* be able to get it
> > in.
> >
> > ~Wayne
On Sep 21, 2007, at 01:51 , Scott McNab wrote:
> Yes I second the vote for this to please be included in the 1.0.2
> release, if at all possible.
> Thanks
> Scott

Scott,

It has been applied for the 1.0.2 release. Thank you for your contribution.

~Wayne

s///g
Wayne E. Seguin
Sr. Systems Architect & Systems Administrator
Awesome. Thanks. And thanks to Scott for tracking down the problem.

- jeremy

On 9/21/07, Wayne E. Seguin <wayneeseguin at gmail.com> wrote:
>
> On Sep 21, 2007, at 01:51 , Scott McNab wrote:
> Yes I second the vote for this to please be included in the 1.0.2
> release, if at all possible.
> Thanks
> Scott
>
> Scott,
>
> It has been applied for the 1.0.2 release. Thank you for your contribution.
>
> ~Wayne