On Wed, Jun 12, 2013 at 8:37 AM, Alan Cabrera <[email protected]> wrote:
> On Jun 11, 2013, at 10:31 PM, Greg Stein <[email protected]> wrote:
>> On Wed, Jun 12, 2013 at 12:03 AM, Alan Cabrera <[email protected]> wrote:
>>> ...
>>> Why wouldn't we use os.setuid()?
>>
>> Only root can call os.setuid(), and voter certainly never runs as root :-)
>>
>> The compiled copies of wrapsuid.c will use filesystem's setuid bit to
>> switch users from $whoever to 'voter' (or whatever is configured).
>> Thus, the Python interpreter will execute under the voter (effective)
>> UID.
>
> I really hate not having pure Python dists. But, if there's no other way I
> guess we're stuck.
Totally agreed -- my preference, too. But yeah: we're stuck. At least on the current model.

We *could* create a pure server-based option. Voters/clients authenticate using their key. No setuid would be necessary since voters would not be using a shell, or have bare access to the vote tallies. Mark this as "future feature work" :-)

(we'll always have the ssh-based option, for organizations whose security model is ssh-based like the ASF, and that always means mixed-source distributions)

Cheers,
-g
