On Thu, May 20, 2010 at 6:43 PM, Graham Dumpleton
<[email protected]> wrote:
> Okay, but more searching. Possibly need to use:
>
> NAME
> setgroups -- set group access list
>
> SYNOPSIS
> #include <sys/param.h>
> #include <unistd.h>
>
> int
> setgroups(int ngroups, const gid_t *gidset);
setgroups() is exactly the function to use.
You may want to include the <grp.h> header too for better
portability.
Anyway, that's why I had asked earlier what his NGROUPS_MAX was
set to, as I expect that's where he was seeing the 16-group limit. I've
seen it anywhere from 8 to 65536, though on most modern Unixes I
deal with it's at least 20. Anyway you want to get that limit using
sysconf, something like:
#include <limits.h>   /* NGROUPS_MAX: compile-time fallback */
#include <unistd.h>   /* sysconf(), _SC_NGROUPS_MAX */
long ngroups_max = sysconf(_SC_NGROUPS_MAX);
if( ngroups_max < 0 )  /* sysconf() could not answer: use the compile-time limit */
    ngroups_max = NGROUPS_MAX;
Also, just as an FYI, under Linux you don't need to be superuser. You
just have to have the CAP_SETGID capability. And that can be set
on the executable file using the setcap command. (But for this case,
it doesn't matter much anyway because you'll usually be root)
Another idea is to restrict the groups that can get set by matching
them with the total list as returned by the getgrouplist() call. I'm not
too sure on how portable that last one is though, or if it suffers from
the NGROUPS_MAX limit.
> Thus, feasibly one could allow 'groups' parameter of WSGIDaemonProcess
> to take a comma separated list, also allowing 'a,' to indicate single
> group, and use this function to override the group vector.
>
> Now, is there any reasonable use of this outside of this person's one
> case to justify making such an enhancement.
I don't see a huge need for it at the moment, but it could be useful.
Mainly to allow for better sand-boxing in some cases.
I've actually been toying with the idea of getting different wsgi daemon
groups to run with different SELinux security contexts ... but that is
definitely very specialized ... and the group permissions thing is
much easier for most people to understand and administer.
--
Deron Meranda
http://deron.meranda.us/
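The pieces discussed in this thread put together, as an added example that is not code from this mailing list or from mod_wsgi: the sysconf()/NGROUPS_MAX query, a parser for the comma-separated 'groups' spec (including the single-group "a," form), the getgrouplist() cross-check against the groups the system itself assigns to the user, and a checked privilege drop via setgroups()/setgid()/setuid(). The function names are my own, the spec parsing rule is assumed from the proposal above, and getgrouplist() is BSD/glibc rather than POSIX, as the message notes.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE           /* strtok_r(), getgrouplist(), setgroups() on glibc */
#endif
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Run-time limit on the supplementary group vector: ask sysconf() first,
 * fall back to the compile-time NGROUPS_MAX if it cannot answer. */
long query_ngroups_max(void)
{
    long n = sysconf(_SC_NGROUPS_MAX);
    return n < 0 ? NGROUPS_MAX : n;
}

/* Parse a comma-separated group spec such as "www,backup", or the
 * single-group form "www,", into a gid vector (assumed syntax). Elements
 * are numeric gids or names resolved with getgrnam(); empty elements (the
 * trailing comma) are skipped. Returns the count, or -1 on an unknown
 * name or when the spec would overflow the caller's vector. */
int parse_group_list(const char *spec, gid_t *out, size_t max)
{
    char buf[256], *save = NULL, *tok;
    size_t n = 0;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        char *end;
        unsigned long v;
        if (n >= max)
            return -1;
        errno = 0;
        v = strtoul(tok, &end, 10);
        if (isdigit((unsigned char)tok[0]) && *end == '\0' && errno == 0) {
            out[n++] = (gid_t)v;            /* numeric gid */
        } else {
            struct group *g = getgrnam(tok);
            if (g == NULL)
                return -1;                  /* unknown group name: refuse, never guess */
            out[n++] = g->gr_gid;
        }
    }
    return (int)n;
}

/* Does the system itself assign 'gid' to 'user'? This is the getgrouplist()
 * cross-check proposed above. 'primary' is the user's login gid from the
 * passwd entry. Fails closed on allocation failure or overflow. */
int gid_allowed_for_user(const char *user, gid_t primary, gid_t gid)
{
    int n = (int)query_ngroups_max(), i, found = 0;
    gid_t *list = malloc((size_t)n * sizeof *list);

    if (list == NULL || getgrouplist(user, primary, list, &n) < 0) {
        free(list);
        return 0;
    }
    for (i = 0; i < n; i++)
        if (list[i] == gid)
            found = 1;
    free(list);
    return found;
}

/* Drop from root to uid/gid with exactly 'groups' as the supplementary set.
 * Groups first (needs privilege), uid last; every step is checked and the
 * drop is verified, since an unchecked setuid() failure would leave the
 * daemon running as root. On -1 the caller must exit: it may still be root. */
int drop_privileges(uid_t uid, gid_t gid, const gid_t *groups, size_t ngroups)
{
    if ((long)ngroups > query_ngroups_max())
        return -1;
    if (setgroups(ngroups, groups) != 0)    /* count is size_t on Linux, int on BSD */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid))
        return -1;                          /* privilege could be regained */
    return 0;
}

/* Demo: parse argv[1] (constructed default "0,") and report which of the
 * groups root is allowed. The drop itself needs root, so it is not run. */
int main(int argc, char **argv)
{
    gid_t gids[64];
    const char *spec = argc > 1 ? argv[1] : "0,";
    int i, n = parse_group_list(spec, gids, sizeof gids / sizeof gids[0]);

    printf("NGROUPS_MAX via sysconf: %ld\n", query_ngroups_max());
    if (n < 0) {
        fprintf(stderr, "bad group spec: %s\n", spec);
        return 1;
    }
    for (i = 0; i < n; i++)
        printf("gid %lu allowed for root: %s\n", (unsigned long)gids[i],
               gid_allowed_for_user("root", 0, gids[i]) ? "yes" : "no");
    return 0;
}
```

A daemon would call parse_group_list() on the configured spec, reject any gid for which gid_allowed_for_user() is false, and only then call drop_privileges(); the gid list is bounded by query_ngroups_max() at both the parse and the setgroups() step, so the 16-group surprise discussed above surfaces as a configuration error instead of a silently truncated group vector.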
--
You received this message because you are subscribed to the Google Groups
"modwsgi" group.