[Supervisor-users] [PATCH] Clearing subprocess environment

[Grzegorz Nosek]

Hi!

The attached patch adds an option to clear the subprocess environment 
before calling exec(). We don't always want to leak supervisor's 
environment to its children, which usually run under different UIDs 
(plus, they need not and should not care they're running under 
supervisor as they can't access it anyway).

With this patch you can set clear_environment=true in a process config 
section to make the child environment contain _only_ items specified in 
the environment= parameter.

This should arguably be done by PAM modules but pam_env doesn't seem to 
support clearing the environment at all (only unsetting variables by 
name). BTW, I'm cooking a patch to add PAM support to supervisor too, 
but it requires ctypes and a heavily patched pam module (the one from 
pypi is too limited), so I guess won't end up in mainline, anyway, but 
if somebody is interested, shout.

Best regards,
 Grzegorz Nosek
>From f8e0867cc901ed230ca2204c9d77c76795ac1780 Mon Sep 17 00:00:00 2001
From: Grzegorz Nosek <r...@localdomain.pl>
Date: Mon, 15 Nov 2010 17:42:16 +0100
Subject: [PATCH] Support clear_environment process parameter

When true, the process receives only items explicitly
mentioned in environment= parameter.

Defaults to false.
---
 src/supervisor/tests/test_process.py |   31 +++++++++++++++++++++++++++++++
 1 files changed, 31 insertions(+), 0 deletions(-)

diff --git a/src/supervisor/tests/test_process.py b/src/supervisor/tests/test_process.py
index 7185816..740367c 100644
--- a/src/supervisor/tests/test_process.py
+++ b/src/supervisor/tests/test_process.py
@@ -453,6 +453,37 @@ class SubprocessTests(unittest.TestCase):
             options.execv_environment['SUPERVISOR_SERVER_URL'],
             'http://localhost:9001')
 
+    def test_spawn_as_child_environment_clear_environment(self):
+        options = DummyOptions()
+        options.forkpid = 0
+        config = DummyPConfig(options, 'cat', '/bin/cat',
+            clear_environment=True)
+        instance = self._makeOne(config)
+        class Dummy:
+            name = 'dummy'
+        instance.group = Dummy()
+        instance.group.config = Dummy()
+        result = instance.spawn()
+        self.assertEqual(result, None)
+        self.assertEqual(options.execv_args, ('/bin/cat', ['/bin/cat']) )
+        self.assertEqual(options.execv_environment, dict())
+
+    def test_spawn_as_child_environment_clear_environment_withvars(self):
+        options = DummyOptions()
+        options.forkpid = 0
+        child_env = dict(_TEST_=1)
+        config = DummyPConfig(options, 'cat', '/bin/cat',
+            clear_environment=True, environment=child_env)
+        instance = self._makeOne(config)
+        class Dummy:
+            name = 'dummy'
+        instance.group = Dummy()
+        instance.group.config = Dummy()
+        result = instance.spawn()
+        self.assertEqual(result, None)
+        self.assertEqual(options.execv_args, ('/bin/cat', ['/bin/cat']) )
+        self.assertEqual(options.execv_environment, child_env)
+
     def test_spawn_as_child_stderr_redirected(self):
         options = DummyOptions()
         options.forkpid = 0
-- 
1.7.0.4

_______________________________________________
Supervisor-users mailing list
Supervisor-users@lists.supervisord.org
http://lists.supervisord.org/mailman/listinfo/supervisor-users