On Tue, Mar 06, 2012 at 04:23:25PM +0000, Sigurd Høgsbro wrote:
> Ran into a file permission problem whilst trying to set up Trac (0.12.3) on a
> Linux box (Ubuntu Lucid 10.04) with TracGit plugin to run under uWSGI (1.0.4),
> with the Git repos managed by Gitolite. Gitolite runs under git:git,
> uWSGI/Trac runs under trac:trac. The trac user is a member of the git group,
> and I've verified that I can read the Git control-files as the trac user
> (after a 'su - trac').
>
> When running the Trac code under uWSGI, TracGit complains that it cannot read
> the repo control files. Running the same code under tracd (in HTTP mode), it
> works. I added some trace in PyGit.py, and found that when run under uWSGI,
> the uid/gid is set correctly but the supplementary group list is empty. I
> eventually found this was caused by the call in utils.c:577 to setgroups(0,
> NULL), after the call to setgid().
>
> After some Googling I found the correct solution is calling initgroups(3)
> instead of calling setgroups(2) - see links below for details.
>
> • [1]http://www.gnu.org/software/libc/manual/html_node/Setting-Groups.html
> • [2]http://stackoverflow.com/questions/1489579/linux-id-no-squash-root
> • [3]http://www.palecrow.com/chroot-jail-paper.html
> • [4]http://code.google.com/p/modwsgi/source/browse/mod_wsgi/mod_wsgi.c#10197
>
> Note: There are calls to setgroups() in both utils.c and emperor.c. I only
> tested this in utils.c.

So I am not sure why this bug didn't get more attention. Currently I am hitting
this same bug (well, not me, but a Fedora user), check this comment:

https://bugzilla.redhat.com/show_bug.cgi?id=901936#c2

tl;dr uwsgi is unable to properly drop privileges when in emperor mode. This is
with uwsgi 1.2.6 but I just downloaded 1.4.5 and sure enough the same code still
exists and, arguably, the bug is there.

Is this really the issue or am I missing something here? A really simple patch
was provided by Sigurd which I can use to test in a bit, but wondering if anyone
else has hit this same bug.

>
> Testing was done on my Ubuntu 10.04 box, and results in the correct
> supplementary groups being available (and TracGit works).
>
> Regards,
>
> Sigurd
>
> diff -p:
> *** utils.c 2012-02-13 18:26:37.000000000 +0100 > --- ../utils.c 2012-03-06 17:09:05.222275998 +0100 > *************** void uwsgi_as_root() { > *** 573,580 **** > uwsgi_error("setgid()"); > exit(1); > } > ! if (setgroups(0, NULL)) { > ! uwsgi_error("setgroups()"); > exit(1); > } > } > --- 573,580 ---- > uwsgi_error("setgid()"); > exit(1); > } > ! if (initgroups(uwsgi.uidname, uwsgi.gid)) { > ! uwsgi_error("initgroups()"); > exit(1); > } > }
>
>
> References:
>
> [1] http://www.gnu.org/software/libc/manual/html_node/Setting-Groups.html
> [2] http://stackoverflow.com/questions/1489579/linux-id-no-squash-root
> [3] http://www.palecrow.com/chroot-jail-paper.html
> [4] http://code.google.com/p/modwsgi/source/browse/mod_wsgi/mod_wsgi.c#10197
> _______________________________________________
> uWSGI mailing list
> [email protected]
> http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi
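
Review bot: The replacement call initgroups(uwsgi.uidname, uwsgi.gid) uses uwsgi.uidname without checking it, and it sits in the branch that runs after setgid(). If that field is only filled in when the user is configured by name, a setup that gives just a gid, or a numeric uid, would pass initgroups() a NULL name. Guard the call, for example by keeping the old setgroups(0, NULL) as the fallback when no name is available, or by resolving the name from the target uid with getpwuid() first. The diff also changes only utils.c; the message says there is a second setgroups() call in emperor.c that was not tested, and that one is relevant to the emperor-mode report in the reply, so it needs the same change and a test of its own.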
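
Added example, not part of either message and not uWSGI's code: a minimal privilege drop that loads the target user's supplementary groups with initgroups(3) before setgid()/setuid(), plus the check that the trace in PyGit.py amounted to (does the running process actually hold a given group). The function names and the "trac 1001" usage are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if the calling process holds gid as effective or supplementary group,
 * 0 if not, -1 on error. */
int process_has_group(gid_t gid) {
    if (gid == getegid()) return 1;   /* getgroups() may omit the effective gid */
    int n = getgroups(0, NULL);       /* size query */
    if (n < 0) return -1;
    if (n == 0) return 0;             /* the state setgroups(0, NULL) leaves behind */
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (!list) return -1;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (list[i] == gid) found = 1;
    free(list);
    return n < 0 ? -1 : found;
}

/* Drop from root to user: supplementary groups, then gid, then uid.
 * Returns 0 on success, -1 on any failure (the caller should exit). */
int drop_privileges(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;                             /* unknown user: refuse */
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;
    if (initgroups(user, gid) != 0) return -1;      /* instead of setgroups(0, NULL) */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;                /* last: needs root for the above */
    if (uid != 0 && setuid(0) == 0) return -1;      /* root must not be recoverable */
    return 0;
}

int main(int argc, char **argv) {
    /* Hypothetical usage: ./drop trac 1001 (drop to "trac", then test gid 1001). */
    if (argc != 3) { fprintf(stderr, "usage: %s user gid\n", argv[0]); return 2; }
    if (geteuid() == 0 && drop_privileges(argv[1]) != 0) { perror("drop"); return 1; }
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    printf("uid=%d gid=%d holds group %u: %d\n", (int)getuid(), (int)getgid(),
           (unsigned)gid, process_has_group(gid));
    return 0;
}
```

Run as root, the program reports 1 for a group the target user belongs to; swapping the initgroups() call for setgroups(0, NULL) makes the same run report 0 for every group except the primary one, which is the symptom described in the quoted message.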
