summaryrefslogtreecommitdiffstats
path: root/wallace
diff options
context:
space:
mode:
authorJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2012-05-21 14:40:00 +0100
committerJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2012-05-21 14:40:00 +0100
commit8b6068013328566e52540d4e9dcc91e80b3708f5 (patch)
tree690d27087fafeabc946cd923d3703c65b81abdb0 /wallace
parent0412e7428532533e3f57c01b6f5f8e2d853d7b0a (diff)
downloadpykolab-8b6068013328566e52540d4e9dcc91e80b3708f5.tar.gz
If possible, switch user/groups when starting
Diffstat (limited to 'wallace')
-rw-r--r--wallace/__init__.py95
1 files changed, 94 insertions, 1 deletions
diff --git a/wallace/__init__.py b/wallace/__init__.py
index 6677613..edd47a6 100644
--- a/wallace/__init__.py
+++ b/wallace/__init__.py
@@ -18,7 +18,9 @@
#
import asyncore
+import grp
import os
+import pwd
from smtpd import SMTPChannel
import sys
import tempfile
@@ -53,6 +55,16 @@ class WallaceDaemon(object):
)
daemon_group.add_option(
+ "-g",
+ "--group",
+ dest = "process_groupname",
+ action = "store",
+ default = "kolab",
+ help = _("Run as group GROUPNAME"),
+ metavar = "GROUPNAME"
+ )
+
+ daemon_group.add_option(
"-p", "--pid-file",
dest = "pidfile",
action = "store",
@@ -68,6 +80,16 @@ class WallaceDaemon(object):
help = _("Port that Wallace is supposed to use.")
)
+ daemon_group.add_option(
+ "-u",
+ "--user",
+ dest = "process_username",
+ action = "store",
+ default = "kolab",
+ help = _("Run as user USERNAME"),
+ metavar = "USERNAME"
+ )
+
conf.finalize_conf()
import modules
@@ -178,7 +200,9 @@ class WallaceDaemon(object):
wallace_modules = conf.get_list('wallace', 'modules')
if wallace_modules == None:
- wallace_modules = []
+ wallace_modules = ['resources']
+ elif not 'resources' in wallace_modules:
+ wallace_modules.append('resources')
for module in wallace_modules:
log.debug(_("Executing module %s") % (module), level=8)
@@ -192,6 +216,75 @@ class WallaceDaemon(object):
exitcode = 0
try:
+ (ruid, euid, suid) = os.getresuid()
+ (rgid, egid, sgid) = os.getresgid()
+
+ if ruid == 0:
+ # Means we can setreuid() / setregid() / setgroups()
+ if egid == 0:
+ # Get group entry details
+ try:
+ (
+ group_name,
+ group_password,
+ group_gid,
+ group_members
+ ) = grp.getgrnam(conf.process_groupname)
+
+ except KeyError:
+ print >> sys.stderr, _("Group %s does not exist") % (
+ conf.process_groupname
+ )
+
+ sys.exit(1)
+
+ # Set real and effective group if not the same as current.
+ if not group_gid == egid:
+ log.debug(
+ _("Switching real and effective group id to %d") % (
+ group_gid
+ ),
+ level=8
+ )
+
+ os.setregid(group_gid, group_gid)
+
+ if euid == 0:
+ # Means we haven't switched yet.
+ try:
+ (
+ user_name,
+ user_password,
+ user_uid,
+ user_gid,
+ user_gecos,
+ user_homedir,
+ user_shell
+ ) = pwd.getpwnam(conf.process_username)
+
+ except KeyError:
+ print >> sys.stderr, _("User %s does not exist") % (
+ conf.process_username
+ )
+
+ sys.exit(1)
+
+
+ # Set real and effective user if not the same as current.
+ if not user_uid == euid:
+ log.debug(
+ _("Switching real and effective user id to %d") % (
+ user_uid
+ ),
+ level=8
+ )
+
+ os.setreuid(user_uid, user_uid)
+
+ except:
+ log.error(_("Could not change real and effective uid and/or gid"))
+
+ try:
pid = 1
if conf.fork_mode:
self.thread_count += 1