Hello. I have discovered that mongrel does not correctly take on all the groups of the requested user/group combination. It seems that while the specified user and group is correctly activated, all the other groups that are associated with this user are not enabled and the group permissions remain the same as the caller (i.e. root).
This problem (and solution) is discussed in the Ruby Forum: http://www.ruby-forum.com/topic/110492

It seems that Process.initgroups needs to be called in order for the user's group permissions to be properly activated. I have a fix that involves making a slight addition to mongrel-1.0.1/lib/mongrel/configurator.rb as follows:

--- configurator.rb.orig 2007-05-28 04:22:11.000000000 -0400 +++ configurator.rb 2007-05-28 04:11:02.000000000 -0400 @@ -55,6 +55,11 @@ # Change privilege of the process to specified user and group. def change_privilege(user, group) begin + if group && user + log "Initialising groups for {#user}:{#group}." + Process.initgroups(user,Etc.getgrnam(group).gid) + end + if group log "Changing group to #{group}." Process::GID.change_privilege(Etc.getgrnam(group).gid)

To confirm this is an appropriate fix, I took a look at the source for the Linux coreutils 'su' command, which is very similar:

/* Become the user and group(s) specified by PW. */
static void
change_identity (const struct passwd *pw)
{
#ifdef HAVE_INITGROUPS
  errno = 0;
  if (initgroups (pw->pw_name, pw->pw_gid) == -1)
    error (EXIT_FAIL, errno, _("cannot set groups"));
  endgrent ();
#endif
  if (setgid (pw->pw_gid))
    error (EXIT_FAIL, errno, _("cannot set group id"));
  if (setuid (pw->pw_uid))
    error (EXIT_FAIL, errno, _("cannot set user id"));
}

This patch seems to solve the problem for me. Can someone please review this for possible inclusion in the main mongrel source tree?

Thanks,
Scott
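Review bot: The `if group && user` guard on the added block means Process.initgroups is skipped when only a user is configured, so in that case the process keeps the caller's supplementary groups, which is the problem this patch sets out to fix. Consider running the block whenever user is set and falling back to the user's primary group, e.g. `gid = group ? Etc.getgrnam(group).gid : Etc.getpwnam(user).gid`, then `Process.initgroups(user, gid)`. Also, the added log line writes `{#user}:{#group}` where `#{user}:#{group}` is intended, so it logs the literal placeholders rather than the names. Placing the call before the existing Process::GID.change_privilege line is right and matches the order in the su code quoted in the message.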

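A post-drop check for the problem described in the message above, as an added example (not part of the original post and not Mongrel's code): it drops privileges in the same order as the quoted su code, then refuses to continue if the process still holds groups the target user is not entitled to. The names `expected_gids`, `inherited_gids`, `drop_privileges` and the sample group table are made up for illustration.

```ruby
require 'etc'

# Group IDs a process running as `user` should hold: the primary gid plus
# every group that lists the user as a member. `entries` is a list of
# [gid, members] pairs; it defaults to the system group database.
def expected_gids(user, primary_gid, entries = nil)
  entries ||= begin
    list = []
    Etc.group { |g| list << [g.gid, g.mem] }
    list
  end
  member_of = entries.select { |_gid, members| members.include?(user) }
  ([primary_gid] + member_of.map(&:first)).uniq.sort
end

# Groups the process holds that the target user is not entitled to.
# Non-empty after a privilege drop means groups were inherited from the caller.
def inherited_gids(current_gids, user, primary_gid, entries = nil)
  (current_gids - expected_gids(user, primary_gid, entries)).sort
end

# Drop from root to user (and optional group): supplementary groups first,
# then gid, then uid, then verify. Must be called while still privileged.
def drop_privileges(user, group = nil)
  pw  = Etc.getpwnam(user)
  gid = group ? Etc.getgrnam(group).gid : pw.gid
  Process.initgroups(user, gid)
  Process::GID.change_privilege(gid)
  Process::UID.change_privilege(pw.uid)
  left = inherited_gids(Process.groups, user, gid)
  raise "still in caller's groups: #{left.inspect}" unless left.empty?
end

# Constructed sample group database ([gid, members]), not from a real host.
SAMPLE_GROUPS = [
  [0,    ['root']],
  [4,    ['root', 'adm']],
  [33,   ['www']],
  [1001, ['www', 'deploy']]
].freeze

# Without initgroups: gid changed to 33, root's groups 0 and 4 still present.
puts "inherited: #{inherited_gids([0, 4, 33], 'www', 33, SAMPLE_GROUPS).inspect}"
```
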