On 6/12/07, Matthew McKnight <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I have mongrel service 0.3.2 running on Win2003 64-bit, special thanks to
> Luis for getting that running. You are a great asset!
>

Good to know it's working ;-)

> I am trying to figure out exactly what rights are needed by the account that
> is running the service. It works if I give it a domain account with local
> admin privileges, but it doesn't work if I give it a domain account without
> local admin. I was tracing things and it looked like it was checking for
> access to the system32 directory and the ntdll.dll file. I gave the account
> modify access to system32, but no dice. No errors in the mongrel_service.log
> or servicefb.log.
>

This is often called LUA Bug [1]

> My security guy is wanting me to trace through the code to see what it's
> touching, he's not going to let the service account run with local admin
> privileges for long.
>

I will suggest you take a look at the link I just passed as reference
([1]) and also perform some testing with psexec [2] with -l option
(privileges stripped mode).

Do "mongrel_rails start" in the new console window.

If everything worked, then perform the same with "mongrel_service" in
console mode, which will emulate running as service, perform the same
actions, and log everything in expected log files (please, clear them
first).

I guess I'm starting to repeat myself too often on this topic, so
something could be documented and added to DOCs (patches with this are
welcome ;-)

[3] and [4] are useful threads that contain information about tracking
down the problem.

> For reference, I can run the thing under srvany.exe without local admin
> rights, and it runs just fine. But that solution is unacceptable because it
> doesn't kill the processes, making me do my own imitation of mongrel service
> and write down the process ids of the processes as they start up, so I know
> which service goes with which process when I try to have an orderly
> shutdown. I only have about 8 mongrels running on the server, but it's an 8
> core beasty, so I am looking to add more once I get this straight.
>

mongrel_service isn't doing anything out of the usual, even getting
information about their "host" process is safer inside Local Service
account (not even admin).

I know the srvany pain. That's why I created mongrel_service. Orphaned
processes are like FastCGI ones, which don't seem quite right, even on
a Windows environment ;-)

Hope this information helps,

[1] http://blogs.msdn.com/aaron_margosis/archive/2006/02/06/525455.aspx
[2] http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
[3] http://rubyforge.org/pipermail/mongrel-users/2007-March/003364.html
[4] http://rubyforge.org/pipermail/mongrel-users/2007-February/003006.html

--
Luis Lavena
Multimedia systems
-
Leaders are made, they are not born. They are made by hard effort,
which is the price which all of us must pay to achieve any goal that
is worthwhile.
Vince Lombardi