Feature #6975
closed
Changing UID/GID when calling spawn/popen
Description
Hello,
If I am not wrong it seems that there is no way to properly drop all privileges when spawning a process with spawn/popen.
AFAIK, proper privilege dropping should be done after the fork() and before the exec() and there doesn't seem to be such functionality neither an hook like Python has.
Thanks,
Bye,
Updated by nobu (Nobuyoshi Nakada) over 11 years ago
- Description updated (diff)
- Category set to core
- Assignee set to akira (akira yamada)
Here is a patch
https://github.com/nobu/ruby/compare/uid-gid_exec_options
But I have no ideas how to test this feature.
Updated by akr (Akira Tanaka) over 11 years ago
- Assignee changed from akira (akira yamada) to akr (Akira Tanaka)
posix_spawn has an option to dropping privileges: POSIX_SPAWN_RESETIDS
I guess primitive setuid/setgid is too generic for this use case.
Updated by nobu (Nobuyoshi Nakada) over 11 years ago
- Status changed from Open to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r37124.
Daniele, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
process.c: uid gid exec options
- process.c (rb_execarg_addopt, rb_execarg_run_options): add :uid and
:gid options. [ruby-core:47414] [Feature #6975]
Updated by vihai (Daniele Orlandi) about 11 years ago
Thank you very much!
However it would useful and recommendable if spawn could also initialize additional groups, either directly via setgroups(2) or via initgroups(3)
Do you agree?
Should I create a new feature request?
Updated by kosaki (Motohiro KOSAKI) about 11 years ago
Should I create a new feature request?
Yes, please make another ticket.