Merge pull request #1290 from benoitc/fix/1287

initialize the group access list for a worker when initgroups is set
2026-01-14 11:09:11 +08:00 · 2016-06-03 10:20:49 +02:00 · 2016-06-03 10:20:49 +02:00 · 5cc3d104cf
commit 5cc3d104cf
parent 4d845f2ae4 cb84e6ed11
3 changed files with 39 additions and 3 deletions
--- a/gunicorn/config.py
+++ b/gunicorn/config.py
@ -987,6 +987,23 @@ class Umask(Setting):
        """


+class Initgroups(Setting):
+    name = "initgroups"
+    section = "Server Mechanics"
+    cli = ["--initgroups"]
+    validator = validate_bool
+    action = 'store_true'
+    default = False
+
+    desc = """\
+        If true, set the worker process's group access list with all of the
+        groups of which the specified username is a member, plus the specified
+        group id.
+
+        .. versionadded:: 19.7
+        """
+
+
 class TmpUploadDir(Setting):
    name = "tmp_upload_dir"
    section = "Server Mechanics"
--- a/gunicorn/util.py
+++ b/gunicorn/util.py
@ -54,6 +54,7 @@ hop_headers = set("""

 try:
    from setproctitle import setproctitle
+
    def _setproctitle(title):
        setproctitle("gunicorn: %s" % title)
 except ImportError:
@ -147,13 +148,30 @@ def load_class(uri, default="gunicorn.workers.sync.SyncWorker",
        return getattr(mod, klass)


-def set_owner_process(uid, gid):
+def get_username(uid):
+    """ get the username for a user id"""
+    return pwd.getpwuid(uid).pw_name
+
+
+def set_owner_process(uid, gid, initgroups=False):
    """ set user and group of workers processes """
+
    if gid:
+        if uid:
+            try:
+                username = get_username(uid)
+            except KeyError:
+                initgroups = False
+
        # versions of python < 2.6.2 don't manage unsigned int for
        # groups like on osx or fedora
        gid = abs(gid) & 0x7FFFFFFF
-        os.setgid(gid)
+
+        if initgroups:
+            os.initgroups(username, gid)
+        else:
+            os.setgid(gid)
+
    if uid:
        os.setuid(uid)

--- a/gunicorn/workers/base.py
+++ b/gunicorn/workers/base.py
@ -102,7 +102,8 @@ class Worker(object):
            for k, v in self.cfg.env.items():
                os.environ[k] = v

-        util.set_owner_process(self.cfg.uid, self.cfg.gid)
+        util.set_owner_process(self.cfg.uid, self.cfg.gid,
+                               initgroups=self.cfg.initgroups)

        # Reseed the random number generator
        util.seed()