jingrow/gunicorn
1
0
Fork 0
mirror of https://github.com/frappe/gunicorn.git synced 2026-01-14 11:09:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

initialize the group access list for a worker when initgroups is set

Browse Source 
Allows the possibility to initialise the group access list when needed to separate privileges

fix #1287
This commit is contained in:
benoitc 2016-05-31 18:26:41 +02:00
parent 4d845f2ae4
commit cb84e6ed11
3 changed files with 39 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
gunicorn/config.py
View File

@ -987,6 +987,23 @@ class Umask(Setting):
""" """
class Initgroups(Setting):
name = "initgroups"
section = "Server Mechanics"
cli = ["--initgroups"]
validator = validate_bool
action = 'store_true'
default = False
desc = """\
If true, set the worker process's group access list with all of the
groups of which the specified username is a member, plus the specified
group id.
.. versionadded:: 19.7
"""
class TmpUploadDir(Setting): class TmpUploadDir(Setting):
name = "tmp_upload_dir" name = "tmp_upload_dir"
section = "Server Mechanics" section = "Server Mechanics"

22
gunicorn/util.py
View File

@ -54,6 +54,7 @@ hop_headers = set("""
try: try:
from setproctitle import setproctitle from setproctitle import setproctitle
def _setproctitle(title): def _setproctitle(title):
setproctitle("gunicorn: %s" % title) setproctitle("gunicorn: %s" % title)
except ImportError: except ImportError:
@ -147,13 +148,30 @@ def load_class(uri, default="gunicorn.workers.sync.SyncWorker",
return getattr(mod, klass) return getattr(mod, klass)
def set_owner_process(uid, gid): def get_username(uid):
""" get the username for a user id"""
return pwd.getpwuid(uid).pw_name
def set_owner_process(uid, gid, initgroups=False):
""" set user and group of workers processes """ """ set user and group of workers processes """
if gid: if gid:
if uid:
try:
username = get_username(uid)
except KeyError:
initgroups = False
# versions of python < 2.6.2 don't manage unsigned int for # versions of python < 2.6.2 don't manage unsigned int for
# groups like on osx or fedora # groups like on osx or fedora
gid = abs(gid) & 0x7FFFFFFF gid = abs(gid) & 0x7FFFFFFF
os.setgid(gid)
if initgroups:
os.initgroups(username, gid)
else:
os.setgid(gid)
if uid: if uid:
os.setuid(uid) os.setuid(uid)

3
gunicorn/workers/base.py
View File

@ -102,7 +102,8 @@ class Worker(object):
for k, v in self.cfg.env.items(): for k, v in self.cfg.env.items():
os.environ[k] = v os.environ[k] = v
util.set_owner_process(self.cfg.uid, self.cfg.gid) util.set_owner_process(self.cfg.uid, self.cfg.gid,
initgroups=self.cfg.initgroups)
# Reseed the random number generator # Reseed the random number generator
util.seed() util.seed()