Updated docs for privilege separation (*nix only)

phlipper · Aug 12, 2009 · b2adc5d · b2adc5d
1 parent ea34f35
commit b2adc5d
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 8 deletions.
diff --git a/Configuration.txt b/Configuration.txt
@@ -78,3 +78,25 @@ Or the same in +config/environment.rb+
 
     # ...
   end
+
+=== Privilege Separation
+
+By default daemon processes run as the user that starts them, inheriting all
+their privileges (or lack thereof). Getting daemon-kit to drop privileges
+can currently only be done using command-line parameters, and only works
+reliable on *nix (OSX seemed cranky at the time of testing).
+
+  $ ./bin/daemon start --config user=nobody --config group=nobody
+
+Privileges are dropped at the earliest possible phase of starting the daemon.
+
+Things to note on privilege separation:
+
+* You generally have to be root to be able to perform this
+* File system permissions for +log/+ needs to be correct
+* Daemon-kit will only shed privileges on the +start+ command, not on +run+
+* Make sure your code is secure if accepting stuff from the outside world
+
+The implementation stems from the advice given by Joe Damato on his blog post
+http://timetobleed.com/tag/privilege-escalation/
+
diff --git a/History.txt b/History.txt
@@ -4,6 +4,7 @@
 * Allow process umask to be configured, defaults to 022
 * Updates to DaemonKit::Config hashes
 * Fixed argument parsing bug (reported by Mathijs Kwik (bluescreen303)
+* Support for privilege separation (See Configuration.txt)
 
 == 0.1.7.9 2009-06-22
 

diff --git a/lib/daemon_kit/application.rb b/lib/daemon_kit/application.rb
@@ -164,14 +164,6 @@ def redirect_io( simulate = false )
       end
 
       def drop_privileges
-        if DaemonKit.configuration.user
-          begin
-            user = Etc.getpwnam( DaemonKit.configuration.user )
-            Process::Sys.setuid( user.uid.to_i )
-          rescue => e
-            $stderr.puts "Caught exception while trying to drop user privileges: #{e.message}"
-          end
-        end
         if DaemonKit.configuration.group
           begin
             group = Etc.getgrnam( DaemonKit.configuration.group )
@@ -180,6 +172,14 @@ def drop_privileges
             $stderr.puts "Caught exception while trying to drop group privileges: #{e.message}"
           end
         end
+        if DaemonKit.configuration.user
+          begin
+            user = Etc.getpwnam( DaemonKit.configuration.user )
+            Process::Sys.setuid( user.uid.to_i )
+          rescue => e
+            $stderr.puts "Caught exception while trying to drop user privileges: #{e.message}"
+          end
+        end
       end
     end
 

diff --git a/lib/daemon_kit/initializer.rb b/lib/daemon_kit/initializer.rb
@@ -111,6 +111,14 @@ def after_daemonize
       set_process_name
 
       DaemonKit.logger.info( "DaemonKit (#{DaemonKit::VERSION}) booted, now running #{DaemonKit.configuration.daemon_name}" )
+
+      if DaemonKit.configuration.user || DaemonKit.configuration.group
+        euid = Process.euid
+	egid = Process.egid
+	uid = Process.uid
+	gid = Process.gid
+      	DaemonKit.logger.info( "DaemonKit dropped privileges to: #{euid} (EUID), #{egid} (EGID), #{uid} (UID), #{gid} (GID)"  )
+      end
     end
 
     def set_load_path