Hi!
I have an issue starting a Rails app on Astra Linux Special Edition (Debian-like).
This OS has custom security policies on top of standard Linux and uses a custom PARSEC subsystem to set security labels and categories on users, the filesystem, sockets, processes, etc.
I tried to implement the needed behavior in Passenger, but I am missing something in the architecture design.
Below is a sketchy example of a network service with Astra Linux security policy support. How can I implement this behavior in Passenger?
Which block of code should be in the agent's CoreMain, which in the Apache module or the Spawner?
Because of the complex structure and the multiple sockets used for internal working, should Linux/Parsec privileges be set on multiple (or all?) sockets?
My general purpose is to process each client request in a separate process with the security label of the client user, within the client-user context.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <linux/prctl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <parsec/mac.h>
#include <parsec/parsec_integration.h>
#include <parsec/parsec_mac.h>

int main(void)
{
    int sock = 0;
    int clnt_sock = 0;
    const char *user = NULL;   // client user name, determined elsewhere (not shown here)
    socklen_t addr_len;
    struct sockaddr_in serv_addr, clnt_addr;
    pid_t child;

    memset(&serv_addr, 0, sizeof(serv_addr));
    memset(&clnt_addr, 0, sizeof(clnt_addr));
    addr_len = sizeof(clnt_addr);
    serv_addr.sin_port = htons(7777);

    //
    // Here is setting and checking Linux and Parsec privileges for MAIN process using Parsec library
    //
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);

    // Create privileged socket
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        perror("socket");
        exit(EXIT_FAILURE);
    }
    // Bind privileged socket
    if (bind(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)))
    {
        perror("bind");
        exit(EXIT_FAILURE);
    }
    // Listening for client connection
    if (listen(sock, 5) < 0)
    {
        perror("listen");
        exit(EXIT_FAILURE);
    }
    // Accepting client connection on privileged socket (accept returns -1 on error, 0 is a valid descriptor)
    if ((clnt_sock = accept(sock, (struct sockaddr *)&clnt_addr, &addr_len)) < 0)
    {
        perror("accept");
        exit(EXIT_FAILURE);
    }
    // Creating child process for client request processing within client-user context
    child = fork();
    if (child < 0)
    {
        perror("fork");
        exit(EXIT_FAILURE);
    }
    if (!child)
    {
        // Process security label
        parsec_mac_label_t mac_label;
        // For gid/uid
        struct passwd *pwd = NULL;

        //
        // Here is setting and checking Linux and Parsec privileges for CHILD process using Parsec library
        //
        // Getting security label for current client process from privileged socket using Parsec library
        if (parsec_fstatmac(clnt_sock, &mac_label))
        {
            perror("parsec_fstatmac");
            _exit(EXIT_FAILURE);
        }
        // Setting security label for current client process from privileged socket using Parsec library
        if (parsec_setmac(0, &mac_label.mac) < 0)
        {
            perror("parsec_setmac");
            _exit(EXIT_FAILURE);
        }
        // Getting user's gid and uid
        pwd = getpwnam(user);
        if (!pwd)
        {
            fprintf(stderr, "getpwnam: unknown user\n");
            _exit(EXIT_FAILURE);
        }
        // Setting gid and uid for current client process (gid first: setgid needs the privileges setuid gives up)
        if (setgid(pwd->pw_gid))
        {
            perror("setgid");
            _exit(EXIT_FAILURE);
        }
        if (setuid(pwd->pw_uid))
        {
            perror("setuid");
            _exit(EXIT_FAILURE);
        }
        //
        // Here is request processing here
        //
        _exit(EXIT_SUCCESS);
    }
    // Parent: the accepted connection now belongs to the child
    close(clnt_sock);
    return 0;
}
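As an added example (not Passenger's code and not from the issue author), here is the privilege-drop step of the sketch above with the checks a reviewer would want before trusting it: supplementary groups are reset, the listening socket is closed in the forked child, and the drop is verified as irreversible rather than assumed from the return codes. The Parsec label calls are left out because they need the Astra-specific library; only the standard Linux part is shown, and `prepare_child`, `drop_privileges` and `privileges_match` are names chosen for this example.

```c
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when the real and effective uid/gid of the calling process equal
 * the target ids and, for a non-root target, root cannot be regained.
 * Returns -1 otherwise. */
int privileges_match(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    /* A correctly dropped process must not be able to climb back to root
     * (a leftover saved-set-uid of 0 would let this call succeed). */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Drop the calling process to the given account: supplementary groups first
 * (only root may change them), then the primary gid, then the uid, and
 * verify the result instead of trusting the return codes alone. */
int drop_privileges(const struct passwd *pwd)
{
    if (pwd == NULL)
        return -1;
    /* Without this, a root-started child keeps root's supplementary groups. */
    if (geteuid() == 0 && initgroups(pwd->pw_name, pwd->pw_gid) != 0)
        return -1;
    if (setgid(pwd->pw_gid) != 0)   /* gid before uid: setgid needs root */
        return -1;
    if (setuid(pwd->pw_uid) != 0)
        return -1;
    return privileges_match(pwd->pw_uid, pwd->pw_gid);
}

/* Run in the forked child of the sketch above: give up the listening socket so
 * a compromised request handler cannot accept further clients, then drop to
 * the client's account. listen_fd is the parent's listening socket. */
int prepare_child(int listen_fd, const struct passwd *pwd)
{
    if (close(listen_fd) != 0)
        return -1;
    return drop_privileges(pwd);
}
```

In the sketch, `prepare_child(sock, pwd)` would replace the bare `setgid`/`setuid` pair inside the `if (!child)` branch, after the Parsec label has been applied.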
I'm not familiar with Astra Linux's security mechanism so I'm afraid I cannot help you further other than giving you some pointers on how Passenger works.