Process does not drop root priveliges when user option set with string expression

[mikluko]

With the first config process starts with effective UID=0. With the second UID set as expected. Effective GID set as expected in both cases.

Using v3.0a8 packaged in Debian stable (squeeze).

[program:example]
user = %(program_name)s
group = %(program_name)s
command = /home/%(program_name)s/bin/django-admin.py run_gunicorn --settings=src.settings --log-level=info --workers=1 -b unix:/var/local/projects/%(program_name)s.sock
autostart = true
redirect_stderr = true
stdout_logfile = /var/log/supervisor/%(program_name)s.log

[program:example]
user = example
group = %(program_name)s
command = /home/%(program_name)s/bin/django-admin.py run_gunicorn --settings=src.settings --log-level=info --workers=1 -b unix:/var/local/projects/%(program_name)s.sock
autostart = true
redirect_stderr = true
stdout_logfile = /var/log/supervisor/%(program_name)s.log

[mnaberez]

String expansions are not global. The manual page for the config file lists which expansions are supported under each option. The user option does not support any string expansions.

[mikluko]

So, when you set user option to incorrect value process silently starts as root? Isn't it security flaw? I belive supervisor should display warning at least.

[mcdonc]

It does (in the log, anyway.. kinda hard to "display" something when it's typically running as a daemon).

[mnaberez]

So, when you set user option to incorrect value process silently starts as root?

Prior to 3.0b2, a warning (supervisor: error trying to setuid to...) would be written to the child's stderr log but the process would still be started. This message could be missed so we changed the behavior in 3.0b2.

There were two relevant changes in that release:

• 448b9e6 Show an error when parsing the config file if user does not exist
• c5934ce Do not spawn child process if setuid fails

Now, supervisord will refuse to start the process.