[hunchentoot-devel] setuid/setgid

Edi Weitz edi at agharta.de
Sat Nov 25 01:27:05 UTC 2006


On Fri, 24 Nov 2006 11:14:51 -0800, Jeffrey Cunningham <jeffrey at cunningham.net> wrote:

> On Fri Nov 24, 2006 at 06:41:07PM +0100, Edi Weitz wrote:
>> On Fri, 24 Nov 2006 08:36:33 -0800, Jeffrey Cunningham <jeffrey at cunningham.net> wrote:
>> 
>> > You say something in your comments about SETUID and SETGID on the
>> > process to something other than root, but I don't know how to do
>> > that other than write a little C-code. Is there another way? If I
>> > understand you correctly, the idea would be to launch the server
>> > as root, then change the UID and GID for the running process.
>> 
>>   http://weitz.de/hunchentoot/#start-server
>
> Yes, those were the comments I was referring to:
>
> "On Unix you can use setuid and setgid to change the UID and GID of
> the process directly after the server has been started. (You might
> want to do this if you're using a privileged port like 80.) setuid
> and setgid can be integers (the actual IDs) or strings (for the user
> and group name respectively)."
>
> Forgive me if this is obvious, but I don't understand. In order to
> start the server from lisp running as a regular user, I have to
> specify a port. If I specify :port 80, it fails with an error
> message that the port is privileged. So, I don't see how I could
> change setuid and setgid "after the server has been started". I see
> that in the UNIX package there are two functions: 'setuidexec and
> 'setgidexec. Would it work to call these *before* starting the
> server?

[Please use the mailing list.]

You start the Lisp image as root, load Hunchentoot, then call
START-SERVER with the corresponding setuid/setgid arguments.  That's
basically how Apache and other apps do it as well (or AllegroServe).

Cheers,
Edi.
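The sequence Edi describes (bind the privileged port as root, then hand the process to an unprivileged user and group, with the IDs given either numerically or by name) is shown below as an added C example; it is not code from this thread or from Hunchentoot, and the function names, the drop order and the irreversibility check are this example's own choices, not Hunchentoot's implementation.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 and fills *out when spec is a plain non-negative integer. */
static int parse_numeric(const char *spec, unsigned long *out)
{
    char *end;
    *out = strtoul(spec, &end, 10);
    return (*spec != '\0' && *end == '\0') ? 0 : -1;
}

/* Accept either a numeric UID or a user name, as the Hunchentoot docs allow. */
static int resolve_user(const char *spec, uid_t *uid)
{
    unsigned long n; struct passwd *pw;
    if (parse_numeric(spec, &n) == 0) { *uid = (uid_t)n; return 0; }
    if ((pw = getpwnam(spec)) == NULL) return -1;
    *uid = pw->pw_uid; return 0;
}

/* Same for the group: numeric GID or group name. */
static int resolve_group(const char *spec, gid_t *gid)
{
    unsigned long n; struct group *gr;
    if (parse_numeric(spec, &n) == 0) { *gid = (gid_t)n; return 0; }
    if ((gr = getgrnam(spec)) == NULL) return -1;
    *gid = gr->gr_gid; return 0;
}

/* Drop privileges in the safe order: supplementary groups, then primary
 * group, then user.  Calling setuid() first would leave the process unable
 * to change its group afterwards.  Returns 0 on success, -1 on any failure,
 * including a drop that could still be reversed. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* A real drop must make regaining root impossible. */
    if (uid != 0 && setuid(0) != -1) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}
```

In a server the call to drop_privileges() goes right after the listening socket has been bound to the privileged port, which is exactly the "directly after the server has been started" point the Hunchentoot documentation refers to.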