[hunchentoot-devel] setuid/setgid
Edi Weitz
edi at agharta.de
Sat Nov 25 01:27:05 UTC 2006
On Fri, 24 Nov 2006 11:14:51 -0800, Jeffrey Cunningham <jeffrey at cunningham.net> wrote:
> On Fri Nov 24, 2006 at 06:41:07PM +0100, Edi Weitz wrote:
>> On Fri, 24 Nov 2006 08:36:33 -0800, Jeffrey Cunningham <jeffrey at cunningham.net> wrote:
>>
>> > You say something in your comments about SETUID and SETGID on the
>> > process to something other than root, but I don't know how to do
>> > that other than write a little C-code. Is there another way? If I
>> > understand you correctly, the idea would be to launch the server
>> > as root, then change the UID and GID for the running process.
>>
>> http://weitz.de/hunchentoot/#start-server
>
> Yes, those were the comments I was referring to:
>
> "On Unix you can use setuid and setgid to change the UID and GID of
> the process directly after the server has been started. (You might
> want to do this if you're using a privileged port like 80.) setuid
> and setgid can be integers (the actual IDs) or strings (for the user
> and group name respectively)."
>
> Forgive me if this is obvious, but I don't understand. In order to
> start the server from lisp running as a regular user, I have to
> specify a port. If I specify :port 80, it fails with an error
> message that the port is privileged. So, I don't see how I could
> change setuid and setgid "after the server has been started". I see
> that in the UNIX package there are two functions: 'setuidexec and
> 'setgidexec. Would it work to call these *before* starting the
> server?
[Please use the mailing list.]
You start the Lisp image as root, load Hunchentoot, then call
START-SERVER with the corresponding setuid/setgid arguments. That's
basically how Apache and other apps do it as well (or AllegroServe).
Cheers,
Edi.
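The bind-as-root-then-drop sequence Edi describes, shown as an added Python example that is not part of this thread or of Hunchentoot; the "www-data" names, the port and the injectable `ops` parameter are assumptions for illustration. Like Hunchentoot's arguments, the user and group may be given as integers or as names.

```python
import os
import pwd
import grp
import socket

def resolve_ids(user, group):
    """An integer is taken as the ID itself, a string is looked up as a name
    (mirrors the integer-or-string convention of :setuid / :setgid)."""
    uid = user if isinstance(user, int) else pwd.getpwnam(user).pw_uid
    gid = group if isinstance(group, int) else grp.getgrnam(group).gr_gid
    return uid, gid

def drop_privileges(uid, gid, ops=os):
    """Permanently drop from root to uid/gid and verify the drop stuck.

    `ops` supplies the syscalls (the os module by default); it is a parameter
    only so the sequence can be exercised without running as root (assumption).
    Order matters: supplementary groups and gid first, because after setuid()
    the process no longer has the privilege to change its group identity.
    """
    if ops.getuid() != 0:
        raise RuntimeError("must be started as root to bind a privileged port")
    ops.setgroups([])   # shed root's supplementary groups, which setgid() leaves alone
    ops.setgid(gid)
    ops.setuid(uid)
    if ops.getuid() != uid or ops.getgid() != gid:
        raise RuntimeError("privilege drop did not take effect")
    # A plain setuid() leaves no saved root UID, so regaining 0 must fail;
    # if it succeeds the drop was only temporary (the seteuid pitfall).
    try:
        ops.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("process could regain root after the drop")

def serve_privileged_port(port, user, group):
    """Bind while still root, drop before any request is handled."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", port))  # ports below 1024 need root to bind
    sock.listen(5)
    uid, gid = resolve_ids(user, group)
    drop_privileges(uid, gid)
    return sock  # the already-bound socket remains usable after the drop

if __name__ == "__main__":
    serve_privileged_port(80, "www-data", "www-data")  # constructed example values
```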