[Rack] Baron Security

Michael C. Toren mct at toren.net
Tue Jan 22 20:01:01 UTC 2013


On Tue, Jan 22, 2013 at 11:40:13AM -0800, Jonathan Lassoff wrote:
> I think that user "baron" should have access to this by being in the
> "dialout" group.
> 
> `--> id baron
> uid=31516(baron) gid=100(users) groups=100(users),20(dialout),124(barons)
> 
> `--> ls -l /dev/ttyS5
> crw-rw---- 1 root dialout 4, 69 Jan 22 11:37 /dev/ttyS5

The baron process isn't in the dialout group, though.  upstart needs to
call setgroups() to add it to the supplementary groups before dropping root
privileges.  Unfortunately, it looks like upstart lacks that capability:

	https://bugs.launchpad.net/upstart/+bug/812870

(We could write a silly little C program to run as root that would call
setgid(), setgroups(), and setuid() before exec()ing baron, but I suspect
there's some standard-ish utility that does this already which we could
utilize.)

-mct
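
An added example, not part of the original message and not code from upstart or baron: a minimal C wrapper of the kind described above, which calls setgid(), setgroups() and setuid() in that order and then exec()s the given command. The names resolve_user and drop_privileges and the MAX_GROUPS limit of 64 are assumptions of this example.

```c
#define _DEFAULT_SOURCE          /* getgrouplist() and setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#define MAX_GROUPS 64            /* assumed upper bound for this example */

/* Look up uid, primary gid and supplementary groups for `name`.
 * Returns 0 on success, -1 if the user is unknown or has too many groups. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid,
                 gid_t *groups, int *ngroups)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid; *gid = pw->pw_gid;
    *ngroups = MAX_GROUPS;
    return getgrouplist(name, pw->pw_gid, groups, ngroups) < 0 ? -1 : 0;
}

/* Drop from root to `name`, keeping its supplementary groups (e.g. dialout).
 * Group changes must come first: after setuid() the process no longer
 * has the privilege to call setgid() or setgroups(). */
int drop_privileges(const char *name)
{
    uid_t uid; gid_t gid, groups[MAX_GROUPS]; int n;
    if (resolve_user(name, &uid, &gid, groups, &n) != 0)
        return -1;
    if (setgid(gid) != 0 || setgroups((size_t)n, groups) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3 || drop_privileges(argv[1]) != 0) {
        fprintf(stderr, "usage: %s user command [args...] (run as root)\n", argv[0]);
        return 1;
    }
    execvp(argv[2], &argv[2]);   /* replaces this process on success */
    perror("execvp");            /* only reached if exec failed */
    return 127;
}
```

Checking every return value matters here: if setgroups() or setuid() fails and the wrapper execs anyway, the command runs with root's credentials or without the intended groups.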

