diff --git a/src/pylorax/api/cmdline.py b/src/pylorax/api/cmdline.py
index 035701a0..c4f09a9f 100644
--- a/src/pylorax/api/cmdline.py
+++ b/src/pylorax/api/cmdline.py
@@ -22,6 +22,9 @@ import argparse
 from pylorax import vernum
+DEFAULT_USER = "root"
+DEFAULT_GROUP = "weldr"
+
 version = "{0}-{1}".format(os.path.basename(sys.argv[0]), vernum)
 def lorax_composer_parser():
@@ -32,9 +35,9 @@ def lorax_composer_parser():
 parser.add_argument("--socket", default="/run/weldr/api.socket", metavar="SOCKET",
 help="Path to the socket file to listen on")
- parser.add_argument("--user", default="weldr", metavar="USER",
+ parser.add_argument("--user", default=DEFAULT_USER, metavar="USER",
 help="User to use for reduced permissions")
- parser.add_argument("--group", default="weldr", metavar="GROUP",
+ parser.add_argument("--group", default=DEFAULT_GROUP, metavar="GROUP",
 help="Group to set ownership of the socket to")
 parser.add_argument("--log", dest="logfile", default="/var/log/lorax-composer/composer.log", metavar="LOG",
 help="Path to logfile (/var/log/lorax-composer/composer.log)")
diff --git a/src/sbin/lorax-composer b/src/sbin/lorax-composer
index 37496a0a..581c2282 100755
--- a/src/sbin/lorax-composer
+++ b/src/sbin/lorax-composer
@@ -244,7 +244,8 @@ if __name__ == '__main__':
 start_queue_monitor(server.config["COMPOSER_CFG"], uid, gid)
- # Drop root privileges on the main process
+ # Change user and group on the main process. Note that this still happens even if
+ # --user and --group were passed in, but changing to the same user should be fine.
 os.setgid(gid)
 os.setuid(uid)
 log.debug("user is now %s:%s", os.getresuid(), os.getresgid())
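Review bot: `DEFAULT_USER = "root"` changes the out-of-the-box account from `weldr` to uid 0, and nothing at the definition records that this is deliberate or why. A comment above the two constants would make the trade-off visible, for example `# Default user is root: the main process keeps full privileges unless --user names an unprivileged account`. The `--user` help string in the second hunk still reads "User to use for reduced permissions", which no longer describes the default; something like `help="User to run the API server as (default: root, no privilege reduction)"` would match the new behaviour. The body of `lorax_composer_parser` continues outside both hunks, so other options that depend on the user may exist there.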
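Review bot: The rewritten comment above `os.setgid(gid)` understates what the new default does: with `--user` defaulting to `root`, `os.setuid(uid)` changes nothing unless an operator passes an unprivileged account, so the main process presumably keeps uid 0 while it serves the API socket. The comment should say that directly, e.g. `# With the default --user (root) only the group changes; the process keeps uid 0`, and a `log.warning` when `uid == 0` would make the condition visible in the log rather than only at debug level. The hunk also shows no `os.setgroups([])` or `os.initgroups()` call before `os.setgid`; if none exists above the hunk, supplementary groups inherited from the starting account survive the switch when a non-root `--user` is given. The `__main__` block begins outside the hunk, so that may already be handled there.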