From 1a76c4816fecd5166ab024207622ac017d6fe9da Mon Sep 17 00:00:00 2001
From: Chris Lumens
Date: Wed, 1 Aug 2018 10:57:53 -0400
Subject: [PATCH] Run as root/weldr by default.
We need to be root to read the certificates that give access to the package repos. Right now, the alternative seems to be changing permissions on the certs themselves, which seems less good. We're running anaconda as root anyway.
(cherry picked from commit 022e9eba3e78d2ccb2bb1ea515e16932de5c201f)
---
src/pylorax/api/cmdline.py | 7 +++++--
src/sbin/lorax-composer | 3 ++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/pylorax/api/cmdline.py b/src/pylorax/api/cmdline.py
index 035701a0..c4f09a9f 100644
--- a/src/pylorax/api/cmdline.py
+++ b/src/pylorax/api/cmdline.py
@@ -22,6 +22,9 @@ import argparse
 from pylorax import vernum
+DEFAULT_USER = "root"
+DEFAULT_GROUP = "weldr"
+
 version = "{0}-{1}".format(os.path.basename(sys.argv[0]), vernum)
 def lorax_composer_parser():
@@ -32,9 +35,9 @@ def lorax_composer_parser():
 parser.add_argument("--socket", default="/run/weldr/api.socket", metavar="SOCKET",
 help="Path to the socket file to listen on")
- parser.add_argument("--user", default="weldr", metavar="USER",
+ parser.add_argument("--user", default=DEFAULT_USER, metavar="USER",
 help="User to use for reduced permissions")
- parser.add_argument("--group", default="weldr", metavar="GROUP",
+ parser.add_argument("--group", default=DEFAULT_GROUP, metavar="GROUP",
 help="Group to set ownership of the socket to")
 parser.add_argument("--log", dest="logfile", default="/var/log/lorax-composer/composer.log", metavar="LOG",
 help="Path to logfile (/var/log/lorax-composer/composer.log)")
diff --git a/src/sbin/lorax-composer b/src/sbin/lorax-composer
index 37496a0a..581c2282 100755
--- a/src/sbin/lorax-composer
+++ b/src/sbin/lorax-composer
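Review bot: The `--user` help text in the second cmdline.py hunk still reads `"User to use for reduced permissions"`, but with `DEFAULT_USER = "root"` the default no longer reduces anything, so an operator reading `--help` would assume a privilege drop that does not happen. I would change it to `help="User to run as (default: root, needed to read the repo certificates); pass an unprivileged user to reduce permissions"`, and add a comment above the constants in the first hunk, `# root is needed to read the certificates that give access to the package repos; access to the API is then gated only by the socket's group`. Because the service now handles socket requests as root by default, membership of the socket's group presumably amounts to root-level control of the composer, and that is worth recording where the defaults are defined. lorax_composer_parser() continues outside the hunk.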
@@ -244,7 +244,8 @@ if __name__ == '__main__':
 start_queue_monitor(server.config["COMPOSER_CFG"], uid, gid)
- # Drop root privileges on the main process
+ # Change user and group on the main process. Note that this still happens even if
+ # --user and --group were passed in, but changing to the same user should be fine.
 os.setgid(gid)
 os.setuid(uid)
 log.debug("user is now %s:%s", os.getresuid(), os.getresgid())
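Review bot: Nothing in this hunk resets the supplementary group list before `os.setgid(gid)` / `os.setuid(uid)`, so when a non-root `--user` is passed the process would keep the groups it inherited at start-up unless that is handled above the hunk. Adding `os.setgroups([])` (or `os.initgroups()` with the target account name and `gid`) ahead of `os.setgid(gid)` would close that gap. With the new defaults the process stays root, so I would also surface that above debug level, for example `if os.getuid() == 0: log.warning("running as root; no privileges were dropped")`. The `if __name__ == '__main__':` block starts and ends outside the hunk.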