Run as root/weldr by default.

We need to be root to read the certificates that give access to the
package repos.  Right now, the alternative seems to be changing
permissions on the certs themselves, which seems less good.  We're
running anaconda as root anyway.
Chris Lumens 2018-08-01 10:57:53 -04:00 committed by Brian C. Lane
parent 6612b3e0a8
commit dbc4d08de4
2 changed files with 7 additions and 3 deletions


@ -22,6 +22,9 @@ import argparse
from pylorax import vernum from pylorax import vernum
DEFAULT_USER = "root"
DEFAULT_GROUP = "weldr"
version = "{0}-{1}".format(os.path.basename(sys.argv[0]), vernum) version = "{0}-{1}".format(os.path.basename(sys.argv[0]), vernum)
def lorax_composer_parser(): def lorax_composer_parser():
@ -32,9 +35,9 @@ def lorax_composer_parser():
parser.add_argument("--socket", default="/run/weldr/api.socket", metavar="SOCKET", parser.add_argument("--socket", default="/run/weldr/api.socket", metavar="SOCKET",
help="Path to the socket file to listen on") help="Path to the socket file to listen on")
parser.add_argument("--user", default="weldr", metavar="USER", parser.add_argument("--user", default=DEFAULT_USER, metavar="USER",
help="User to use for reduced permissions") help="User to use for reduced permissions")
parser.add_argument("--group", default="weldr", metavar="GROUP", parser.add_argument("--group", default=DEFAULT_GROUP, metavar="GROUP",
help="Group to set ownership of the socket to") help="Group to set ownership of the socket to")
parser.add_argument("--log", dest="logfile", default="/var/log/lorax-composer/composer.log", metavar="LOG", parser.add_argument("--log", dest="logfile", default="/var/log/lorax-composer/composer.log", metavar="LOG",
help="Path to logfile (/var/log/lorax-composer/composer.log)") help="Path to logfile (/var/log/lorax-composer/composer.log)")
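Review bot: The `--user` help text still reads "User to use for reduced permissions", but the default is now `DEFAULT_USER = "root"`, so by default nothing is reduced and the text misleads operators. I would change it to `help="User to run as (default: root, needed to read the repo certificates)"`. The API socket stays owned by `DEFAULT_GROUP`, so members of that group now talk to a root process by default. A comment above the two constants should record that trade-off, e.g. `# root is required to read the repo certs; socket access is limited to the weldr group`.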


@ -234,7 +234,8 @@ if __name__ == '__main__':
start_queue_monitor(server.config["COMPOSER_CFG"], uid, gid) start_queue_monitor(server.config["COMPOSER_CFG"], uid, gid)
# Drop root privileges on the main process # Change user and group on the main process. Note that this still happens even if
# --user and --group were passed in, but changing to the same user should be fine.
os.setgid(gid) os.setgid(gid)
os.setuid(uid) os.setuid(uid)
log.debug("user is now %s:%s", os.getresuid(), os.getresgid()) log.debug("user is now %s:%s", os.getresuid(), os.getresgid())
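Review bot: The `os.setgid(gid)` / `os.setuid(uid)` pair does not visibly clear supplementary groups, so when `--user` names an unprivileged account the main process may keep the groups it started with as root. The `__main__` block starts outside this hunk; if it has no earlier `os.setgroups([])` or `os.initgroups(...)` call, add one before `os.setgid(gid)`. The new comment is also ambiguous. With the new defaults `setuid` leaves the process as root, so I would have it say that, e.g. `# With the default user (root) this only changes the group; privileges are dropped only when --user names another account.`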