Issue #6975 has been reported by vihai (Daniele Orlandi).

----------------------------------------
Feature #6975: Changing UID/GID when calling spawn/popen
https://bugs.ruby-lang.org/issues/6975

Author: vihai (Daniele Orlandi)
Status: Open
Priority: Normal
Assignee:
Category:
Target version:

Hello,

If I am not wrong it seems that there is no way to properly drop all privileges when spawning a process with spawn/popen.

AFAIK, proper privilege dropping should be done after the fork() and before the exec(), and there doesn't seem to be such functionality, nor a hook like Python has.

Thanks,
Bye,
on 2012-09-04 06:17
on 2012-09-04 09:40
Issue #6975 has been updated by nobu (Nobuyoshi Nakada).

Description updated
Category set to core
Assignee set to akira (akira yamada)

Here is a patch:
https://github.com/nobu/ruby/compare/uid-gid_exec_options

But I have no idea how to test this feature.

----------------------------------------
Feature #6975: Changing UID/GID when calling spawn/popen
https://bugs.ruby-lang.org/issues/6975#change-29169

Author: vihai (Daniele Orlandi)
Status: Open
Priority: Normal
Assignee: akira (akira yamada)
Category: core
Target version:
on 2012-09-04 10:03
Issue #6975 has been updated by akr (Akira Tanaka).

Assignee changed from akira (akira yamada) to akr (Akira Tanaka)

posix_spawn has an option for dropping privileges: POSIX_SPAWN_RESETIDS

I guess primitive setuid/setgid is too generic for this use case.

----------------------------------------
Feature #6975: Changing UID/GID when calling spawn/popen
https://bugs.ruby-lang.org/issues/6975#change-29170

Author: vihai (Daniele Orlandi)
Status: Open
Priority: Normal
Assignee: akr (Akira Tanaka)
Category: core
Target version:
on 2013-02-07 16:27
Issue #6975 has been updated by vihai (Daniele Orlandi).

Thank you very much!

However, it would be useful and recommendable if spawn could also initialize additional groups, either directly via setgroups(2) or via initgroups(3).

Do you agree? Should I create a new feature request?

----------------------------------------
Feature #6975: Changing UID/GID when calling spawn/popen
https://bugs.ruby-lang.org/issues/6975#change-35997

Author: vihai (Daniele Orlandi)
Status: Closed
Priority: Normal
Assignee: akr (Akira Tanaka)
Category: core
Target version:
on 2013-02-08 05:12
Issue #6975 has been updated by kosaki (Motohiro KOSAKI).

> Should I create a new feature request?

Yes, please make another ticket.

----------------------------------------
Feature #6975: Changing UID/GID when calling spawn/popen
https://bugs.ruby-lang.org/issues/6975#change-36034

Author: vihai (Daniele Orlandi)
Status: Closed
Priority: Normal
Assignee: akr (Akira Tanaka)
Category: core
Target version:
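
The sequence discussed in this thread (drop privileges after fork() and before exec(), including the supplementary groups raised in the follow-up), written out as an added Ruby example. It is not code from the thread, from the linked patch or from Ruby core; the helper names `drop_privileges!` and `run_as` and the `nobody` account are assumptions.

```ruby
require "etc"

# Illustrative helper, not Ruby core API: permanently switch this process to
# +user+. Supplementary groups and GID change first, while the process is
# still privileged; the UID goes last.
def drop_privileges!(user)
  pw = Etc.getpwnam(user)                 # ArgumentError if the account is unknown
  Process.initgroups(pw.name, pw.gid)     # initgroups(3): reset supplementary groups
  Process::GID.change_privilege(pw.gid)   # real, effective and saved GID
  Process::UID.change_privilege(pw.uid)   # real, effective and saved UID
  ids = [Process.uid, Process.euid, Process.gid, Process.egid]
  raise SecurityError, "IDs not switched" unless ids == [pw.uid, pw.uid, pw.gid, pw.gid]
  return if pw.uid.zero?
  regained = begin
    Process::UID.change_privilege(0)      # must fail once the drop is permanent
    true
  rescue SystemCallError
    false
  end
  raise SecurityError, "root can be regained" if regained
end

# Illustrative helper: run argv as +user+ and return [Process::Status, stdout].
# The drop happens in the child after fork and before exec.
def run_as(user, *argv)
  rd, wr = IO.pipe
  pid = fork do
    begin
      rd.close
      drop_privileges!(user)
      exec([argv[0], argv[0]], *argv.drop(1), out: wr)  # no shell involved
    rescue Exception
      exit!(127)  # fail closed: never run argv with the parent's identity
    end
  end
  wr.close
  out = rd.read
  rd.close
  _, status = Process.wait2(pid)
  [status, out]
end

if $PROGRAM_NAME == __FILE__
  status, out = run_as("nobody", "id", "-u")  # "nobody" is an assumed account
  puts status.success? ? "child uid: #{out.strip}" : "refused, exit #{status.exitstatus}"
end
```

The child rescues `Exception` rather than `StandardError` because `SecurityError` is not a `StandardError`; any failure in the drop ends the child with status 127 before the target command is executed.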