Temporarily dropping root access

Hi all,

Say I’ve got a C extension with two rake tasks - ‘build’ and
‘install’. For the build task, if currently being run as root, I would
like it to drop down to, say, the ‘nobody’ user. Obviously, I’m only
talking about Unix here.

I thought I could use Process::UID.switch, but I couldn’t make it work
right. Any ideas?

As to why, building as root can causing linkage problems [1]. This
question was originally brought up on the rubygems tracker, btw. [2]

Thanks,

Dan

[1] Just google for “root” + “linkage problems” if you want details
[2]
http://rubyforge.org/tracker/index.php?func=detail&aid=8820&group_id=126&atid=575

On Sat, 2 Feb 2008 04:23:02 +0900, Daniel B. [email protected]
wrote:

Hi all,

Say I’ve got a C extension with two rake tasks - ‘build’ and
‘install’. For the build task, if currently being run as root, I would
like it to drop down to, say, the ‘nobody’ user. Obviously, I’m only
talking about Unix here.

Generally speaking, you should be able to use setreuid to set the
effective UID to ‘nobody’ while keeping the real UID as root.

(Actually ‘nobody’ may not be a good choice depending on the Unix
flavor; I believe it is something of a special case on HP-UX for
example)

-mental

On Feb 1, 1:05 pm, MenTaLguY [email protected] wrote:

(Actually ‘nobody’ may not be a good choice depending on the Unix
flavor; I believe it is something of a special case on HP-UX for
example)

Oh, and just curious, is there ever a time when you would want to
build as root?

Thanks,

Dan

On Feb 1, 1:05 pm, MenTaLguY [email protected] wrote:

(Actually ‘nobody’ may not be a good choice depending on the Unix
flavor; I believe it is something of a special case on HP-UX for
example)

What would you recommend instead then as the best cross-platform
solution?

Thanks,

Dan

On Sun, 2008-02-03 at 00:37 +0900, John J. wrote:

[…snip…]

Sure!
Many installers run as root, so often building with make would
require sudo,
same can be for rake.
Anytime something needs to write to a directory not owned by the user.

Building as root != installing as root. The build process should
always be able to run as any user, though installation may have to run
with elevated privileges depending on permissions on the target file
system.

Felix

On Feb 1, 2008, at 3:12 PM, Daniel B. wrote:

like it to drop down to, say, the ‘nobody’ user. Obviously, I’m only
build as root?

Thanks,

Dan

Sure!
Many installers run as root, so often building with make would
require sudo,
same can be for rake.
Anytime something needs to write to a directory not owned by the user.

John J. wrote:

same can be for rake.

things with make or rake. If not, then your system has been changed in a
lot of ways.

John, I think you misunderstand. I’m only talking about the build
process, not installation, i.e. the difference between “make” and “make
install”.

Typically, I create two separate Rake tasks, build and install. It would
only be the build task where I would temporarily drop root, then restore
it before it reaches the install task.

Regards,

Dan

On Fri, 01 Feb 2008 16:12:18 -0500, Daniel B. wrote:

Generally speaking, you should be able to use setreuid to set the
effective UID to ‘nobody’ while keeping the real UID as root.

(Actually ‘nobody’ may not be a good choice depending on the Unix
flavor; I believe it is something of a special case on HP-UX for
example)

Oh, and just curious, is there ever a time when you would want to
build as root?

You most likely would not, but you are forced to when installing a
rubygem that built a native module. Another common example of when
people
build occurs frequently when they have to build Linux kernel modules.
For
example, I believe Debian’s module-assistant tool builds modules as
root,
and the ATI driver’s (fglrx) installer does, and I believe that when you
use a pbuilder chroot (an environment that mimics the Debian build
daemons), you’re building as root.

On Feb 2, 2008, at 9:51 AM, fw wrote:

Building as root != installing as root. The build process should
always be able to run as any user, though installation may have to run
with elevated privileges depending on permissions on the target file
system.

Felix

Well, sometimes installers do build something!
But as far as running as root it definitely depends on where the
build takes place and what it needs to do.
It most definitely cannot run as any user on every system.
If it needs to write to a directory without write access for the uid
then you need to run as another user with more privileges.
Normally, you would expect a good make/rake build process to do
everything in a directory already owned under current uid, but that’s
just not always the case.
On OS X for example, you normally do need to run sudo for building
things with make or rake. If not, then your system has been changed
in a lot of ways.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs