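def drop_privileges(new_user='nobody', new_group='nogroup'):
    """Drop root privileges to ``new_user``/``new_group``. UNIX only.

    When the process was not started as root this only logs and returns.
    Otherwise it clears the supplementary group list, switches the group
    id, switches the user id, and finally sets the umask to 077.

    Args:
        new_user: Name of the account to switch to.
        new_group: Name of the group to switch to.

    Raises:
        KeyError: If ``new_user`` or ``new_group`` does not exist. Both
            names are resolved before any id is changed, so the process
            is never left half-switched by a bad name.

    An ``OSError`` from ``setgroups``/``setgid``/``setuid`` is logged to
    the "PRIV" context and not raised, as in the original code.
    """
    # Special thanks to Gavin Baker: http://antonym.org/node/100.

    import grp
    import pwd

    def names():
        # Current real user and group, as names, for the log lines.
        return (pwd.getpwuid(os.getuid()).pw_name,
                grp.getgrgid(os.getgid()).gr_name)

    name, group = names()
    cherrypy.log('Started as %r/%r' % (name, group), "PRIV")

    if os.getuid() != 0:
        # Only root can change ids, so there is nothing to drop.
        cherrypy.log("Already running as %r" % name, "PRIV")
        return

    # Resolve both targets up front: an unknown name raises KeyError here,
    # before any id has been touched.
    target_gid = grp.getgrnam(new_group).gr_gid
    target_uid = pwd.getpwnam(new_user).pw_uid

    # Order matters: the group list and gid can only be changed while the
    # process is still root, so the uid goes last.
    try:
        # Without this the process keeps root's supplementary groups (and
        # the file access they grant) after the uid/gid switch.
        os.setgroups([])
    except OSError as e:
        cherrypy.log('Could not clear supplementary groups: %r' % e, "PRIV")

    try:
        os.setgid(target_gid)
    except OSError as e:
        cherrypy.log('Could not set effective group id: %r' % e, "PRIV")

    try:
        os.setuid(target_uid)
    except OSError as e:
        cherrypy.log('Could not set effective user id: %r' % e, "PRIV")

    # Ensure a very conservative umask: new files are owner-only.
    old_umask = os.umask(0o077)
    cherrypy.log('Old umask: %o, new umask: 077' % old_umask, "PRIV")
    cherrypy.log('Running as %r/%r' % names(), "PRIV")

    # Verify the result instead of trusting the calls above.
    # NOTE(review): failures are still logged rather than raised, so a
    # caller that needs a hard guarantee should treat this message (or
    # os.getuid() == 0 after the call) as fatal and stop the server.
    if os.getuid() == 0 or os.geteuid() == 0:
        cherrypy.log('Privilege drop failed: still running with uid 0',
                     "PRIV")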