From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS40173 67.222.241.0/24 X-Spam-Status: No, score=-3.7 required=3.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW shortcircuit=no autolearn=ham autolearn_force=no version=3.4.1 Received: from smtp-out-1.mxes.net (smtp-out-1.mxes.net [67.222.241.250]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 461DA1F404 for ; Thu, 13 Sep 2018 19:24:53 +0000 (UTC) Received: from Customer-MUA (mua.mxes.net [10.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 0ABAA27506 for ; Thu, 13 Sep 2018 15:24:51 -0400 (EDT) Received: from jeremyevans.local (battleground.jeremyevans.local [10.187.8.1]) by battleground.jeremyevans.local (OpenSMTPD) with ESMTPS id 38900d7f (TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256:NO) for ; Thu, 13 Sep 2018 12:24:50 -0700 (PDT) Date: Thu, 13 Sep 2018 12:24:49 -0700 From: Jeremy Evans To: unicorn-public@bogomips.org Subject: Make Worker#user support different process primary group and log file group Message-ID: <20180913192449.GE48926@jeremyevans.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) X-Sent-To: X-Sender: jeremyevans.net List-Id: This patch allows Worker#user to accept the group argument as an array of two strings, the first string being the process primary group, and the second string being the group that owns the log files. This can help when you have a large number of applications that use unique primary groups, and want to have a user with the ability to read the log files for any of the applications, especially if you are on an operating system that only supports a small number of groups per user. Thanks, Jeremy >From 780bd79d2f1fd40e7daae969ff482c3fd9d58ad7 Mon Sep 17 00:00:00 2001 From: Jeremy Evans Date: Thu, 13 Sep 2018 11:16:38 -0700 Subject: [PATCH] Make Worker#user support different process primary group and log file group Previously, Unicorn always used the process's primary group as the the group of the log file. However, there are reasons to use a separate group for the log files, such as when you have many applications where each application uses it's own user and primary group, but you want to be able to have a user read the log files for all applications. Some operating systems have a fairly small limit on the number of groups per user, and it may not be feasible to have a user be in the primary group for all applications. a primary group --- lib/unicorn/worker.rb | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/lib/unicorn/worker.rb b/lib/unicorn/worker.rb index 68de17e..5ddf379 100644 --- a/lib/unicorn/worker.rb +++ b/lib/unicorn/worker.rb @@ -122,6 +122,11 @@ def close # :nodoc: # the +after_fork+ hook after any privileged functions need to be # run (e.g. to set per-worker CPU affinity, niceness, etc) # + # +group+ can be specified as a string, or as an array of two + # strings. If an array of two strings is given, the first string + # is used as the primary group of the process, and the second is + # used as the group of the log files. + # # Any and all errors raised within this method will be propagated # directly back to the caller (usually the +after_fork+ hook. # These errors commonly include ArgumentError for specifying an @@ -134,8 +139,17 @@ def user(user, group = nil, chroot = false) # insufficient because modern systems have fine-grained # capabilities. Let the caller handle any and all errors. uid = Etc.getpwnam(user).uid - gid = Etc.getgrnam(group).gid if group - Unicorn::Util.chown_logs(uid, gid) + + if group + if group.is_a?(Array) + group, log_group = group + log_gid = Etc.getgrnam(log_group).gid + end + gid = Etc.getgrnam(group).gid + log_gid ||= gid + end + + Unicorn::Util.chown_logs(uid, log_gid) if gid && Process.egid != gid Process.initgroups(user, gid) Process::GID.change_privilege(gid) -- 2.17.1