From 96c29ee3c7bee26237aaa0e76517aaaf6bb8bfa9 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Mon, 13 Apr 2009 12:01:48 -0700
Subject: Configurator: add example for user/group switching

I don't advocate running Unicorn on unprivileged ports anyways since Unicorn should never be exposed directly to public clients.
---
lib/unicorn/configurator.rb | 14 ++++++++++++++
1 file changed, 14 insertions(+)

diff --git a/lib/unicorn/configurator.rb b/lib/unicorn/configurator.rb
index 548c239..b27121e 100644
--- a/lib/unicorn/configurator.rb
+++ b/lib/unicorn/configurator.rb
@@ -104,6 +104,20 @@ module Unicorn
 # # per-worker ports can be taken, necessitating another
 # # HUP after QUIT-ing the original master:
 # server.listen("127.0.0.1:#{9293 + worker.nr}") rescue nil
+ #
+ # # drop permissions to "www-data" in the worker
+ # # generally there's no reason to start Unicorn as a priviledged user
+ # # as it is not recommended to expose Unicorn to public clients.
+ # uid, gid = Process.euid, Process.egid
+ # user, group = 'www-data', 'www-data'
+ # target_uid = Etc.getpwnam(user).uid
+ # target_gid = Etc.getgrnam(group).gid
+ # worker.tempfile.chown(target_uid, target_gid)
+ # if uid != target_uid || gid != target_gid
+ # Process.initgroups(user, target_gid)
+ # Process::GID.change_privilege(target_gid)
+ # Process::UID.change_privilege(target_uid)
+ # end
 # end
 def after_fork(*args, &block)
 set_hook(:after_fork, block_given? ? block : args[0])
-- 
cgit v1.2.3-24-ge0c7
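Review bot: The added example calls `Etc.getpwnam`/`Etc.getgrnam` but never shows `require 'etc'`, so a user pasting it into a config file that has not loaded that extension will get a NameError before any privilege drop happens; a `# require 'etc'` line at the top of the example would make it self-contained. The ordering of the drop itself is the right one (`initgroups`, then `Process::GID.change_privilege`, then `Process::UID.change_privilege`, with the tempfile chown done while still privileged), and that is worth saying explicitly, e.g. `# # order matters: supplementary groups and GID must be dropped before the UID,` `# # and change_privilege also sets the saved IDs so the drop cannot be undone`. The comment text also misspells "privileged" as "priviledged". The enclosing `after_fork` method body continues outside the hunk.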