Icegrid server activation - session user permissions

Hi,

Some of our servers are session activated (icegrid / glacier2). The server process spawns on request and runs as the session user.

For some reason, the server process does not know to which groups this user belongs.

When I execute the Linux system command "groups" from within this server, it shows the group of the user itself, and also "root", but not the groups to which the user actually belongs.
The session user id and effective user id of this server's process are correct, though (getuid and geteuid).

I'd like to use the linux group permissions of the session user running the server, but currently this is not working as I expected.

Maybe I missed some setting in icegrid? Please advise...

Thank you very much,

Wout

Comments

  • benoit (Rennes, France)
    Hi,

    Which Ice version are you using? If you set IceGrid.Node.Trace.Activator=2 in the node configuration file, it will trace the UID and GID used to spawn the server. The IceGrid node uses the GID returned by the getpwnam system call.

    Cheers,
    Benoit.
  • This is running on an older version of Ice (3.3.1), we're currently setting up an environment to test this with Ice 3.4.2

    With IceGrid.Node.Trace.Activator=2, I can verify that the uid/gid of the server is correct.

    The problem is, the user belongs to multiple groups to provide additional permissions.

    Consider a file, only writeable by the owner, and by members of group "admins".
    The user who will be running the server process belongs to the group "admins", but is not the owner of the file.

    * When I start the server from a terminal, logged in as that user, the permissions are correct for the user and "all" the groups to which the user belongs, so it can write to the file.

    * When the server is spawned by the icegrid node as the session user, the server process only knows about the user's default group, and the process cannot write to the file.

    In both cases, they have the same uid/gid.

    Thanks again for your help...
  • benoit (Rennes, France)
    Hi,

    I'm afraid this is currently a limitation of the IceGrid node: it doesn't set up the supplementary groups after forking the process, so only the primary group is used for checking permissions on files. I'll add improving this to our TODO list. In the meantime, you might be able to work around the issue by using ACLs if ACLs are available on your Linux system. If you would like us to provide you with a fix rather than waiting for this to be included in an upcoming release, please contact us at info@zeroc.com.

    Cheers,
    Benoit.
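
Added example, not part of the thread and not IceGrid code: the supplementary-group step described in the last reply, shown as the usual Linux order for dropping to a user in a forked child (initgroups, then setgid, then setuid), plus a check that compares a process's groups with the user database. The names `missing_groups`, `drop_to_user`, `audit_self` and `MAXG` are hypothetical, and Linux with glibc is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* glibc: expose initgroups() and getgrouplist() */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#define MAXG 256 /* assumed upper bound on groups per user for this example */

/* Number of gids in want[] that are absent from have[]. */
int missing_groups(const gid_t *want, int nwant, const gid_t *have, int nhave)
{
    int missing = 0;
    for (int i = 0; i < nwant; i++) {
        int found = 0;
        for (int j = 0; j < nhave && !found; j++)
            found = (want[i] == have[j]);
        missing += !found;
    }
    return missing;
}

/* Run in the forked child while still privileged, before exec. Groups go
 * first: after setuid() the process may no longer change its group list. */
int drop_to_user(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1; /* supplementary groups */
    if (setgid(pw->pw_gid) != 0) return -1;                  /* primary group */
    if (setuid(pw->pw_uid) != 0) return -1;                  /* user id, last */
    return 0;
}

/* Groups the user database grants the effective user but this process
 * lacks, or -1 on lookup failure. Non-zero matches the thread's symptom. */
int audit_self(void)
{
    gid_t want[MAXG], have[MAXG + 1];
    int nwant = MAXG, nhave;
    struct passwd *pw = getpwuid(geteuid());
    if (!pw || getgrouplist(pw->pw_name, pw->pw_gid, want, &nwant) < 0) return -1;
    if ((nhave = getgroups(MAXG, have)) < 0) return -1;
    have[nhave++] = getegid(); /* getgroups() may omit the effective gid */
    return missing_groups(want, nwant, have, nhave);
}

int main(void)
{
    printf("supplementary groups missing: %d\n", audit_self());
    return 0;
}
```

A child that skips `initgroups()` keeps the supplementary group list it inherited from its parent across fork, since `setgid()` and `setuid()` do not touch that list.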