On Mon, 28 Apr 2008 09:38:00 -0300, Miguel Filho email@example.com wrote:
[snip] application = service.Application('apolicy', uid=user, gid=user) serviceCollection = service.IServiceCollection(application)
address, port = config.get("main", "listen").split(":")
internet.TCPServer(int(port), ACLPolicyDaemonFactory(), interface=address).setServiceParent(serviceCollection) ===============================
I'm using twistd to start my daemon, the process starts normally and the owner is the user nobody.
# ps uaxf | grep nobody nobody 29052 0.1 0.6 13140 6440 ? S 09:11 0:01 /usr/bin/python /usr/bin/twistd -y /usr/lib/python2.4/site-packages/apolicy/server.py -q --logfile /var/log/twistd.log --pidfile=/var/run/twistd.pid
My class ACLPolicyDaemonFactory() tries to write a file to test if the path given to my application is writable and has no problems, but the file is created as root. What is the point where the process is already running as nobody?
Privileges aren't shed immediately when Application is created. They're shed after privilegedStartService and before startService. You should delay any potentially sensitive operations until startService (ie, don't do them in ACLPolicyDaemonFactory.__init__ which is when I assume you meant you were opening that file).