[Twisted-Python] Log file ownership
Hi, I am running an app as root on Linux using a .tac file and twistd. The application object is initialized with a certain gid and uid. Logging is configured to rotate daily by way of DailyLogFile. However, the log file it creates is owned by root with 600 file permission and log rotation is failing. I have read about acl to configure default file permissions but is there a way to solve this only in Twisted? --Enrique
On 06/06/2012 08:46 PM, Enrique Samson Jr, wrote:
Hi,
I am running an app as root on Linux using a .tac file and twistd. The application object is initialized with a certain gid and uid. Logging is configured to rotate daily by way of DailyLogFile. However, the log file it creates is owned by root with 600 file permission and log rotation is failing. I have read about acl to configure default file permissions but is there a way to solve this only in Twisted?
Perhaps someone else can comment on what might be a bug, but one thing to do is to run your program directly as the uid and gid you want (rather than root). Since presumably the goal is to bind to a port <1024, you can do that instead using authbind (http://manpages.ubuntu.com/manpages/hardy/man1/authbind.1.html).
On 6/7/12 10:27 AM, Itamar Turner-Trauring wrote:
On 06/06/2012 08:46 PM, Enrique Samson Jr, wrote:
Hi,
I am running an app as root on Linux using a .tac file and twistd. The application object is initialized with a certain gid and uid. Logging is configured to rotate daily by way of DailyLogFile. However, the log file it creates is owned by root with 600 file permission and log rotation is failing. I have read about acl to configure default file permissions but is there a way to solve this only in Twisted?
Perhaps someone else can comment on what might be a bug, but one thing to do is to run your program directly as the uid and gid you want (rather than root). Since presumably the goal is to bind to a port <1024, you can do that instead using authbind (http://manpages.ubuntu.com/manpages/hardy/man1/authbind.1.html).
I need to execute ulimit to increase max open files (20K), reason why I'm running this as root.
Just some comments ..
==
For binding ports <1024, there is at least one more option:
Since Linux kernel 2.6.24, the kernel supports associating capability sets with an executable file using setcap(8).
setcap 'cap_net_bind_service=+ep'
On 7 Jun, 12:46 am, enriquejr@gmail.com wrote:
Hi,
I am running an app as root on Linux using a .tac file and twistd. The application object is initialized with a certain gid and uid. Logging is configured to rotate daily by way of DailyLogFile. However, the log file it creates is owned by root with 600 file permission and log rotation is failing. I have read about acl to configure default file permissions but is there a way to solve this only in Twisted?
Log rotation - ie, renaming a file - isn't affected by the permissions of the log file. The permissions of the *directory containing the log file* control whether it can be renamed (and a new one created) or not. So it doesn't matter what permissions the log file has. It only matters what permissions you set on the directory holding the log file. That's outside of the control of twistd. Jean-Paul
On Jun 8, 2012, at 5:57 AM, exarkun@twistedmatrix.com wrote:
On 7 Jun, 12:46 am, enriquejr@gmail.com wrote:
Hi,
I am running an app as root on Linux using a .tac file and twistd. The application object is initialized with a certain gid and uid. Logging is configured to rotate daily by way of DailyLogFile. However, the log file it creates is owned by root with 600 file permission and log rotation is failing. I have read about acl to configure default file permissions but is there a way to solve this only in Twisted?
Log rotation - ie, renaming a file - isn't affected by the permissions of the log file. The permissions of the *directory containing the log file* control whether it can be renamed (and a new one created) or not.
So it doesn't matter what permissions the log file has. It only matters what permissions you set on the directory holding the log file. That's outside of the control of twistd.
Perhaps twistd could emit a warning at startup though, and decline to rotate the log if it's impossible rather than logging an ugly traceback?
Log rotation - ie, renaming a file - isn't affected by the permissions of the log file. The permissions of the *directory containing the log file* control whether it can be renamed (and a new one created) or not.
So it doesn't matter what permissions the log file has. It only matters what permissions you set on the directory holding the log file. That's outside of the control of twistd.
http://twistedmatrix.com/trac/browser/tags/releases/twisted-12.0.0/twisted/python/logfile.py#L286

    def rotate(self):
        if not (os.access(self.directory, os.W_OK) and os.access(self.path, os.W_OK)):
            return

it seems to also need write access to log file.

bye, flavio
Jean-Paul
On Jun 11, 2012, at 12:21 AM, Flavio Grossi wrote:
writes: Log rotation - ie, renaming a file - isn't affected by the permissions of the log file. The permissions of the *directory containing the log file* control whether it can be renamed (and a new one created) or not.
So it doesn't matter what permissions the log file has. It only matters what permissions you set on the directory holding the log file. That's outside of the control of twistd.
http://twistedmatrix.com/trac/browser/tags/releases/twisted-12.0.0/twisted/python/logfile.py#L286

    def rotate(self):
        if not (os.access(self.directory, os.W_OK) and os.access(self.path, os.W_OK)):
            return
it seems to also need write access to log file.
It's a pity that this code wasn't commented. I can't find a platform where moving the file needs write access. File a bug? (Just another example of why LBYL is an antipattern...) -glyph
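Added example, not part of the thread and not Twisted code: a pre-flight check, run before privileges are dropped, that reads the mode bits to tell whether a target uid could rename the log (directory permissions, including the sticky bit) and whether the rotate() condition quoted above would also pass (it additionally wants write access to the file). The names rotation_preflight, service_uid and twistd.log are hypothetical, and ACLs and capabilities are ignored.

```python
import os
import stat
import tempfile


def _allowed(st, uid, gids, want):
    """Classic Unix mode-bit check; `want` is an rwx mask such as 0o2 (write).
    uid 0 is treated as always allowed; ACLs and capabilities are ignored."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner class
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group class
    else:
        bits = st.st_mode           # other class
    return (bits & want) == want


def rotation_preflight(log_path, uid, gids):
    """Report whether uid/gids could rotate log_path once privileges are dropped."""
    directory = os.path.dirname(os.path.abspath(log_path))
    d, f = os.stat(directory), os.stat(log_path)
    dir_ok = _allowed(d, uid, gids, 0o3)  # write + search on the directory
    # In a sticky directory only the file's or directory's owner may rename.
    if d.st_mode & stat.S_ISVTX and uid not in (0, f.st_uid, d.st_uid):
        dir_ok = False
    file_ok = _allowed(f, uid, gids, 0o2)
    return {
        "kernel_allows_rename": dir_ok,
        # the rotate() condition quoted in the thread also wants W_OK on the file
        "quoted_rotate_check_passes": dir_ok and file_ok,
    }


def demo():
    """Constructed scenario: 0600 log created by the starting user in a 0777 dir."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o777)
        log = os.path.join(tmp, "twistd.log")
        open(log, "w").close()
        os.chmod(log, 0o600)
        owner = os.stat(log).st_uid
        service_uid = owner + 1  # hypothetical uid the service drops to
        return (rotation_preflight(log, service_uid, set()),
                rotation_preflight(log, owner, set()))
```

For the dropped-privilege uid the rename itself is permitted by the directory, yet the quoted check fails on the 0600 file, so rotation is skipped.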
You can also bind to privileged ports now using listeners like systemd (and, presumably xinetd). -- David Strauss | david@davidstrauss.net
On Jun 26, 2012, at 6:49 PM, David Strauss
You can also bind to privileged ports now using listeners like systemd (and, presumably xinetd).
xinetd has some mechanism to pass the listening socket, but I don't think Twisted supports it yet. I believe the string endpoint description for systemd is somewhat specific to systemd's idiom for communicating about the socket involved; when we add launchd support, launchd is kinda specific too; see http://tm.tl/5576. Any xinetd users want to do one for that daemon? -glyph
participants (7)
- David Strauss
- Enrique Samson Jr,
- exarkun@twistedmatrix.com
- Flavio Grossi
- Glyph
- Itamar Turner-Trauring
- Tobias Oberstein