On 20 Dec 2004 17:23:18 -0600, Garrett Rolfs wrote:

I fear I'm missing something basic and overlooked something already documented. Hopefully someone will set me straight. I'm attempting to play with MoinMoin using twisted as the webserver. I'm running on linux using python 2.3.4 and twisted 1.3.0 as a nonroot user. When I attempt to start MoinMoin, I see the following in the log: [snip]

Your logged in shell is running with more permissions than your system is configured to allow you to have. Perhaps someone recently edited your /etc/groups file or something similar. Logging all the way out and back in should give you an environment in which twistd will start up for you. If you ran across this without passing uid= or gid= to Application(), this is probably a twistd bug. If you didn't, it's just an undesirable deployment complication with bad error reporting. Both should be fixed, of course :) Jp

Eugene Coetzee writes:

Jp Calderone wrote:

...

Your logged in shell is running with more permissions than your system is configured to allow you to have. Perhaps someone recently edited your /etc/groups file or something similar. Logging all the way out and back in should give you an environment in which twistd will start up for you.

Thank you for the clue. Indeed that appears to be the problem. I looked at my /etc/passwd entry and I am in my own "personal" group. My site has linux clients that authenticate against AFS. Every user has their own group to minimize the exposure allowing unanticipated access to local (non-AFS) directories and files. Anyway, back to the main topic... I executed the id command and noticed I am in groups not listed in /etc/passwd. Also, I shouldn't be in these groups because they are "personal" groups for other users. Hence, I have sent an email to our internal support org.

Don't know if it is a bug - or something todo with shell privileges. I have seen the same thing migrating recently from Slackware 9.1 to Slackware 10.0.

Since I'm using the same version of Twisted and Python on both versions of Slack (9.1 and 10.0) - logic seems to point in the direction of the distro or some GNU library related issue.

The id command may shed some light to what is different, at least it did for me. Thanks for the feedback. -Garrett Rolfs

On Jan 28, 2005, at 9:26 AM, Chris Hanson wrote:

I'd like to get this fixed, either by some kind of patch, or by a workaround. Does anyone on the list have any ideas about this?

The right fix is to never try to change or verify the groups list when not instructed to change userids. Currently twistd defaults its uid/gid arguments to the current user's UID/GID, and attempts to setuid/setgid/initialize groups appropriately, which is silly. See also http://twistedmatrix.com/bugs/issue600. A quick fix is to comment out twisted/scripts/twistd.py:160: shedPrivileges(config['euid'], process.uid, process.gid) which is useless when not running as root. James

Itamar Shtull-Trauring writes:

On Fri, 2005-01-28 at 11:04 -0500, James Y Knight wrote:

...

A quick fix is to comment out twisted/scripts/twistd.py:160: shedPrivileges(config['euid'], process.uid, process.gid) which is useless when not running as root.

Can we get in a long term fix for 2.0?

That would be great. It turns out my problem is/was the same as the folks at MIT. My linux box is an AFS client. A person in my department that is our resident AFS expert informed me that AFS uses the first 2 group slots to store the AFS PAG (Process Authentication Group) identifier for the user. This is for 2.4 and older kernels. I don't know if it is the same for 2.6 kernels. I know the OpenAFS folks are in the process of redoing PAGs because of 2.6 kernel changes. For now. Commenting out the the call to shedPrivileges works for me. -Garrett Rolfs