[Twisted-Python] Starting MoinMoin as nonroot Linux User
I fear I'm missing something basic and overlooked something already documented. Hopefully someone will set me straight.

I'm attempting to play with MoinMoin using twisted as the webserver. I'm running on linux using python 2.3.4 and twisted 1.3.0 as a nonroot user. When I attempt to start MoinMoin, I see the following in the log:

2004/12/20 17:05 CST [-] Starting factory <MoinMoin.server.twistedmoin.MoinSite instance at 0x40a070ec>
2004/12/20 17:05 CST [-] Traceback (most recent call last):
2004/12/20 17:05 CST [-] File "/home/stage3/bin/twistd", line 36, in ?
2004/12/20 17:05 CST [-] run()
2004/12/20 17:05 CST [-] File "/home/stage3/lib/python2.3/site-packages/twisted/scripts/twistd.py", line 184, in run
2004/12/20 17:05 CST [-] app.run(runApp, ServerOptions)
2004/12/20 17:05 CST [-] File "/home/stage3/lib/python2.3/site-packages/twisted/application/app.py", line 205, in run
2004/12/20 17:05 CST [-] runApp(config)
2004/12/20 17:05 CST [-] File "/home/stage3/lib/python2.3/site-packages/twisted/scripts/twistd.py", line 175, in runApp
2004/12/20 17:05 CST [-] startApplication(config, application)
2004/12/20 17:05 CST [-] File "/home/stage3/lib/python2.3/site-packages/twisted/scripts/twistd.py", line 160, in startApplication
2004/12/20 17:05 CST [-] shedPrivileges(config['euid'], process.uid, process.gid)
2004/12/20 17:05 CST [-] File "/home/stage3/lib/python2.3/site-packages/twisted/scripts/twistd.py", line 134, in shedPrivileges
2004/12/20 17:05 CST [-] switchUID(uid, gid, euid)
2004/12/20 17:05 CST [-] File "/home/stage3/lib/python2.3/site-packages/twisted/python/util.py", line 606, in switchUID
2004/12/20 17:05 CST [-] initgroups(uid, gid)
2004/12/20 17:05 CST [-] File "/home/stage3/lib/python2.3/site-packages/twisted/python/util.py", line 584, in initgroups
2004/12/20 17:05 CST [-] setgroups(l)
2004/12/20 17:05 CST [-] OSError: [Errno 1] Operation not permitted

I am merely experimenting and I would like to run without being root. Is it possible?
Thanks, -Garrett Rolfs
On 20 Dec 2004 17:23:18 -0600, Garrett Rolfs <stage3@us.ibm.com> wrote:
I fear I'm missing something basic and overlooked something already documented. Hopefully someone will set me straight. I'm attempting to play with MoinMoin using twisted as the webserver. I'm running on linux using python 2.3.4 and twisted 1.3.0 as a nonroot user. When I attempt to start MoinMoin, I see the following in the log: [snip]
Your logged in shell is running with more permissions than your system is configured to allow you to have. Perhaps someone recently edited your /etc/groups file or something similar. Logging all the way out and back in should give you an environment in which twistd will start up for you.

If you ran across this without passing uid= or gid= to Application(), this is probably a twistd bug. If you didn't, it's just an undesirable deployment complication with bad error reporting. Both should be fixed, of course :)

Jp
Jp Calderone wrote:
On 20 Dec 2004 17:23:18 -0600, Garrett Rolfs <stage3@us.ibm.com> wrote:
I fear I'm missing something basic and overlooked something already documented. Hopefully someone will set me straight. I'm attempting to play with MoinMoin using twisted as the webserver. I'm running on linux using python 2.3.4 and twisted 1.3.0 as a nonroot user. When I attempt to start MoinMoin, I see the following in the log: [snip]
Your logged in shell is running with more permissions than your system is configured to allow you to have. Perhaps someone recently edited your /etc/groups file or something similar. Logging all the way out and back in should give you an environment in which twistd will start up for you.
If you ran across this without passing uid= or gid= to Application(), this is probably a twistd bug. If you didn't, it's just an undesirable deployment complication with bad error reporting. Both should be fixed, of course :)
Don't know if it is a bug - or something to do with shell privileges. I have seen the same thing migrating recently from Slackware 9.1 to Slackware 10.0. Since I'm using the same version of Twisted and Python on both versions of Slack (9.1 and 10.0) - logic seems to point in the direction of the distro or some GNU library related issue.

regards,
Eugene Coetzee
Web -> www.reedflute.com
Eugene Coetzee <projects@reedflute.com> writes:
Jp Calderone wrote:
Your logged in shell is running with more permissions than your system is configured to allow you to have. Perhaps someone recently edited your /etc/groups file or something similar. Logging all the way out and back in should give you an environment in which twistd will start up for you.
Thank you for the clue. Indeed that appears to be the problem. I looked at my /etc/passwd entry and I am in my own "personal" group. My site has linux clients that authenticate against AFS. Every user has their own group to minimize the exposure allowing unanticipated access to local (non-AFS) directories and files. Anyway, back to the main topic... I executed the id command and noticed I am in groups not listed in /etc/passwd. Also, I shouldn't be in these groups because they are "personal" groups for other users. Hence, I have sent an email to our internal support org.
Don't know if it is a bug - or something todo with shell privileges. I have seen the same thing migrating recently from Slackware 9.1 to Slackware 10.0.
Since I'm using the same version of Twisted and Python on both versions of Slack (9.1 and 10.0) - logic seems to point in the direction of the distro or some GNU library related issue.
The id command may shed some light on what is different; at least it did for me. Thanks for the feedback.

-Garrett Rolfs
Date: Mon Dec 20 21:02:04 2004
From: stage3 at us.ibm.com (Garrett Rolfs)

I fear I'm missing something basic and overlooked something already documented. Hopefully someone will set me straight. I'm attempting to play with MoinMoin using twisted as the webserver. I'm running on linux using python 2.3.4 and twisted 1.3.0 as a nonroot user. When I attempt to start MoinMoin, I see the following in the log:

I am seeing the same problem with an online tutorial system being developed here at MIT. The problem is directly related to the use of AFS, which adds two high-numbered groups to the user's list, as reported by "id -G". If I authenticate using standard passwords, those groups aren't present and Twisted starts fine.

This is an urgent problem for us. Next week, we will start teaching a class that uses this system. Since AFS is in widespread use here at MIT, the students will be using AFS for their home directories.

I'd like to get this fixed, either by some kind of patch, or by a workaround. Does anyone on the list have any ideas about this? The only thing I can think of doing is to change initgroups to filter out the bad groups.

Thanks,
Chris
On Jan 28, 2005, at 9:26 AM, Chris Hanson wrote:
I'd like to get this fixed, either by some kind of patch, or by a workaround. Does anyone on the list have any ideas about this?
The right fix is to never try to change or verify the groups list when not instructed to change userids. Currently twistd defaults its uid/gid arguments to the current user's UID/GID, and attempts to setuid/setgid/initialize groups appropriately, which is silly. See also http://twistedmatrix.com/bugs/issue600.

A quick fix is to comment out twisted/scripts/twistd.py:160:

    shedPrivileges(config['euid'], process.uid, process.gid)

which is useless when not running as root.

James
On Fri, 2005-01-28 at 11:04 -0500, James Y Knight wrote:
A quick fix is to comment out twisted/scripts/twistd.py:160: shedPrivileges(config['euid'], process.uid, process.gid) which is useless when not running as root.
Can we get in a long term fix for 2.0?
Itamar Shtull-Trauring <itamar@itamarst.org> writes:
On Fri, 2005-01-28 at 11:04 -0500, James Y Knight wrote:
A quick fix is to comment out twisted/scripts/twistd.py:160: shedPrivileges(config['euid'], process.uid, process.gid) which is useless when not running as root.
Can we get in a long term fix for 2.0?
That would be great. It turns out my problem is/was the same as the folks at MIT. My linux box is an AFS client. A person in my department that is our resident AFS expert informed me that AFS uses the first 2 group slots to store the AFS PAG (Process Authentication Group) identifier for the user. This is for 2.4 and older kernels. I don't know if it is the same for 2.6 kernels. I know the OpenAFS folks are in the process of redoing PAGs because of 2.6 kernel changes.

For now, commenting out the call to shedPrivileges works for me.

-Garrett Rolfs
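The guard James Y Knight describes (touch uid, gid and the groups list only when a change was explicitly requested) and the check Garrett ran by hand with id (groups the session holds that the account database does not assign), as an added example that is not Twisted's code or any poster's. All function names, the Group tuple and the sample gids are hypothetical and constructed for illustration.

```python
import grp
import os
import pwd
from collections import namedtuple


def plan_privilege_drop(euid, uid, gid, target_uid=None, target_gid=None):
    """Return the ordered credential changes to make, or [] for none.

    target_* are what the operator explicitly requested (None = not asked).
    """
    if target_uid is None and target_gid is None:
        return []                       # nothing requested: leave groups alone
    want_uid = uid if target_uid is None else target_uid
    want_gid = gid if target_gid is None else target_gid
    if (want_uid, want_gid) == (uid, gid):
        return []                       # already the requested identity
    if euid != 0:
        raise PermissionError("changing uid/gid requires euid 0")
    # Groups and gid must change while still root; uid goes last.
    return [("initgroups", want_uid, want_gid),
            ("setgid", want_gid), ("setuid", want_uid)]


def apply_plan(plan):
    """Execute a plan with the real os calls (needs root if non-empty)."""
    for name, *args in plan:
        if name == "initgroups":
            os.initgroups(pwd.getpwuid(args[0]).pw_name, args[1])
        else:
            getattr(os, name)(args[0])


def extra_gids(process_gids, username, primary_gid, group_db):
    """Gids the process holds that the group database does not assign."""
    assigned = {primary_gid}
    assigned.update(g.gr_gid for g in group_db if username in g.gr_mem)
    return sorted(set(process_gids) - assigned)


# Constructed sample: a user whose session carries two extra high gids.
Group = namedtuple("Group", "gr_name gr_gid gr_mem")
SAMPLE_DB = [Group("alice", 1000, []), Group("wiki", 1500, ["alice"])]
SAMPLE_PROCESS_GIDS = [33000, 41234, 1000, 1500]

if __name__ == "__main__":
    print(plan_privilege_drop(os.geteuid(), os.getuid(), os.getgid()))
    print(extra_gids(os.getgroups(), pwd.getpwuid(os.getuid()).pw_name,
                     os.getgid(), grp.getgrall()))
```

Run as an ordinary user with no target given, the plan is empty, so setgroups is never attempted and the extra session groups cannot trigger the EPERM seen in the traceback.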
participants (6)
- Chris Hanson
- Eugene Coetzee
- Garrett Rolfs
- Itamar Shtull-Trauring
- James Y Knight
- Jp Calderone