On Wed, 17 Jan 2007 11:24:03 +0200, Nico de Jager ndj@hivsa.com wrote:

> From the Hunchentoot documentation: "On Unix you can use setuid and setgid to change the UID and GID of the process directly after the server has been started. (You might want to do this if you're using a privileged port like 80.) setuid and setgid can be integers (the actual IDs) or strings (for the user and group name respectively)."
>
> Does this work on Linux?

Works for me - see below.

> Will this change the uid and gid of the running lisp image or only of certain threads?

It calls setuid(2) and setgid(2) respectively, which set the values "of the current process" - see the man pages.

> In my instance, I start my LispWorks image as root in order to start the server on port 443, and then wish to change the Hunchentoot image to a uid/gid with less privileges. Supplying the :setuid and :setgid parameters has no effect, though; the uid is still shown as root with ps/top.
CL-USER 13 > (lisp-implementation-type)
"LispWorks"

CL-USER 14 > (lisp-implementation-version)
"5.0.1"

CL-USER 15 > (software-type)
"Linux"

CL-USER 16 > (software-version)
"2.6.17-2-686"

CL-USER 17 > (sys:call-system-showing-output "id")
; id
; uid=0(root) gid=0(root) groups=0(root)
0

CL-USER 18 > (hunchentoot:start-server :port 80 :setuid "edi" :setgid "users")
#<HUNCHENTOOT::SERVER 200D45AF>

CL-USER 19 > (sys:call-system-showing-output "id")
; id
; uid=1000(edi) gid=100(users) groups=0(root)
0

CL-USER 20 > (hunchentoot:start-server :port 81)

Error: Failed to create socket. Syscall BIND failed: Permission denied (13).
  1 (abort) Quit process.

Type :b for backtrace, :c <option number> to proceed, or :? for other options
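Editor's note. The following is an added example, not code from the thread or from Hunchentoot: the bind-then-drop sequence that the :setuid/:setgid options perform, written out in C so that the ordering and the checks are explicit. It assumes Linux/glibc, binds to 127.0.0.1:80, and uses the numeric ids 1000/100 as placeholders for the "edi"/"users" names in the transcript. Two details worth seeing side by side with the transcript: the gid (and supplementary groups) must be changed before the uid, because once the process is no longer root those calls fail with EPERM; and plain setuid/setgid leave inherited supplementary groups in place, which is why the second `id` above still shows groups=0(root), so the example clears them with setgroups() while it still can.

```c
/* Added example, not code from the thread or from Hunchentoot: the
 * bind-then-drop sequence that :setuid/:setgid perform, spelled out in C
 * so the ordering and the checks are explicit. Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Ports below 1024 need root (or CAP_NET_BIND_SERVICE) to bind; this is
 * why the second start-server on port 81 in the transcript fails with
 * "Permission denied" once the image has dropped to uid 1000. */
static int needs_root_to_bind(int port) {
    return port > 0 && port < 1024;
}

/* Create a listening TCP socket on 127.0.0.1:port while still privileged.
 * Returns the fd, or -1 with errno set. */
static int bind_listen(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons((uint16_t)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Drop to uid/gid permanently. Order matters: supplementary groups and
 * the gid must be changed while still root, because once setuid() has
 * moved us to a non-root uid those calls fail with EPERM. Returns 0 on
 * success, -1 (errno set) on failure or if any privilege survived. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        /* setgroups() is root-only. Without it the process keeps the
         * groups it inherited, which is what "groups=0(root)" in the
         * transcript above shows even after setuid/setgid. */
        if (setgroups(1, &gid) < 0) return -1;
    }
    if (setgid(gid) < 0) return -1;   /* must precede setuid() */
    if (setuid(uid) < 0) return -1;
    /* Verify the drop really stuck: regaining root must fail, and all
     * real and effective ids must match what was requested. */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void) {
    /* Placeholder ids standing in for "edi"/"users" in the transcript;
     * a real program would resolve names with getpwnam()/getgrnam(). */
    const uid_t target_uid = 1000;
    const gid_t target_gid = 100;
    const int port = 80;

    int fd = bind_listen(port);
    if (fd < 0) {
        fprintf(stderr, "bind port %d: %s%s\n", port, strerror(errno),
                needs_root_to_bind(port) ? " (privileged port, run as root)" : "");
        return 1;
    }
    if (drop_privileges(target_uid, target_gid) < 0) {
        fprintf(stderr, "drop privileges: %s\n", strerror(errno));
        return 1;   /* refuse to keep serving as root */
    }
    printf("listening on %d as uid=%u gid=%u\n", port,
           (unsigned)getuid(), (unsigned)getgid());
    close(fd);
    return 0;
}
```

Run it as root to see the whole sequence succeed; run it unprivileged and bind_listen() fails on port 80 exactly as the port 81 attempt does at the end of the transcript. The final checks in drop_privileges() are the part most often left out: a successful return from setuid() is not proof that root is gone, so the code tries to get it back and refuses to continue if that works.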