diff options
author | Eric Wong <e@80x24.org> | 2017-03-08 07:14:07 +0000 |
---|---|---|
committer | Eric Wong <e@80x24.org> | 2017-03-08 07:14:07 +0000 |
commit | ff13ad38ba9f83e0dd298be451aac7c75145d33b (patch) | |
tree | bc346fd083c976a9b9f43135b7b086afc8351d4f /lib/unicorn/worker.rb | |
parent | 73e1ce827faad59bfcaff0bc758c8255a5e4f747 (diff) | |
parent | d322345251e15125df896bb8f0a5b53b49a1bf3f (diff) | |
download | unicorn-ff13ad38ba9f83e0dd298be451aac7c75145d33b.tar.gz |
* origin/chroot: Add after_worker_ready configuration option Add support for chroot to Worker#user
Diffstat (limited to 'lib/unicorn/worker.rb')
-rw-r--r-- | lib/unicorn/worker.rb | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/lib/unicorn/worker.rb b/lib/unicorn/worker.rb index 6748a2f..e22c1bf 100644 --- a/lib/unicorn/worker.rb +++ b/lib/unicorn/worker.rb @@ -111,9 +111,11 @@ class Unicorn::Worker # In most cases, you should be using the Unicorn::Configurator#user # directive instead. This method should only be used if you need # fine-grained control of exactly when you want to change permissions - # in your after_fork hooks. + # in your after_fork or after_worker_ready hooks, or if you want to + # use the chroot support. # - # Changes the worker process to the specified +user+ and +group+ + # Changes the worker process to the specified +user+ and +group+, + # and chroots to the current working directory if +chroot+ is set. # This is only intended to be called from within the worker # process from the +after_fork+ hook. This should be called in # the +after_fork+ hook after any privileged functions need to be @@ -123,7 +125,7 @@ class Unicorn::Worker # directly back to the caller (usually the +after_fork+ hook. # These errors commonly include ArgumentError for specifying an # invalid user/group and Errno::EPERM for insufficient privileges - def user(user, group = nil) + def user(user, group = nil, chroot = false) # we do not protect the caller, checking Process.euid == 0 is # insufficient because modern systems have fine-grained # capabilities. Let the caller handle any and all errors. @@ -134,6 +136,11 @@ class Unicorn::Worker Process.initgroups(user, gid) Process::GID.change_privilege(gid) end + if chroot + chroot = Dir.pwd if chroot == true + Dir.chroot(chroot) + Dir.chdir('/') + end Process.euid != uid and Process::UID.change_privilege(uid) @switched = true end |