[spambayes-dev] Running sb_server.py from init under Linux

Richard Heck rgheck at bobjweil.com
Tue Jan 31 17:05:34 CET 2006


Tony Meyer wrote:

>> It's a fundamental principle of Linux security that processes run
>> with the
>> minimum privilege level necessary to do their job, hence my earlier
>> question whether it needed to be root.
>
> Another Linux fundamental is that the user has control over what
> happens. I believe the user should decide 'who' runs sb_server, not
> the script itself (i.e. the developers). If running sb_server.py
> actually required running as root, then I agree that would be a
> problem. It does not, however.

Well, obviously there's a disagreement there. But none of the standard
Unix services run as root by default unless there is some reason they
have to do so, and that's for a reason. Apache, for example, will run as
root if you ask, but the default configuration doesn't run it as root,
and surely no-one would ever want to run it that way. In any event, if
one were going to address this generally, the right place to do so is
perhaps in configuration.

>>> What do we do on Windows? [etc]
>>
> But this means that sb_server starts behaving differently on different
> platforms. I'm -1 on anything that does that. What's wrong with having
> a separate script that does what you want (like the Windows ones),
> leaving sb_server properly cross-platform[1]?

That doesn't seem non-cross-platform to me. It just seems like taking
advantage of a facility that is available on *nix and not available on
Windows.

It's possible that the second-script option could be made to work, for
the more limited idea. That script could perhaps simply lower its
privileges and fork a new process that would then pass control to
sb_server. I'll look into that. But I don't see how one would get
finer-grained control that way: E.g., running the process that binds
ports as root, but running the web interface and proxy as an
unprivileged user.

By the way, the purpose of the mutex code seems to be to keep sb_server
from starting multiple instances (or is that not its purpose? I don't do
Windows). Anyway, if that is its purpose, then it may not need
replication on Linux, anyway. At least when I start sb_server from an
initscript, it won't start multiple instances. I'm not sure why not.

Cheers,
Richard

-- 
==================================================================
Richard G Heck, Jr
Professor of Philosophy
Brown University
http://bobjweil.com/heck/
==================================================================
Get my public key from http://sks.keyserver.penguin.de
Hash: 0x1DE91F1E66FFBDEC
Learn how to sign your email using Thunderbird and GnuPG at:
http://dudu.dyn.2-h.org/nist/gpg-enigmail-howto
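The two mechanisms discussed in the message above, a separate launcher that binds the ports while privileged and then lowers its privileges before handing control to the server, and the single-instance lock that the Windows mutex provides, are shown together in the following example. It is added here for illustration and is not SpamBayes code nor anything from the thread's participants. The lock file path, the listening port, the `nobody` account and the server path are all placeholder assumptions, as is the hand-off convention (passing the bound socket as file descriptor 3), which assumes a server written to accept an inherited listening socket; the thread does not say that sb_server.py does this.

```python
"""Privilege-dropping, single-instance launcher for a Unix daemon.

Added example, not SpamBayes code. The order of operations is the point:
1. take an exclusive lock so a second start is refused,
2. bind the listening socket while still privileged,
3. drop to an unprivileged account (irreversibly),
4. only then hand the socket to the real server.
"""
import fcntl
import grp
import os
import pwd
import socket
import sys
import tempfile


def acquire_single_instance_lock(lock_path):
    """Return an open, exclusively locked file, or None if another holder exists.

    The kernel releases a flock() when its holder exits, so a stale file left
    by a crashed instance never blocks the next start (unlike a bare pidfile).
    Keep the returned object alive for the daemon's whole lifetime.
    """
    fh = open(lock_path, "a+")
    try:
        fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError:            # EWOULDBLOCK: someone else holds it
        fh.close()
        return None
    fh.seek(0)
    fh.truncate()
    fh.write("%d\n" % os.getpid())   # informational only; the lock is the flock
    fh.flush()
    return fh


def bind_listener(host, port):
    """Create the listening socket before privileges are dropped, so that a
    port below 1024 can still be bound. Returns the socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def resolve_account(user, group=None):
    """Map account names to numeric (uid, gid) via the system databases."""
    pw = pwd.getpwnam(user)
    gid = grp.getgrnam(group).gr_gid if group else pw.pw_gid
    return pw.pw_uid, gid


def drop_privileges(uid, gid):
    """Switch to uid/gid for good. Order matters: supplementary groups and the
    gid need root, so they go first; setuid() comes last because afterwards
    nothing privileged is possible. Returns True when the identity matches."""
    if os.geteuid() == 0:
        os.setgroups([])       # shed supplementary groups (wheel, adm, ...)
    os.setgid(gid)
    os.setuid(uid)
    os.umask(0o077)            # files the server creates stay private
    return os.geteuid() == uid and os.getegid() == gid


def privileges_are_dropped():
    """Confirm the drop cannot be undone: regaining uid 0 must fail."""
    if os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


def hand_off(sock, argv):
    """Replace this process with the server, leaving the bound socket on fd 3.
    Assumed convention: the target server knows to use the inherited fd."""
    os.dup2(sock.fileno(), 3)
    os.set_inheritable(3, True)
    os.execv(argv[0], argv)


def demo():
    """Exercise the whole sequence without root: current account, ephemeral
    port, lock file in a temporary directory. Returns what was achieved."""
    tmpdir = tempfile.mkdtemp()
    lock_path = os.path.join(tmpdir, "launcher.lock")
    first = acquire_single_instance_lock(lock_path)
    second = acquire_single_instance_lock(lock_path)   # a second start attempt
    sock = bind_listener("127.0.0.1", 0)
    port = sock.getsockname()[1]
    dropped = drop_privileges(os.getuid(), os.getgid())
    result = {
        "first_lock_held": first is not None,
        "second_start_refused": second is None,
        "port_bound": port > 0,
        "dropped": dropped,
        "irreversible": privileges_are_dropped(),
        "still_root": os.geteuid() == 0,
    }
    sock.close()
    if first is not None:
        first.close()
    os.remove(lock_path)
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    lock = acquire_single_instance_lock("/run/launcher-example.lock")  # assumed path
    if lock is None:
        sys.exit("another instance is already running")
    listener = bind_listener("0.0.0.0", 8880)          # example port, not SpamBayes'
    uid, gid = resolve_account("nobody")               # assumed service account
    if not drop_privileges(uid, gid) or not privileges_are_dropped():
        sys.exit("privilege drop failed; refusing to start the server as root")
    hand_off(listener, ["/path/to/server.py"])         # placeholder server path
```

The finer-grained split the message asks about (privileged binder, unprivileged web interface and proxy) is exactly what this layout yields: the launcher is the only code that ever runs as root, and it does nothing but lock, bind and drop before the server code is even loaded. The `demo()` function runs the sequence against the calling account so the lock and drop behaviour can be checked without root; the second `acquire_single_instance_lock()` call models a second start from an initscript and is refused while the first lock is held.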