
setfs(u/g)id or set(u/g)id with eventlet (python green thread)

We have an existing project using Eventlet module.

There is a server handling client request using green threads. All the requests are handled by a single user 'User A'.

I now need to change this to do a setfsuid/setfsgid on the threads so that the underlying files are all created with the ownership of the requesting user only.

I understand that I need setid Linux capability to make the setfsid calls.

But will setfsid calls work with green threads like they do with the native threads?

By reading through various texts over the net regarding 'green threads', I couldn't gather much :(

All green threads are executed from one OS thread. To the kernel it looks like your whole Python program only has one thread.

If you need separate filesystem ids for each request, start a separate OS thread, call setfsuid() in it and execute required filesystem calls in it.

```python
import eventlet.patcher
threading = eventlet.patcher.original('threading')  # the unpatched, native threading module
```
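The approach in the answer above, written out as an added example (not part of the original answer): a native thread switches its filesystem ids, runs one file operation and exits. The names `run_as_fsuid`, `create_file` and `current_fsuid` are hypothetical, and the code assumes Linux with glibc, where `setfsuid`/`setfsgid` act on the calling thread and return the previous id without reporting errors, so the result is read back before any file is touched.

```python
import ctypes
import os
import tempfile

try:  # under eventlet, fetch the unpatched module as the answer above does
    import eventlet.patcher
    threading = eventlet.patcher.original('threading')
except ImportError:  # assumption: without eventlet, stdlib threading is native
    import threading

_libc = ctypes.CDLL(None, use_errno=True)
for _f in (_libc.setfsuid, _libc.setfsgid):
    _f.argtypes, _f.restype = [ctypes.c_uint], ctypes.c_uint
_QUERY = 0xFFFFFFFF  # (uid_t)-1 is never a valid id: the call only reports the current one

def _set_checked(call, wanted):
    # The syscall returns the previous id and signals no failure, so read it back.
    call(wanted)
    if call(_QUERY) != wanted:
        raise PermissionError(f"could not switch filesystem id to {wanted}")

def run_as_fsuid(uid, gid, func, *args):
    """Run func(*args) in a fresh OS thread whose fsuid/fsgid are uid/gid."""
    box = {}
    def worker():
        try:
            _set_checked(_libc.setfsgid, gid)  # group first, then user
            _set_checked(_libc.setfsuid, uid)
            box["value"] = func(*args)
        except BaseException as exc:  # hand any failure back to the caller
            box["error"] = exc
    t = threading.Thread(target=worker)  # the ids vanish when this thread exits
    t.start()
    t.join()  # blocks the caller's OS thread until the file work is done
    if "error" in box:
        raise box["error"]
    return box["value"]

def create_file(path):
    with open(path, "w") as fh:
        fh.write("constructed sample data\n")
    return os.stat(path).st_uid  # owner the kernel assigned at creation

def current_fsuid():
    return _libc.setfsuid(_QUERY)

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "demo.txt")
    print(run_as_fsuid(os.getuid(), os.getgid(), create_file, path))
```

Switching to an id other than the process's own requires the setuid/setgid capabilities mentioned in the question; without them the read-back check raises `PermissionError` instead of silently creating the file under the wrong owner.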

The kernel is ignorant of green threads. If a process has a uid and gid, it is used by all green threads running as part of this process.

At a first glance, what you are seeking to do is equivalent to having a privileged process do a setuid prior to opening/creating a file, then doing a second setuid to open/create a second file etc., all to ensure that each file has the right ownership. I never tried such a scheme, but it sounds very, very wrong. It is also extremely bad security-wise. You are running at high privileges and may find yourself processing user X's data while having user Y's uid.

At a second glance, green threads are cooperative, meaning that under the hood, some of the operations you do will yield. Following such yield, you may change to a different green thread that will change the uid again...

Bottom line, forget about changing the uid and gid of the green thread - there is no such thing. Create the file with whatever ID you have and chown to the right id after. Find a way to do that without running as root for security reasons.
