[Bug 1611603] Re: fails to start when confined in a snap

Paul Collins paul.collins at canonical.com
Wed Aug 17 02:40:41 UTC 2016 

I managed to completely forget what a hack the previous patch was
between writing it and posting it.  So please definitely ignore that
one.

Here's a more sensible patch that that will skip chowning the worker
temporary file if we're running as root and we know we're not going to
try to drop privileges.

If Ubuntu snaps gain support for assigning non-root UIDs and GIDs to
confined apps, gunicorn will probably need more work, even with this
patch applied, because utils.set_owner_process() assumes that
setuid(getuid()) will successfully no-op, whereas the Ubuntu snap
security policy would probably still block setuid() entirely.

But this seems to be enough for now, and my snapped Web app still works
with this patch applied in place of the previous one.

** Patch added: "skip chown when it would be a no-op, take 2"
   https://bugs.launchpad.net/ubuntu/+source/gunicorn/+bug/1611603/+attachment/4722435/+files/gunicorn.chown-2.patch

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to gunicorn in Ubuntu.
https://bugs.launchpad.net/bugs/1611603

Title:
  fails to start when confined in a snap

Status in gunicorn package in Ubuntu:
  New

Bug description:
  I attempted to package a simple WSGI app in an Ubuntu snap with
  gunicorn, and ran into a problem with gunicorn vs. the Snap security
  policy.

  The policy forbids calling chown at all, whereas the
  workers.workertmp.WorkerTmp class relies on the default and
  historically unproblematic behaviour of silently succeeding when the
  UID/GID are the same as the calling process's.

  I've attached a patch that attempts to short-circuit chown when it
  would be a no-op, which is the case when gunicorn is run as root in a
  snap, and this patch lets my app work when confined.

  snaps also do not currently allow setuid, etc., and so there's no sense in trying to create a gunicorn-using snap that starts as root and then drops privileges.  For more information on the snap security policy, please visit: https://developer.ubuntu.com/en/snappy/guides/security/
  and https://developer.ubuntu.com/en/snappy/build-apps/debug/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gunicorn/+bug/1611603/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list