Privilege dropping support in Upstart

James Hunt james.hunt at
Fri Dec 9 15:51:00 UTC 2011

On 18/11/11 02:24, Evan Broder wrote:
>> - Resource Limits/OOM/Priority
>> The fact that the setgid+setuid calls come *after* the chroot+user session code means we're
>> effectively allowing non-privileged (system) jobs to elevate their resource limits, OOM score and
>> priority. It could be argued that these are after all system jobs, so why not allow such behaviour?
>> But until compelling examples are given, I'd prefer we take the cautious approach and disallowed
>> this behaviour. Again, to avoid confusion we should document in init.5 that system jobs running as
>> non-privileged users cannot elevate their resource limits beyond that users limits.
> I'm really not sure I agree with this. I think this is philosophically
> equivalent to the traditional daemon initialization process of
> acquiring the resources it needs and then dropping privileges.
> Similarly, daemons running under Upstart should be permitted to
> express that same idiom through Upstart's config file - acquire
> resources, then drop privileges.
> While I can respect the need for caution, this doesn't introduce any
> behavior that wasn't there previously - system jobs using the setuid
> and setgid syntax would previously have been started as root and been
> able to change these restrictions before dropping privileges. If we
> impose restrictions on how setuid/setgid can be used, it limits the
> utility of the new stanzas without any concrete gain.
After a bit of contemplation, I'm now in agreement.

>> * Testing
>> Yes, I appreciate the issues testing some of these scenarios. It will admittedly complicated by
>> adding setuid+setgid support to the already interesting combination of user jobs and chroot support
>> :) What we need is a fully automated set of tests for these features. Effort is being put into this
>> for the current Ubuntu cycle.
> I believe that these and other functions would be more testable if a
> portion of the test suite was run under fakeroot and fakechroot -
> combined, they seem to be clever enough to simulate chroot(),
> setuid(), and setgid(), among others.
Agreed - that is on my TODO list.

I've now merged this feature into lp:upstart, so it should land in Precise some time next week.
Thanks again for your contribution!

The Cookbook should be updated some time next week for "console log" and "setuid/setgid"...

Kind regards,
James Hunt

More information about the upstart-devel mailing list