Privilege dropping support in Upstart

Evan Broder evan at
Tue Nov 8 21:01:43 UTC 2011

The attached patchset (also available at adds new
setuid and setgid stanzas to the config format, each of which accept a
user/group name (not UID/GID), respectively. (See also

If the stanzas are set, Upstart drops privileges after handling the
chroot and chdir stanzas and before resetting signal handlers. This
means that the arguments to the stanzas are evaluated within the
chroot where the job will run. They are also evaluated after dropping
privilege for user jobs, and after setting rlimits.

If the setuid stanza is set and the setgid stanza is unset, then the
primary group of the user specified is used. If the setgid stanza is
set and the setuid stanza is unset, the job runs with root's (or the
unprivileged user's) UID and the specified group. If neither is
specified, the job runs with root's user and group.

If either the user or group specified do not exist in the job's
environment, the job throws an error.

Since setuid(2) and setgid(2) are both privileged operations, I was
unable to write automated tests for them that could run unprivileged.
However, I did test all combinations of setting and unsetting setuid
and setgid, as well as invalid values for both setuid and setgid, and
confirmed that those combinations work as expected.

Here is the concatenated bzr log of changes:

  * init/man/init.5: Document new setuid and setgid stanzas, including
  their behavior when unspecified.
  * init/job_process.c, init/job_process.h, init/errors.h: If setuid or
  setgid stanzas are specified, drop privileges just before executing
  the job.
  * init/tests/test_parse_job.c: Test new setuid and setgid stanza
  * init/parse_job.c: Parse setuid and setgid stanzas from config files
  taking a user and group name argument, respectively.
  * init/tests/test_job_class.c: Test new setuid and setgid JobClass
  * init/job_class.c, init/job_class.h: Add new setuid and setgid fields
  to JobClass

Thanks for your feedback,
 - Evan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: drop-privileges.patch
Type: text/x-patch
Size: 16298 bytes
Desc: not available
URL: <>

More information about the upstart-devel mailing list