Fix #666 - Fail explicitly when missing logfile permissions

irrdnet · Jan 12, 2023 · 1b4735e · 1b4735e
1 parent 9d3669f
commit 1b4735e
Showing 1 changed file with 19 additions and 5 deletions.
diff --git a/irrd/daemon/main.py b/irrd/daemon/main.py
@@ -59,15 +59,25 @@ def main():
     # but this call here causes fast failure for most misconfigurations
     config_init(args.config_file_path, commit=False)
 
+    staged_logfile_path = get_configuration().user_config_staging.get('log.logfile_path')
+    staged_logging_config_path = get_configuration().user_config_staging.get('log.logging_config_path')
     if not any([
-        get_configuration().user_config_staging.get('log.logfile_path'),
-        get_configuration().user_config_staging.get('log.logging_config_path'),
+        staged_logfile_path,
+        staged_logging_config_path,
         args.foreground,
     ]):
         logging.critical('Unable to start: when not running in the foreground, you must set '
                          'either log.logfile_path or log.logging_config_path in the settings')
         return
 
+    uid, gid = get_configured_owner(from_staging=True)
+    if uid and gid:
+        os.seteuid(uid)
+        os.setegid(gid)
+        if staged_logfile_path and not os.access(staged_logfile_path, os.W_OK, effective_ids=True):
+            logging.critical(f'Unable to start: logfile {staged_logfile_path} not writable by UID {uid} / GID {gid}')
+            return
+
     with daemon.DaemonContext(**daemon_kwargs):
         config_init(args.config_file_path)
 
@@ -182,10 +192,14 @@ def sigterm_handler(signum, frame):
     logging.info(f'Main process exiting')
 
 
-def get_configured_owner() -> Tuple[Optional[int], Optional[int]]:
+def get_configured_owner(from_staging=False) -> Tuple[Optional[int], Optional[int]]:
     uid = gid = None
-    user = get_setting('user')
-    group = get_setting('group')
+    if not from_staging:
+        user = get_setting('user')
+        group = get_setting('group')
+    else:
+        user = get_configuration().user_config_staging.get('user')
+        group = get_configuration().user_config_staging.get('group')
     if user and group:
         uid = pwd.getpwnam(user).pw_uid
         gid = grp.getgrnam(group).gr_gid