in reply to Re: Privilege reduction with start_server / plackup
in thread Privilege reduction with start_server / plackup

It's Twiggy for the non-blocking. If Starman can do that just as well then I'd be happy enough to switch but from a cursory look through the docs that might not be the case, unfortunately.

Re^3: Privilege reduction with start_server / plackup
by haukex (Archbishop) on Apr 17, 2020 at 08:14 UTC
    It's Twiggy for the non-blocking.

    Ah, yes, I see, and I think you're right that Starman doesn't support that. It looks like neither Server::Starter nor Twiggy supports changing the UID/GID natively. What I learned in writing the script I linked to was that it basically has to be done by the server itself, and not by some tool launching that server, because it first needs to open the ports, and then reduce its privileges. You could of course consider putting the server behind an nginx proxy, but that's also an extra component to maintain. Here's a sub I wrote once to manually set the UID and GID with as much error checking as possible.

      Thanks for the sub - there's a bit more in there in terms of error checking than I would probably have thought of. Something like this combined with Corion's monkey-patch approach may yet be the "best" solution.

      I really don't want to go putting nginx (or anything else) in front of this. It would add no real value that I can see and would be no more stable than the simple netfilter port-forwarding already under consideration.
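
The bind-first, drop-afterwards order discussed in this thread, as an added example (it is not the sub linked above and not code from any poster). The account name `nobody`, port 80 and the name `drop_privileges` are assumptions chosen for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use POSIX ();
use IO::Socket::INET;

# Assumed values for illustration: an unprivileged account and a low port.
my ($user, $port) = ('nobody', 80);

sub drop_privileges {
    my ($name) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($name)
        or die "unknown user '$name'\n";
    die "refusing to 'drop' to uid/gid 0\n" if $uid == 0 || $gid == 0;

    # 1. Supplementary groups first: setgroups needs root, so it must
    #    happen before the UID changes. Assigning "gid gid" to $) sets
    #    the effective GID and reduces the group list to that one GID.
    $! = 0;
    $) = "$gid $gid";
    die "setgroups/setegid failed: $!\n" if $!;

    # 2. Group, then user. Called as root, these also set the saved IDs.
    defined POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";
    defined POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

    # 3. Verify the result instead of trusting the return values alone.
    my ($rgid)        = split ' ', $(;
    my ($egid, @supp) = split ' ', $);
    die "uid not dropped\n" unless $< == $uid  && $> == $uid;
    die "gid not dropped\n" unless $rgid == $gid && $egid == $gid;
    die "extra groups remain: @supp\n" if grep { $_ != $gid } @supp;

    # 4. The drop must be irreversible: regaining root has to fail.
    die "root can still be regained\n" if defined POSIX::setuid(0);
    return 1;
}

# Open the privileged port while still root ...
my $listen = IO::Socket::INET->new(
    LocalPort => $port, Proto => 'tcp', Listen => 5, ReuseAddr => 1,
) or die "cannot bind port $port: $@\n";

# ... then give up root before any request is handled.
drop_privileges($user);
print "listening on $port as uid $> gid ", (split ' ', $))[0], "\n";
# $listen would now be handed to the server's accept loop.
```

The order of the three steps matters: once the UID has changed, the process no longer has the right to alter its groups, so a drop that sets the UID first silently keeps root's group memberships.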