Re: Privilege reduction with start

I think for Twiggy, you will have to create your own Twiggy subclass (or monkeypatch it) to override Twiggy::Server->start_listen:

sub Twiggy::Server::start_listen {
    my ($self, $app) = @_;
    my @listen = @{$self->{listen} || [ ($self->{host} || '') . ":" . 
+($self->{port} || 0) ]};
    for my $listen (@listen) {
        push @{$self->{listen_guards}}, $self->_create_tcp_server($lis
+ten, $app);
    }
    # XXX drop privileges here
}
[download]

Comment on Re: Privilege reduction with start_server / plackup Select or Download Code

Replies are listed 'Best First'.
Re^2: Privilege reduction with start_server / plackup by hippo (Archbishop) on Apr 17, 2020 at 09:45 UTC
You are probably right. It is surprising that Miyagawa didn't incorporate something like this already and it makes me wonder what everyone else does when using Twiggy. Do they just run it as root and not care about the security aspects? Do they hide it on a high port behind a reverse proxy? Or do they offer it publicly but on a non-standard high port? Thanks for thinking of and sharing this approach.	[reply]
Re^3: Privilege reduction with start_server / plackup by kikuchiyo (Hermit) on Apr 17, 2020 at 10:10 UTC
Do they hide it on a high port behind a reverse proxy? At $WORK, we do that, plus the Twiggy server itself is containerized.	[reply]