| From | jeff <3beezer@gmail.com> |
|---|---|
| Newsgroups | comp.lang.python |
| Subject | Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() |
| Date | Sun, 25 Mar 2012 16:33:59 -0700 (PDT) |
| Organization | http://groups.google.com |
| Lines | 29 |
| Message-ID | <7418918.681.1332718439318.JavaMail.geo-discussion-forums@yneo2> |
| References | <19158239.1073.1332711120749.JavaMail.geo-discussion-forums@ynlx41> <mailman.973.1332713242.3037.python-list@python.org> |
On Sunday, March 25, 2012 4:04:55 PM UTC-6, Heiko Wundram wrote:
> On 25.03.2012 23:32, jeff wrote:
> > After the os.setgroups, os.getgroups says that the process is not in
> > any groups, just as you would expect... I can suppress
> > membership in the root group only by doing os.setgid and os.setuid
> > before the os.system call (in which case I wind up in the group of
> > the new user instead of root), but I have to be able to get back to
> > root privilege so I can't use setgid and setuid.
>
> Simply not possible (i.e., you can't drop root privileges, be it by
> setuid()/setgid() or removing yourself from groups with setgroups()),
> and later reacquire them _in the same process_. See the discussion of
> how to implement privilege separation at
>
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>
> (which discusses how this is implemented in OpenSSH) by running
> multiple processes which communicate through IPC mechanisms, and each of
> those drops the rights it requires. Using IPC to implement
> reduced-privilege process spawning has a long history; also, Postfix
> comes to mind as an "early" adopter of a privilege separation mechanism.
>
> --
> --- Heiko.
os.system("su -m <unprivileged_user> -c '<command string>'")
seems to do the trick.
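
The pattern discussed in this thread (drop privileges only in a child process, so the parent stays root), as an added Python example that is not part of the original posts. It assumes Python 3.9+ for the `user`, `group` and `extra_groups` arguments of `subprocess.run`; `identity_for`, `run_as`, `credentials_seen_by_child` and `PROBE` are names chosen for this example.

```python
import json
import os
import pwd
import subprocess
import sys

# Child-side probe: report the credentials the new process actually holds.
PROBE = [sys.executable, "-c",
         "import os, json; print(json.dumps({'uid': os.getuid(), "
         "'gid': os.getgid(), 'groups': sorted(os.getgroups())}))"]


def identity_for(username):
    """Return (uid, gid, supplementary groups) from the passwd/group databases."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, pw.pw_gid, os.getgrouplist(pw.pw_name, pw.pw_gid)


def run_as(uid, gid, groups, argv):
    """Run argv under the given identity in a child; the parent is unchanged."""
    drop = {}
    if os.geteuid() == 0:
        # Applied in the child between fork and exec, in the order
        # setgroups -> setgid -> setuid. The primary gid is included, as
        # getgrouplist does, so the supplementary list is never empty.
        drop = {"user": uid, "group": gid,
                "extra_groups": sorted(set(groups) | {gid})}
    elif (uid, gid) != (os.getuid(), os.getgid()):
        raise PermissionError("switching identity requires root")
    # Like `su -m`, the child inherits the caller's environment.
    return subprocess.run(argv, capture_output=True, text=True,
                          check=True, **drop)


def credentials_seen_by_child(uid, gid, groups):
    """Spawn the probe under the identity and return what it reports."""
    return json.loads(run_as(uid, gid, groups, PROBE).stdout)


if __name__ == "__main__":
    # Constructed demo: as root, pass a username; otherwise the current
    # identity is probed.
    target = (identity_for(sys.argv[1]) if len(sys.argv) > 1
              else (os.getuid(), os.getgid(), os.getgroups()))
    before = (os.geteuid(), sorted(os.getgroups()))
    print("child :", credentials_seen_by_child(*target))
    print("parent unchanged:", before == (os.geteuid(), sorted(os.getgroups())))
```

When dropping to another account as root, the interpreter at `sys.executable` must be executable by that account for the probe to start.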
Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 14:32 -0700
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() Heiko Wundram <modelnine@modelnine.org> - 2012-03-26 00:04 +0200
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 16:33 -0700
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 16:33 -0700
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() Ben Finney <ben+python@benfinney.id.au> - 2012-03-26 11:22 +1100
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-26 07:41 -0700