Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!news.glorb.com!npeer03.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-media.com!postnews.google.com!glegroupsg2000goo.googlegroups.com!not-for-mail
From: jeff <3beezer@gmail.com>
Newsgroups: comp.lang.python
Subject: Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups()
Date: Sun, 25 Mar 2012 16:33:59 -0700 (PDT)
Organization: http://groups.google.com
Lines: 29
Message-ID: <7418918.681.1332718439318.JavaMail.geo-discussion-forums@yneo2>
References: <19158239.1073.1332711120749.JavaMail.geo-discussion-forums@ynlx41> <mailman.973.1332713242.3037.python-list@python.org>
NNTP-Posting-Host: 24.9.68.28
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
X-Trace: posting.google.com 1332719321 10305 127.0.0.1 (25 Mar 2012 23:48:41 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Sun, 25 Mar 2012 23:48:41 +0000 (UTC)
Cc: python-list@python.org
In-Reply-To: <mailman.973.1332713242.3037.python-list@python.org>
Complaints-To: groups-abuse@google.com
Injection-Info: glegroupsg2000goo.googlegroups.com; posting-host=24.9.68.28; posting-account=gr_YLgoAAAAnxbkitFI4LHjYolWPI16O
User-Agent: G2/1.0
X-Received-Bytes: 2476
Xref: csiph.com comp.lang.python:22151

On Sunday, March 25, 2012 4:04:55 PM UTC-6, Heiko Wundram wrote:
> Am 25.03.2012 23:32, schrieb jeff:
> > After the os.setgroups, os.getgroups says that the process is not in
> > any groups, just as you would expect... I can suppress
> > membership in the root group only by doing os.setgid and os.setuid
> > before the os.system call (in which case I wind up in the group of 
> > the
> > new user instead of root), but I have to be able to get back to root
> > privilege so I can't use setgid and setuid.
> 
> Simply not possible (i.e., you can't drop root privileges, be it by 
> setuid()/setgid() or removing yourself from groups with setgroups()), 
> and later reacquire them _in the same process_. See the discussion of 
> how to implement privilege separation at
> 
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
> 
> (which discusses how this is implemented in OpenSSH) by running 
> multiple processes which communicate through IPC mechanisms, and each of 
> those drops the rights it requires. Using IPC to implement 
> reduced-privilege process spawning has a long history; also, Postfix 
> comes to mind as an "early" adopter of a privilege separation mechanism.
> 
> -- 
> --- Heiko.

os.system("su -m <unprivileged_user> -c '<command string>'")

seems to do the trick.