
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups()

Date Mon, 26 Mar 2012 00:04:55 +0200
From Heiko Wundram <modelnine@modelnine.org>
To <python-list@python.org>
Subject Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups()
In-Reply-To <19158239.1073.1332711120749.JavaMail.geo-discussion-forums@ynlx41>
Newsgroups comp.lang.python
Message-ID <mailman.973.1332713242.3037.python-list@python.org>



On 25.03.2012 23:32, jeff wrote:
> After the os.setgroups, os.getgroups says that the process is not in
> any groups, just as you would expect... I can suppress
> membership in the root group only by doing os.setgid and os.setuid
> before the os.system call (in which case I wind up in the group of the
> new user instead of root), but I have to be able to get back to root
> privilege so I can't use setgid and setuid.

Simply not possible (i.e., you can't drop root privileges, be it by 
setuid()/setgid() or removing yourself from groups with setgroups()), 
and later reacquire them _in the same process_. See the discussion of 
how to implement privilege separation at

http://www.citi.umich.edu/u/provos/ssh/privsep.html

(which discusses how this is implemented in OpenSSH) by running 
multiple processes which communicate through IPC mechanisms, and each of 
those drops the rights it requires. Using IPC to implement 
reduced-privilege process spawning has a long history; also, Postfix 
comes to mind as an "early" adopter of a privilege separation mechanism.

-- 
--- Heiko.
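The fork-and-IPC pattern Heiko points at, as an added example that is not code from this thread, from OpenSSH or from Postfix: the parent keeps root, a forked child drops it for good (setgroups, then setgid, then setuid, in that order) before doing any work, and reports back over a pipe. The target ids (65534, the usual "nobody"/"nogroup") are an assumption; when the script is not started as root the drop is a no-op and the child simply shows that it cannot get root back either.

```python
"""Privilege separation with fork() and a pipe.

Added example, not code from the thread or from OpenSSH/Postfix. The parent
keeps root and only parses a small JSON reply; the child drops root for good
(setgroups -> setgid -> setuid) before doing any work. The target ids 65534
("nobody"/"nogroup" on most Linux systems) are an assumption.
"""
import json
import os

UNPRIV_UID = 65534  # assumption: "nobody"
UNPRIV_GID = 65534  # assumption: "nogroup" / "nobody"


def drop_privileges(uid=UNPRIV_UID, gid=UNPRIV_GID):
    """Irreversibly drop root in the calling process; no-op when not root.

    Order matters: clearing supplementary groups and changing the primary
    gid both need root, so they go first; setuid() comes last because once
    real, effective and saved uid are all non-zero there is no way back.
    """
    if os.geteuid() != 0:
        return False
    os.setgroups([])   # supplementary groups: all that setgroups() touches
    os.setgid(gid)     # primary group: the first id that `groups`/`id -G` prints
    os.setuid(uid)     # real + effective + saved uid; root is gone after this
    return True


def privilege_state():
    """Identity the calling process runs under, plus whether it can get root
    back (setuid(0) succeeds for root and raises PermissionError otherwise)."""
    try:
        os.setuid(0)
        can_regain_root = True
    except PermissionError:
        can_regain_root = False
    return {
        "uid": os.getuid(),
        "gid": os.getgid(),        # primary gid, which setgroups() never changes
        "groups": os.getgroups(),  # supplementary gids only
        "can_regain_root": can_regain_root,
    }


def run_unprivileged(work, uid=UNPRIV_UID, gid=UNPRIV_GID):
    """Run work() in a forked child that has dropped root; return its result.

    The child is the untrusted side, so it reports back as JSON over a pipe
    rather than pickle: the root parent must never deserialize executable
    data coming from the less-privileged process.
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: nothing here may fall through into the parent's code
        try:
            os.close(rfd)
            try:
                drop_privileges(uid, gid)   # raises if the drop fails, so
                data = json.dumps({"ok": work()}).encode()  # work() never
            except Exception as exc:        # runs with leftover privilege
                data = json.dumps({"error": repr(exc)}).encode()
            while data:                     # cope with short writes
                data = data[os.write(wfd, data):]
        finally:
            os._exit(0)
    os.close(wfd)  # parent
    chunks = []
    while True:
        chunk = os.read(rfd, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    os.waitpid(pid, 0)
    reply = json.loads(b"".join(chunks).decode())
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["ok"]


def parent_keeps_identity():
    """True if running a child unprivileged leaves the parent's ids intact."""
    before = privilege_state()
    run_unprivileged(privilege_state)
    return privilege_state() == before


if __name__ == "__main__":
    print("parent:", privilege_state())
    print("child :", run_unprivileged(privilege_state))
```

Run it as root to see the child report uid 65534, an empty supplementary list and `can_regain_root: False` while the parent's state is unchanged. The `gid` field is kept separate on purpose: os.getgroups() returns only the supplementary groups, whereas the `groups` and `id` commands print the primary gid first, so after setgroups([]) alone the shell still reports the root group until setgid() changes the primary group as well.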



Thread

Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 14:32 -0700
  Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() Heiko Wundram <modelnine@modelnine.org> - 2012-03-26 00:04 +0200
    Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 16:33 -0700
      Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() Ben Finney <ben+python@benfinney.id.au> - 2012-03-26 11:22 +1100
        Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-26 07:41 -0700
