
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups()

Newsgroups comp.lang.python
Date 2012-03-25 16:33 -0700
References <19158239.1073.1332711120749.JavaMail.geo-discussion-forums@ynlx41> <mailman.973.1332713242.3037.python-list@python.org>
Subject Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups()
From jeff <3beezer@gmail.com>
Message-ID <mailman.975.1332718443.3037.python-list@python.org> (permalink)



On Sunday, March 25, 2012 4:04:55 PM UTC-6, Heiko Wundram wrote:
> Am 25.03.2012 23:32, schrieb jeff:
> > After the os.setgroups, os.getgroups says that the process is not in
> > any groups, just as you would expect... I can suppress
> > membership in the root group only by doing os.setgid and os.setuid
> > before the os.system call (in which case I wind up in the group of the
> > new user instead of root), but I have to be able to get back to root
> > privilege so I can't use setgid and setuid.
> 
> Simply not possible (i.e., you can't drop root privileges, be it by 
> setuid()/setgid() or removing yourself from groups with setgroups()), 
> and later reacquire them _in the same process_. See the discussion of 
> how to implement privilege separation at
> 
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
> 
> (which discusses how this is implemented in OpenSSH) by running 
> multiple processes which communicate through IPC mechanisms, and each of 
> those drops the rights it requires. Using IPC to implement 
> reduced-privilege process spawning has a long history; also, Postfix 
> comes to mind as an "early" adopter of a privilege separation mechanism.
> 
> -- 
> --- Heiko.

os.system("su -m <unprivileged_user> -c '<command string>'")

seems to do the trick.
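The pattern Heiko describes (keep the privileged parent, drop rights only in a separate process) and the effect jeff gets from su -m can be done from Python without a shell: fork a child, change its supplementary groups, gid and uid in that order before exec, and leave the parent untouched. The example below is added here and is not code from the thread; the helper names drop_privileges, child_identity and parent_identity are made up for this example, and the target uid/gid/groups are assumptions passed in by the caller (setgroups needs root, so the example only calls it when a group list is given).

```python
import json
import os
import subprocess
import sys
from typing import Optional, Sequence


def drop_privileges(uid: Optional[int], gid: Optional[int],
                    groups: Optional[Sequence[int]]) -> None:
    """Runs in the child between fork() and exec(). The order matters:
    supplementary groups first, then the primary gid, then the uid, because
    once the effective uid is no longer 0 the process can no longer change
    its groups. Any argument left as None is skipped."""
    if groups is not None:
        os.setgroups(list(groups))   # requires root (CAP_SETGID on Linux)
    if gid is not None:
        os.setgid(gid)
    if uid is not None:
        os.setuid(uid)


def parent_identity() -> dict:
    """Identity of the calling (parent) process; used to show it never changes."""
    return {"uid": os.getuid(), "gid": os.getgid(),
            "groups": sorted(os.getgroups())}


def child_identity(uid: Optional[int] = None, gid: Optional[int] = None,
                   groups: Optional[Sequence[int]] = None) -> dict:
    """Spawn a Python child that drops privileges before exec and reports
    the uid, gid and supplementary groups it actually runs with.
    preexec_fn runs in the child only, so the parent keeps its own rights."""
    probe = ("import os, json; print(json.dumps({'uid': os.getuid(), "
             "'gid': os.getgid(), 'groups': sorted(os.getgroups())}))")
    result = subprocess.run(
        [sys.executable, "-c", probe],
        preexec_fn=lambda: drop_privileges(uid, gid, groups),
        capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    before = parent_identity()
    if os.geteuid() == 0:
        import pwd
        # Assumption for the demo: an unprivileged account named "nobody" exists.
        pw = pwd.getpwnam("nobody")
        child = child_identity(uid=pw.pw_uid, gid=pw.pw_gid, groups=[])
    else:
        # Without root we can only "drop" to our own ids; setgroups is skipped.
        child = child_identity(uid=os.getuid(), gid=os.getgid())
    print("child ran as:", child)
    print("parent still is:", parent_identity())
    assert parent_identity() == before
```

Run as root, the child reports nobody's uid/gid and an empty supplementary group list while the parent still reports uid 0 afterwards, which is exactly what the setgroups()-in-the-parent approach cannot give. On Python 3.9 and later, subprocess.run accepts user=, group= and extra_groups= keyword arguments that perform the same per-child drop without a preexec_fn.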



Thread

Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 14:32 -0700
  Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() Heiko Wundram <modelnine@modelnine.org> - 2012-03-26 00:04 +0200
    Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 16:33 -0700
    Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 16:33 -0700
      Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() Ben Finney <ben+python@benfinney.id.au> - 2012-03-26 11:22 +1100
        Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-26 07:41 -0700
