Newsgroups: comp.lang.python
From: jeff <3beezer@gmail.com>
To: comp.lang.python@googlegroups.com
Cc: python-list@python.org
Date: Sun, 25 Mar 2012 16:33:59 -0700 (PDT)
Subject: Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups()
References: <19158239.1073.1332711120749.JavaMail.geo-discussion-forums@ynlx41>
On Sunday, March 25, 2012 4:04:55 PM UTC-6, Heiko Wundram wrote:
> On 25.03.2012 23:32, jeff wrote:
> > After the os.setgroups, os.getgroups says that the process is not in
> > any groups, just as you would expect... I can suppress
> > membership in the root group only by doing os.setgid and os.setuid
> > before the os.system call (in which case I wind up in the group of the
> > new user instead of root), but I have to be able to get back to root
> > privilege so I can't use setgid and setuid.
>
> Simply not possible (i.e., you can't drop root privileges, be it by
> setuid()/setgid() or removing yourself from groups with setgroups()),
> and later reacquire them _in the same process_. See the discussion of
> how to implement privilege separation at
>
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>
> (which discusses how this is implemented in OpenSSH) by running
> multiple processes which communicate through IPC mechanisms, and each of
> those drops the rights it requires. Using IPC to implement
> reduced-privilege process spawning has a long history; also, Postfix
> comes to mind as an "early" adopter of a privilege separation mechanism.
>
> --
> --- Heiko.

os.system("su -m -c ''") seems to do the trick.
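The multi-process privilege separation Heiko points to, as an added example that is not from this thread: the privileged parent forks, only the child drops supplementary groups, gid and uid (in that order) before doing its work, and the result comes back over a pipe, so the parent keeps root. The function names and the pipe-plus-pickle transport are my choices, and the demo drops to the caller's own ids so it also runs unprivileged.

```python
import os
import pickle

def drop_privileges(uid, gid):
    """Irreversibly drop the calling process to uid/gid.  Order matters:
    supplementary groups (root-only call), then gid, then uid; after
    setuid() nothing can be undone, hence this runs only in a child."""
    if os.geteuid() == 0:
        os.setgroups([])  # leave root's supplementary groups
    os.setgid(gid)
    os.setuid(uid)

def run_unprivileged(uid, gid, func):
    """Fork, drop privileges in the child, run func there and pass its return
    value back over a pipe.  The parent's identity never changes."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: unprivileged from drop_privileges() onward
        os.close(rfd)
        status = 0
        try:
            drop_privileges(uid, gid)
            payload = func()
        except BaseException as exc:  # report failure instead of hanging parent
            payload, status = repr(exc), 1
        with os.fdopen(wfd, "wb") as pipe:
            pickle.dump(payload, pipe)
        os._exit(status)
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe:
        raw = pipe.read()
    _, wait_status = os.waitpid(pid, 0)
    if not raw or os.WEXITSTATUS(wait_status) != 0:
        raise RuntimeError("child failed: %r" % (raw and pickle.loads(raw)))
    return pickle.loads(raw)

def identity():
    """What any command spawned from here (os.system, subprocess) inherits."""
    return {"uid": os.getuid(), "gid": os.getgid(), "groups": sorted(os.getgroups())}

def demo(uid=None, gid=None):
    """Run identity() in a child dropped to uid/gid (default: our own ids, so
    the demo also works unprivileged) and return (before, child, after)."""
    if uid is None:
        uid, gid = os.getuid(), os.getgid()
    before = identity()
    child = run_unprivileged(uid, gid, identity)
    return before, child, identity()  # parent unchanged, still root if it was
```

A root daemon would pass a service account's uid/gid to run_unprivileged and spawn the command from inside func, so `groups` in that command reports only the dropped identity.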