Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #22146 > unrolled thread
| Started by | jeff <3beezer@gmail.com> |
|---|---|
| First post | 2012-03-25 14:32 -0700 |
| Last post | 2012-03-26 07:41 -0700 |
| Articles | 6 — 3 participants |
Back to article view | Back to comp.lang.python
Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 14:32 -0700
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() Heiko Wundram <modelnine@modelnine.org> - 2012-03-26 00:04 +0200
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 16:33 -0700
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-25 16:33 -0700
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() Ben Finney <ben+python@benfinney.id.au> - 2012-03-26 11:22 +1100
Re: Inconsistency between os.getgroups and os.system('groups') after os.setgroups() jeff <3beezer@gmail.com> - 2012-03-26 07:41 -0700
| From | jeff <3beezer@gmail.com> |
|---|---|
| Date | 2012-03-25 14:32 -0700 |
| Subject | Inconsistency between os.getgroups and os.system('groups') after os.setgroups() |
| Message-ID | <19158239.1073.1332711120749.JavaMail.geo-discussion-forums@ynlx41> |
Run this test program as root:
import os
print "before:", os.getgroups()
os.system("groups")
os.setgroups([])
print "after:", os.getgroups()
os.system("groups")
After the os.setgroups, os.getgroups says that the process is not in any groups, just as you would expect. However the groups command run using os.system says that the process is in the root group. It appears that the new process started by os.system augments the group membership specified in the os.setgroups command with the group of the actual user of the original process (which is root). I can suppress membership in the root group only by doing os.setgid and os.setuid before the os.system call (in which case I wind up in the group of the new user instead of root), but I have to be able to get back to root privilege so I can't use setgid and setuid. How do I run a program from a Python script running as root such that the group membership of the process running the program does not include root?
[toc] | [next] | [standalone]
| From | Heiko Wundram <modelnine@modelnine.org> |
|---|---|
| Date | 2012-03-26 00:04 +0200 |
| Message-ID | <mailman.973.1332713242.3037.python-list@python.org> |
| In reply to | #22146 |
Am 25.03.2012 23:32, schrieb jeff: > After the os.setgroups, os.getgroups says that the process is not in > any groups, just as you would expect... I can suppress > membership in the root group only by doing os.setgid and os.setuid > before the os.system call (in which case I wind up in the group of > the > new user instead of root), but I have to be able to get back to root > privilege so I can't use setgid and setuid. Simply not possible (i.e., you can't drop root privileges, be it by setuid()/setgid() or removing yourself from groups with setgroups()), and later reacquire them _in the same process_. See the discussion of how to implement privilege separation at http://www.citi.umich.edu/u/provos/ssh/privsep.html (which discusses how this is implemented in OpenSSH) by running multiple processes which communicate through IPC mechanisms, and each of those drops the rights it requires. Using IPC to implement reduced-privilege process spawning has a long history; also, Postfix comes to mind as an "early" adopter of a privilege separation mechanism. -- --- Heiko.
[toc] | [prev] | [next] | [standalone]
| From | jeff <3beezer@gmail.com> |
|---|---|
| Date | 2012-03-25 16:33 -0700 |
| Message-ID | <mailman.975.1332718443.3037.python-list@python.org> |
| In reply to | #22147 |
On Sunday, March 25, 2012 4:04:55 PM UTC-6, Heiko Wundram wrote:
> Am 25.03.2012 23:32, schrieb jeff:
> > After the os.setgroups, os.getgroups says that the process is not in
> > any groups, just as you would expect... I can suppress
> > membership in the root group only by doing os.setgid and os.setuid
> > before the os.system call (in which case I wind up in the group of
> > the
> > new user instead of root), but I have to be able to get back to root
> > privilege so I can't use setgid and setuid.
>
> Simply not possible (i.e., you can't drop root privileges, be it by
> setuid()/setgid() or removing yourself from groups with setgroups()),
> and later reacquire them _in the same process_. See the discussion of
> how to implement privilege separation at
>
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>
> (which discusses how this is implemented in OpenSSH) by running
> multiple processes which communicate through IPC mechanisms, and each of
> those drops the rights it requires. Using IPC to implement
> reduced-privilege process spawning has a long history; also, Postfix
> comes to mind as an "early" adopter of a privilege separation mechanism.
>
> --
> --- Heiko.
os.system("su -m <unprivileged_user> -c '<command string>'")
seems to do the trick.
[toc] | [prev] | [next] | [standalone]
| From | jeff <3beezer@gmail.com> |
|---|---|
| Date | 2012-03-25 16:33 -0700 |
| Message-ID | <7418918.681.1332718439318.JavaMail.geo-discussion-forums@yneo2> |
| In reply to | #22147 |
On Sunday, March 25, 2012 4:04:55 PM UTC-6, Heiko Wundram wrote:
> Am 25.03.2012 23:32, schrieb jeff:
> > After the os.setgroups, os.getgroups says that the process is not in
> > any groups, just as you would expect... I can suppress
> > membership in the root group only by doing os.setgid and os.setuid
> > before the os.system call (in which case I wind up in the group of
> > the
> > new user instead of root), but I have to be able to get back to root
> > privilege so I can't use setgid and setuid.
>
> Simply not possible (i.e., you can't drop root privileges, be it by
> setuid()/setgid() or removing yourself from groups with setgroups()),
> and later reacquire them _in the same process_. See the discussion of
> how to implement privilege separation at
>
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>
> (which discusses how this is implemented in OpenSSH) by running
> multiple processes which communicate through IPC mechanisms, and each of
> those drops the rights it requires. Using IPC to implement
> reduced-privilege process spawning has a long history; also, Postfix
> comes to mind as an "early" adopter of a privilege separation mechanism.
>
> --
> --- Heiko.
os.system("su -m <unprivileged_user> -c '<command string>'")
seems to do the trick.
[toc] | [prev] | [next] | [standalone]
| From | Ben Finney <ben+python@benfinney.id.au> |
|---|---|
| Date | 2012-03-26 11:22 +1100 |
| Message-ID | <87ty1cgqj1.fsf@benfinney.id.au> |
| In reply to | #22151 |
jeff <3beezer@gmail.com> writes:
> On Sunday, March 25, 2012 4:04:55 PM UTC-6, Heiko Wundram wrote:
> > Am 25.03.2012 23:32, schrieb jeff:
> > > but I have to be able to get back to root privilege so I can't use
> > > setgid and setuid.
> >
> > Simply not possible (i.e., you can't drop root privileges, be it by
> > setuid()/setgid() or removing yourself from groups with setgroups()),
> > and later reacquire them _in the same process_. See the discussion of
> > how to implement privilege separation at
> >
> > http://www.citi.umich.edu/u/provos/ssh/privsep.html
>
> os.system("su -m <unprivileged_user> -c '<command string>'")
>
> seems to do the trick.
Yes, because ‘os.system’ explicitly starts a new process.
It can't be done in the same process, as Heiko correctly said.
--
\ “Faith, n. Belief without evidence in what is told by one who |
`\ speaks without knowledge, of things without parallel.” —Ambrose |
_o__) Bierce, _The Devil's Dictionary_, 1906 |
Ben Finney
[toc] | [prev] | [next] | [standalone]
| From | jeff <3beezer@gmail.com> |
|---|---|
| Date | 2012-03-26 07:41 -0700 |
| Message-ID | <1229886.3.1332772897822.JavaMail.geo-discussion-forums@ynbp21> |
| In reply to | #22152 |
On Sunday, March 25, 2012 6:22:10 PM UTC-6, Ben Finney wrote:
> jeff writes:
>
> > On Sunday, March 25, 2012 4:04:55 PM UTC-6, Heiko Wundram wrote:
> > > Am 25.03.2012 23:32, schrieb jeff:
> > > > but I have to be able to get back to root privilege so I can't use
> > > > setgid and setuid.
> > >
> > > Simply not possible (i.e., you can't drop root privileges, be it by
> > > setuid()/setgid() or removing yourself from groups with setgroups()),
> > > and later reacquire them _in the same process_. See the discussion of
> > > how to implement privilege separation at
> > >
> > > http://www.citi.umich.edu/u/provos/ssh/privsep.html
> >
> > os.system("su -m <unprivileged_user> -c '<command string>'")
> >
> > seems to do the trick.
>
> Yes, because ‘os.system’ explicitly starts a new process.
>
> It can't be done in the same process, as Heiko correctly said.
>
> --
> \ “Faith, n. Belief without evidence in what is told by one who |
> `\ speaks without knowledge, of things without parallel.” —Ambrose |
> _o__) Bierce, _The Devil's Dictionary_, 1906 |
> Ben Finney
I didn't ask how to do it in the same process, but thanks to both of you for that information.
By the way, are you guys aware of seteuid and setegid?
[toc] | [prev] | [standalone]
Back to top | Article view | comp.lang.python
csiph-web