setuid | 易学教程

setuid program owned by non-root user

阅读更多关于 setuid program owned by non-root user

问题 I have a setuid program (getpwd) that runs as expected only when owned by root. -rwsr-xr-x 1 root root 7981 2011-11-17 18:28 getpwd* In other words when my program is executed on the command line by user "alice" all works fine The program opens a file in directory /home/secure and print the contents to screen. alice@devbox:/home/alice/tmp$ ./getpwd setuid is working However when I change the ownership and set setuid of the file: chown secure:users getpwd chmod 4755 getpwd -rwsr-xr-x 1 secure

Considerations for a setuid wrapper

阅读更多关于 Considerations for a setuid wrapper

问题 A Python extension I've written requires root access to do a single hardware initialisation call. I'd rather not run the whole script as root just for this one call in my extension, so I would like to write a wrapper to do this initialisation before dropping to user privileges and running the actual script. I intend for this wrapper to be run via sudo , eg $ sudo devwrap python somescript.py I was considering something like ( updated to fix a couple of bugs ): int main(int argc, char * argv[]

setuid/setgid wrapper for python script

阅读更多关于 setuid/setgid wrapper for python script

问题 I have a Python script that I wish to be able to be run as the system user guybrush with UID 200 and group guybrush with GID 200. At the moment my Python script (located in /path/to/script.py ) looks like this: #!/usr/bin/env python2 import os print "uid: %s" % os.getuid() print "euid: %s" % os.getgid() print "gid: %s" % os.geteuid() print "egid: %s" % os.getegid() My attempted C wrapper ( scriptwrap.c ) looks like this: #include <unistd.h> #include <sys/types.h> int main(int argc, char *argv

Secure access to files in a directory identified by an environment variable?

阅读更多关于 Secure access to files in a directory identified by an environment variable?

问题 Can anyone point to some code that deals with the security of files access via a path specified (in part) by an environment variable, specifically for Unix and its variants, but Windows solutions are also of interest? This is a big long question - I'm not sure how well it fits the SO paradigm. Consider this scenario: Background: Software package PQR can be installed in a location chosen by users. The environment variable $PQRHOME is used to identify the install directory. By default, all

setuid equivalent for non-root users

阅读更多关于 setuid equivalent for non-root users

问题 Does Linux have some C interface similar to setuid, which allows a program to switch to a different user using e.g. the username/password? The problem with setuid is that it can only be used by superusers. I am running a simple web service which requires jobs to be executed as the logged in user. So the main process runs as root, and after the user logs in it forks and calls setuid to switch to the appropriate uid. However, I am not quite comfortable with the main proc running as root. I

setgid() fails - operation not permitted

阅读更多关于 setgid() fails - operation not permitted

问题 I created a setuid program in C. The executable looks like this: -r-s-r-s--- 1 root users 13073 Jun 15 21:56 server I execute the program as userA/users and try to set the uid/gid to userB/otherUsers . setgid() fails with Operation not permitted. userA is not part of otherUsers How can I change the effective gid? [EDIT] Here is a small summary of what I did. My C program, executed as userA, sets uid and gid to userB and creates a file. Not as expected, the file belongs to the group root,

Dropping process rights under windows

阅读更多关于 Dropping process rights under windows

问题 I'm looking for a method to drop process rights for security reasons. I want to start as user with privileges and end as limited user. For example I want my web server to run under restricted user by I still want to listen on port 80. How can I do such things under Windows. Something similar to Unix's: bind_to_80(); chroot("/some/limited/dir"); setuid(limited_user_id); setgid(limited_group_id); chroot("/some/limited/dir"); // drop some more rights fork(); // now I can't come back How can I do

What do getresuid() and setresuid() do?

阅读更多关于 What do getresuid() and setresuid() do?

问题 What do the functions getresuid(&arg1,&arg2,&arg3) and setresuid(arg1,arg2,arg3) do? It would be great if a really basic explanation of these functions were given. 回答1: From the credentials(7) man page (abridged): On Linux, each process has the following user and group identifiers: Real user ID and real group ID. These IDs determine who owns the process. Effective user ID and effective group ID. These IDs are used by the kernel to determine the permissions that the process will have when

“Operation not permitted” while dropping privileges using setuid() function

阅读更多关于 “Operation not permitted” while dropping privileges using setuid() function

问题 Why this simple programs that use os.setuid()/gid() fails? Is written in python but I think that is not a language relative problem (at the end are all the same posix system call): import os, pwd if os.getenv("SUDO_UID") and os.getenv("SUDO_GID"): orig_uid=int(os.getenv("SUDO_UID")) orig_gid=int(os.getenv("SUDO_GID")) else: pw = pwd.getpwnam("nobody") orig_uid = pw.pw_uid orig_gid = pw.pw_gid print os.getuid(), os.getgid(), os.geteuid(), os.getegid(), orig_uid, orig_gid os.setgid(orig_gid) os

stdbuf with setuid/capabilities

阅读更多关于 stdbuf with setuid/capabilities

I am reading output from another process which generates output (slow and infinite). Because I want to read this data in real-time I use "stdbuf -oL" (line-buffered, data is text). I do not have control of the generating process so I cannot modify the source to force flushing. So far stdbuf works just fine, however the process uses SOCK_RAW and needs either to be run as root, have setuid(0) or the cap_net_raw capability. When running as non-root with setuid or capabilities stdbuf seems to be ignored. Let me demonstrate the problem: This is a simple writer: #include <stdio.h> #include <unistd.h