(no subject)

Xavier Kaotico sabu at pure-elite.org
Tue May 7 10:14:25 EDT 2002 

Hey Daniel,

I was at this exact spot once before.  The reason why you are getting the 
OSError/permission fault is because Python is not +s/+sg.  See, the script can be 
s+ and owned by root with world executions, and still won't be able to call 
setuid(0)/setgid(0).  Since Python is an interpreter, and the script calls it to 
execute its payload; logically, it will not be able to setuid(0)/setgid(0) from a 
-s/-sg Python binary.

In order for your script to work right, you must +suid Python, however -- that 
idea is bad, since Python, with +s can be turned into a backdoor, by your system 
users, if they had execution rights.  A malicious user would merely execute:

python -c 'import os; os.setuid(0);os.setgid(0);os.system("sh")'

And, right there -- would have a rootshell, gained from your +suid attachment to 
Python.  Thus, making it quite a bad idea.  And of course, that would mean that 
any other environment your script is run under -- it must attain a +suid Python 
as well; thus complicating the whole purpose (only if your planning to distribute 
the code of course).


Take care, Xavier.

----- Original Message -----
From: insaney at ufl.edu (Daniel)
Date: 7 May 2002 06:33:10 -0700 
To: python-list at python.org
Subject: os.seteuid

I'm new at this, so maybe I've just got it all wrong, but I have a
python script owned by root:root with chmod +s.  Should this script be
able to set-uid/gid/euid/egid or anything?  The script fails at
changing any of these to anything else.

Help?
~ Daniel

$ ls -al testing2
-rwsr-sr-x    1 root     root          205 May  7 09:10 testing2
$ cat testing2
#!/usr/bin/python2
import os
print os.getgid(),os.getegid(),os.getuid(),os.geteuid()
print os.getgroups()
os.seteuid(0)
$ ./testing2
48 48 48 48
[48]
Traceback (most recent call last):
  File "./testing2", line 5, in ?
    os.seteuid(0)
OSError: [Errno 1] Operation not permitted

if useful...
running RH linux 7.2... have tried python 2.2 and python 1.5.2
(without print os.getgroups() line)
-- 
http://mail.python.org/mailman/listinfo/python-list

More information about the Python-list mailing list