proposal: add setresuid() system call to python

travis+ml-python at subspacefield.org
Fri Jul 17 16:01:41 EDT 2009


Hello,

Historically, I have used scripting languages like python for typical
uses, but they tend to not fare very well at system programming; for
close interfacing with the operating system, I'm often forced to use a
language like C.  This is undesirable to me.

I do not think this has to be the case; I see no reason why a
scripting language can't implement more of the system call API, at the
risk of having some OS-dependent modules.  I would actually like to
see more network servers written in scripting languages, as they
neatly avoid buffer overflow and integer overflow issues with no extra
effort.

One BIG roadblock to doing this is when they can't manage to drop
permissions properly.

I am suggesting that the setresuid function be added to python,
perhaps in the OS module, because it has the clearest semantics for
manipulating user ids.  The reason why is best described in the
following paper:

http://www.eecs.berkeley.edu/~daw/papers/setuid-usenix02.pdf

One argument against this is that it is not specified by POSIX, and
thus might be dismissed as "implementation dependent".

However, as the paper above demonstrates, even though the setuid
system call is defined by POSIX, it already has system-dependent
behavior.  POSIX provides for at least two different behaviors of the
setuid call, and even more if you consider that it leaves what
constitutes "appropriate privileges" up to the OS kernel.

I humbly propose that python implement all the routines necessary to
securely drop privileges, to enable construction of network daemons
that might need to drop privileges from root to some non-root userid
(e.g. mail transfer agents, or POP/IMAP servers).

Furthermore, where there are multiple system calls to achieve this
effect, it should implement the ones with the clearest semantics, and
setresuid fits that bill.  To see what an utter mess the uid-manipulation
routines are in, I refer you once again to this paper, as the situation
is too complicated to describe in this email:

http://www.eecs.berkeley.edu/~daw/papers/setuid-usenix02.pdf

Opinions?

Best,
Travis
-- 
Obama Nation | My emails do not have attachments; it's a digital signature
that your mail program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john at subspacefield.org to get blacklisted.
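
The privilege drop the message asks for, as an added example that is not part of the original email: it uses os.setresuid and os.getresuid, which Python's os module now exposes on Unix. The function names, the error class and the target ID 65534 are assumptions made for illustration.

```python
import os


class PrivilegeDropError(RuntimeError):
    """The process still holds an identity it should have lost."""


def drop_privileges(uid, gid):
    """Permanently set real, effective and saved IDs to uid/gid."""
    # Groups first: once the UID is non-zero the process can no longer
    # change its GIDs or supplementary groups.
    if os.geteuid() == 0:
        os.setgroups([])             # shed root's supplementary groups
    os.setresgid(gid, gid, gid)      # real, effective, saved GID
    os.setresuid(uid, uid, uid)      # real, effective, saved UID

    # Read the IDs back instead of trusting that the calls did the job.
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise PrivilegeDropError("IDs after drop do not match the target")

    # A permanent drop leaves no way back to root.
    if uid != 0:
        try:
            os.setresuid(0, 0, 0)
        except PermissionError:
            pass
        else:
            raise PrivilegeDropError("root was regained after the drop")
    return os.getresuid()


def drop_in_child(uid, gid):
    """Run drop_privileges in a forked child; True if it verified cleanly."""
    pid = os.fork()
    if pid == 0:
        try:
            drop_privileges(uid, gid)
        except Exception:
            os._exit(1)
        os._exit(0)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


if __name__ == "__main__":
    # Assumption: 65534 is the "nobody" UID/GID, as on most Linux systems.
    target = (65534, 65534) if os.geteuid() == 0 else (os.getuid(), os.getgid())
    print("drop verified:", drop_in_child(*target))
```

A daemon would call drop_privileges directly after binding its privileged port; the forked variant exists only so the check can be run without changing the caller's own identity.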
More information about the Python-list mailing list