remote server and effective uid
tim.arnold at sas.com
Tue Nov 16 18:37:37 CET 2010
"Tim Harig" <usernet at ilthio.net> wrote in message
news:ibs8h9$jmq$1 at speranza.aioe.org...
> On 2010-11-15, Tim Arnold <a_jtim at bellsouth.net> wrote:
>> On Nov 15, 10:41 am, Tim Harig <user... at ilthio.net> wrote:
>>> On 2010-11-15, Tim Arnold <a_j... at bellsouth.net> wrote:
>>> > How can I enable the server process to write into the client's
>>> > directories?
>>> > If I change the inetd service to run as 'root', I guess that would
>>> > work, but then the client couldn't remove the files put there after
>>> > the request.
>>> Python provides os.setuid() and os.seteuid() which wrap the system
>>> functions. See your system's man pages for these functions for more
>> Thanks -- that was a lot easier than I thought it was going to be.
>> pass the client's uid in the message to the server like so
>> argstring, local_dir, uid = message.split(':')
> I am not sure exactly what you are doing; but, I would advise great
> caution as messing this up could easily open your system to exploitation.
> Be very sure that you know what you are doing.
I can see how that looks dangerous, but I think it's okay. I have inetd
listening on a port and whatever it receives, it passes on to that line
above "argstring, local_dir, uid = message.split(':')". The argstring is
parsed using 'argparse'; the resulting list of args is passed to a Python
class that can only do work for a specific set of args. I can't think of a
way someone could pass in an evil argstring that could do anything but fail.
Thanks for your reply, and if you still think it's dangerous please let me
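
Added example, not part of the original post or of either poster's code: one way a root-run inetd handler could check the `argstring:local_dir:uid` message discussed above before calling `os.setuid()`, so that a client-supplied uid and directory are never acted on blindly. The names `validate_request`, `run_as_client` and `MIN_UID` are hypothetical, and the 1000 threshold is an assumption about where ordinary accounts start.

```python
import os
import pwd
import stat

MIN_UID = 1000  # assumption: ordinary accounts start here; adjust per site


def validate_request(message, min_uid=MIN_UID):
    """Parse 'argstring:local_dir:uid' and refuse anything the server should not act on."""
    fields = message.split(":")
    if len(fields) != 3:
        raise ValueError("expected exactly three ':'-separated fields")
    argstring, local_dir, uid_text = fields
    if not uid_text.isdigit():
        raise ValueError("uid must be a non-negative integer")
    uid = int(uid_text)
    if uid < min_uid:
        raise ValueError("refusing root or system uid %d" % uid)
    # Only a canonical absolute path: no '..', no symlinked components.
    if not os.path.isabs(local_dir) or os.path.realpath(local_dir) != local_dir:
        raise ValueError("local_dir must be a canonical absolute path")
    st = os.lstat(local_dir)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError("local_dir is not a directory")
    # The claimed uid must already own the directory it asks us to write into.
    if st.st_uid != uid:
        raise ValueError("local_dir is not owned by uid %d" % uid)
    return argstring, local_dir, uid


def run_as_client(uid, local_dir, work):
    """Fork, drop root for good in the child, then call work(local_dir)."""
    entry = pwd.getpwuid(uid)  # KeyError if the uid has no account
    pid = os.fork()
    if pid == 0:
        status = 1
        try:
            os.initgroups(entry.pw_name, entry.pw_gid)  # supplementary groups first
            os.setgid(entry.pw_gid)
            os.setuid(uid)  # permanent: the child cannot regain root
            os.chdir(local_dir)
            work(local_dir)
            status = 0
        finally:
            os._exit(status)
    return os.waitpid(pid, 0)[1]
```

The uid is still an unauthenticated claim from the network; the ownership check only limits the outcome to files written as a user into a directory that user already owns. Files created inside `work` belong to the client, so the client can remove them afterwards.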