remote server and effective uid

Tim Arnold tim.arnold at
Tue Nov 16 18:37:37 CET 2010

"Tim Harig" <usernet at> wrote in message 
news:ibs8h9$jmq$1 at
> On 2010-11-15, Tim Arnold <a_jtim at> wrote:
>> On Nov 15, 10:41 am, Tim Harig <user... at> wrote:
>>> On 2010-11-15, Tim Arnold <a_j... at> wrote:
>>> > How can I enable the server process to write into the client's
>>> > directories?
>>> > If I change the inetd service to run as 'root', I guess that would
>>> > work, but then the client couldn't remove the files put there after
>>> > the request.
>>> Python provides os.setuid() and os.seteuid() which wrap the system
>>> functions. See you systems man pages for these functions for more
>>> information.
>> Thanks -- that was a lot easier than I thought it was going to be.
>> pass the client's uid in the message to the server like so
>> argstring, local_dir, uid = message.split(':')
>> os.seteuid(int(uid))
> I am not sure exactly what you are doing; but, I would advise great
> caution as messing this up could easily open your system to exploitation.
> Be very sure that you know what you are doing.

I can see how that looks dangerous, but I think it's okay. I have inetd 
listening on a port and whatever it receives, it passes on to that line 
above "argstring, local_dir, uid message.split(':').  The argstring is 
parsed using 'argparse' the resulting list of args is passed to a Python 
class that can only do work for a specific set of args. I can't think of a 
way someone could pass in an evil argstring that could do anything but fail.

Thanks for your reply, and if you still think it's dangerous please let me 

More information about the Python-list mailing list