Inconsistency between os.getgroups and os.system('groups') after os.setgroups()

Ben Finney ben+python at benfinney.id.au
Mon Mar 26 02:22:10 CEST 2012


jeff <3beezer at gmail.com> writes:

> On Sunday, March 25, 2012 4:04:55 PM UTC-6, Heiko Wundram wrote:
> > Am 25.03.2012 23:32, schrieb jeff:
> > > but I have to be able to get back to root privilege so I can't use
> > > setgid and setuid.
> > 
> > Simply not possible (i.e., you can't drop root privileges, be it by 
> > setuid()/setgid() or removing yourself from groups with setgroups()), 
> > and later reacquire them _in the same process_. See the discussion of 
> > how to implement privilege separation at
> > 
> > http://www.citi.umich.edu/u/provos/ssh/privsep.html
>
> os.system("su -m <unprivileged_user> -c '<command string>'")
>
> seems to do the trick.

Yes, because ‘os.system’ explicitly starts a new process.

It can't be done in the same process, as Heiko correctly said.

-- 
 \       “Faith, n. Belief without evidence in what is told by one who |
  `\   speaks without knowledge, of things without parallel.” —Ambrose |
_o__)                           Bierce, _The Devil's Dictionary_, 1906 |
Ben Finney



More information about the Python-list mailing list