Inconsistency between os.getgroups and os.system('groups') after os.setgroups()

jeff 3beezer at gmail.com
Mon Mar 26 16:41:37 CEST 2012


On Sunday, March 25, 2012 6:22:10 PM UTC-6, Ben Finney wrote:
> jeff writes:
> 
> > On Sunday, March 25, 2012 4:04:55 PM UTC-6, Heiko Wundram wrote:
> > > On 25.03.2012 23:32, jeff wrote:
> > > > but I have to be able to get back to root privilege so I can't use
> > > > setgid and setuid.
> > > 
> > > Simply not possible (i.e., you can't drop root privileges, be it by 
> > > setuid()/setgid() or removing yourself from groups with setgroups()), 
> > > and later reacquire them _in the same process_. See the discussion of 
> > > how to implement privilege separation at
> > > 
> > > http://www.citi.umich.edu/u/provos/ssh/privsep.html
> >
> > os.system("su -m <unprivileged_user> -c '<command string>'")
> >
> > seems to do the trick.
> 
> Yes, because ‘os.system’ explicitly starts a new process.
> 
> It can't be done in the same process, as Heiko correctly said.
> 
> -- 
>  \       “Faith, n. Belief without evidence in what is told by one who |
>   `\   speaks without knowledge, of things without parallel.” —Ambrose |
> _o__)                           Bierce, _The Devil's Dictionary_, 1906 |
> Ben Finney

I didn't ask how to do it in the same process, but thanks to both of you for that information.

By the way, are you guys aware of seteuid and setegid?
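
The approach discussed in this thread (a new child process gives up root for good while the root parent is left unchanged), as an added example that is not part of the original post. The names `drop_privileges` and `run_as`, the `_os` test hook and the `nobody` account are assumptions made for illustration.

```python
import os
import pwd
import sys

def drop_privileges(uid, gid, groups, _os=os):
    """Permanently drop root in the calling process.

    Order matters: supplementary groups and gid are changed while the
    process is still root, because after setuid() it can no longer do so.
    `_os` is a hypothetical hook so the call order can be checked without root.
    """
    _os.setgroups(groups)  # replace root's supplementary group list
    _os.setgid(gid)        # as root: sets real, effective and saved gid
    _os.setuid(uid)        # as root: sets real, effective and saved uid
    if uid != 0:
        # Confirm there is no way back: regaining uid 0 must now fail.
        try:
            _os.setuid(0)
        except PermissionError:
            return
        raise RuntimeError("privilege drop is reversible")

def run_as(username, argv):
    """Run argv as `username` in a child process; the parent stays root."""
    pw = pwd.getpwnam(username)
    groups = os.getgrouplist(pw.pw_name, pw.pw_gid)
    pid = os.fork()
    if pid == 0:  # child: drop for good, then replace the process image
        try:
            drop_privileges(pw.pw_uid, pw.pw_gid, groups)
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # reached only if the drop or the exec failed
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exit_code(status)

if __name__ == "__main__":
    if os.geteuid() != 0:
        sys.exit("run as root to see the demonstration")
    # "nobody" is an assumed account name; substitute a local one.
    print("child exit code:", run_as("nobody", ["id"]))
    print("parent euid is still", os.geteuid())
```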


