当前位置: 文江博客话题详情

“不允许操作”关于使用 os.setuid( ) [python]

发布于 2024-12-05 21:54:15 字数 694 浏览 2 评论 0原文

我正在尝试构建一个平台来启动一些脚本。该脚本放置在每个用户的主文件夹中。每次启动都应该使用每个用户 ID 来完成,因此,我正在为每个用户执行以下操作:

user_id = pwd.getpwnam( user )[ 3 ]
user_home = pwd.getpwnam( user )[ 5 ]

os.chdir( user_home )
os.setuid( user_id )

subprocess.Popen( shlex.split( "user_script.py" ) )

但是,当 python 尝试执行 os.setuid( user_id ) 时,它会引发此异常:

Traceback (most recent call last):
  File "launcher.py", line XX, in <module>

OSError: [Errno 1] Operation not permitted

顺便说一下,启动此脚本的用户位于 root 组中(在 GNU/linux 操作系统上),并且拥有所有 root 权限。

如果我尝试使用 root 用户启动相同的代码,则会收到不同的错误:

OSError: [Errno 13] Permission denied

如果有人可以帮助我了解发生了什么,请...

原文

I'm trying to build a platform to launch some scripts. This scripts are placed in home folder of each user. Every launch should be done with each user id so, I'm doing, for each user, this:

user_id = pwd.getpwnam( user )[ 3 ]
user_home = pwd.getpwnam( user )[ 5 ]

os.chdir( user_home )
os.setuid( user_id )

subprocess.Popen( shlex.split( "user_script.py" ) )

But, when python trys to do os.setuid( user_id ) it raise this exception:

Traceback (most recent call last):
  File "launcher.py", line XX, in <module>

OSError: [Errno 1] Operation not permitted

By the way, the user who starts this script is in the root group (on GNU/linux OS) and it has all the root privileges.

If I try to launch the same code with root user I get a different error:

OSError: [Errno 13] Permission denied

If someone can help me to understand what's happening please...

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

世态炎凉 2024-12-12 21:54:15

只有 root 可以执行 setuid,仅在 root 组中是不够的。

Only root can do a setuid, being in the root-group is not enough.

回复 原文
凯凯我们等你回来 2024-12-12 21:54:15

只有超级用户可以随时更改 uid,仅将用户添加到 root 组是不够的。

例如 setuid(2) 提到:

 The setuid() system call is permitted if the specified ID is equal to the
 real user ID or the effective user ID of the process, or if the effective
 user ID is that of the super user.

在 Linux 上,还有:

   Under Linux, setuid() is implemented like the POSIX version with the 
   _POSIX_SAVED_IDS feature.  This allows a set-user-ID (other than  root)
   program to drop all of its user privileges, do some un-privileged work, and
   then reengage the original effective user ID in a secure manner.

我什至不知道 Python 是否直接实现了这个,但无论如何它并不完全是你想要的。

所以简短的答案是:以 root 身份启动初始进程。

如果您担心安全性,请启动两个进程,一个作为 root,一个作为非特权用户,并让非特权进程通过套接字与 root 进程进行通信。不过,这是一个更高级的设置......

Only superuser can change uid whenever it feels like it, just adding the user to the root group is not enough.

setuid(2) for example mentions:

 The setuid() system call is permitted if the specified ID is equal to the
 real user ID or the effective user ID of the process, or if the effective
 user ID is that of the super user.

On Linux, there's also:

   Under Linux, setuid() is implemented like the POSIX version with the 
   _POSIX_SAVED_IDS feature.  This allows a set-user-ID (other than  root)
   program to drop all of its user privileges, do some un-privileged work, and
   then reengage the original effective user ID in a secure manner.

I don't even know if Python directly implements this, but it's not exactly what you want anyway.

So the short answer is: Start the initial process as root.

If you're worried about security, start two processes, one as root, one as non-privileged user, and have the non-privileged process communicate with the root process with a socket. This is a more advanced setup though...

回复 原文
玩心态 2024-12-12 21:54:15

OSError: [Errno 1] Operation not allowed 表示启动脚本的用户权限不足。位于根组中还不够,它实际上需要 CAP_SETUID 功能。

OSError: [Errno 13] Permission returned 可能是一个不相关的错误。你应该看看它的堆栈跟踪。

OSError: [Errno 1] Operation not permitted indicates the user who starts the script has insufficient privileges. Being in the root group is not enough, it actually needs the CAP_SETUID capability.

OSError: [Errno 13] Permission denied is probably an unrelated error. You should have a look at its stacktrace.

回复 原文
作死小能手 2024-12-12 21:54:15

这条线

subprocess.Popen( shlex.split( "user_script.py" ) )

在很多方面让我感到困惑。

  1. shlex.split() 似乎是多余的,因为没有什么可分割的。
  2. 最好将 Popen() 的参数放在列表中。
  3. 如果user_script.py没有执行权限,即使root也无法执行此操作。

The line

subprocess.Popen( shlex.split( "user_script.py" ) )

confuses me in manifold ways.

  1. The shlex.split() seems to be redundant, as there is nothing to split.
  2. Better put Popen()'s parameter in a list.
  3. If user_script.py has no execute permissions, even root cannot do that.
回复 原文
总攻大人 2024-12-12 21:54:15

您还使用 setuid 权限。也就是说,

       chmod 4755 script.py

现在即使是普通用户,如果您执行该程序,它也会切换为特定用途。您不会遇到任何权限问题。

you also use setuid permission . That is give ,

       chmod 4755 script.py

Now even from normal user if you execute the program it will switch as that particular use. You won't get any permission issues .

回复 原文
~没有更多了~

关于作者

小女人ら

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

已经忘了多久

文章 0 评论 0

15867725375

文章 0 评论 0

LonelySnow

文章 0 评论 0

走过海棠暮

文章 0 评论 0

轻许诺言

文章 0 评论 0

信馬由缰

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文