3

I am running into an issue regarding dropping root privileges when opening a file in /tmp. Here is the line in question:

```python
open(filepath, 'wb')
```

When the program is not run with a sudo command everything works fine, and here are the permissions when I do os.stat:

```
posix.stat_result(st_mode=17407, st_ino=261652, st_dev=64512L, st_nlink=206, st_uid=1000, st_gid=1000, st_size=12288, st_atime=1352314677, st_mtime=1352316340, st_ctime=1352316340)
```

I run into an issue when the program is run with a sudo command. I try to drop privileges with the following

```python
os.setegid(int(os.getenv("SUDO_GID")))
os.seteuid(int(os.getenv("SUDO_UID")))
```

and reenable them with

```python
os.seteuid(0)
os.setegid(0)
```

The error message is

```
IOError: [Errno 13] Permission denied:
```

os.stat yields

```
posix.stat_result(st_mode=17407, st_ino=261652, st_dev=64512L, st_nlink=204, st_uid=1000, st_gid=1000, st_size=4096, st_atime=1352314677, st_mtime=1352316329, st_ctime=1352316329)
```

Ideally I'd like to run a particular function as if the user never called sudo by dropping and enabling root privileges accordingly.

jww
user1802143
  • Can you post the full code to reproduce the problem? – del Nov 07 '12 at 23:46
  • Possible duplicate of [Dropping Root Permissions In Python](https://stackoverflow.com/questions/2699907/dropping-root-permissions-in-python) – jww Jul 23 '17 at 18:48

1 Answer

2

You will probably need to change from root in a process that you spawn somehow, because, if you drop root, you can't get it back again. You could try using os.fork() for this.

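```python
import os
import traceback


def drop_permissions():
    # Change the group first: an unprivileged effective UID
    # cannot switch to another group afterwards.
    os.setegid(int(os.getenv("SUDO_GID")))
    os.seteuid(int(os.getenv("SUDO_UID")))


def call_without_permissions(func, *args, **kw):
    pid = os.fork()  # 0 in the child, the child's PID in the parent
    if pid == 0:
        try:
            drop_permissions()
            func(*args, **kw)
        except BaseException:
            # Never let the child fall through into the parent's code path.
            traceback.print_exc()
            os._exit(1)
        os._exit(0)
    else:
        # os.waitpid() needs the PID to wait for and an options argument.
        os.waitpid(pid, 0)
```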
pydsigner
  • Do you mind linking me to some example code that demonstrates how to do that? – user1802143 Nov 07 '12 at 21:24
  • Working on some now. However, it won't actually run, you'll have to implement a few things yourself, like your already existing user changer. – pydsigner Nov 07 '12 at 21:33
  • Thanks for the code. Am I dropping/enabling permissions correctly with my above code? Do I even need to reenable root in this case since we are forking? – user1802143 Nov 07 '12 at 22:08
  • I think that you are changing your UID and GID properly. And no, you should not need to reenable root; your main process never loses root. – pydsigner Nov 07 '12 at 22:14
  • I tried your code, but unfortunately it didn't solve the original problem. I am wondering if it has to do with the fact that I'm not changing privileges properly. – user1802143 Nov 07 '12 at 22:30
  • Try again, using the code above which sets both the real and effective GID and UID for the process. – pydsigner Nov 07 '12 at 22:41
  • @pydsigner "if you drop root, you can't get it back again" - not true, that's what effective UID/GID are used for. See [here](http://www.makelinux.net/alp/083) for a longer explanation. – del Nov 07 '12 at 23:25
  • Hmm. In that case, I don't know what your problem is. – pydsigner Nov 07 '12 at 23:33
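
The temporary drop the question asks for, using the effective IDs mentioned in del's comment, can be wrapped in a context manager. This is an added example, not code from the question or the answer; `sudo_target`, `dropped_privileges` and `write_as_invoking_user` are hypothetical names, and it assumes a POSIX system with the process started through sudo.

```python
import contextlib
import os
import pwd


def sudo_target(environ=os.environ):
    """(uid, gid) of the user who invoked sudo, or None when not run via sudo."""
    if "SUDO_UID" not in environ or "SUDO_GID" not in environ:
        return None
    # int() raises ValueError on garbage, so a bad value never means "stay root".
    return int(environ["SUDO_UID"]), int(environ["SUDO_GID"])


@contextlib.contextmanager
def dropped_privileges(uid, gid):
    """Run the with-block with effective IDs uid/gid, then restore the old ones."""
    saved_euid, saved_egid = os.geteuid(), os.getegid()
    if (saved_euid, saved_egid) == (uid, gid):
        yield  # already running as the target, nothing to drop
        return
    saved_groups = os.getgroups()
    try:
        groups = os.getgrouplist(pwd.getpwuid(uid).pw_name, gid)
    except KeyError:  # uid has no passwd entry
        groups = [gid]
    try:
        os.setgroups(groups)  # root's supplementary groups would still grant access
        os.setegid(gid)       # group before user: both calls need euid 0
        os.seteuid(uid)       # saved set-user-ID stays 0, so this is reversible
        yield
    finally:
        os.seteuid(saved_euid)  # regain the old euid first; the rest needs it
        os.setegid(saved_egid)
        os.setgroups(saved_groups)


def write_as_invoking_user(path, data, environ=os.environ):
    """Write data to path as the sudo caller; return the uid that owns the file."""
    target = sudo_target(environ) or (os.getuid(), os.getgid())  # no sudo: no drop
    with dropped_privileges(*target):
        with open(path, "wb") as fh:
            fh.write(data)
            return os.fstat(fh.fileno()).st_uid
```

Because the saved set-user-ID stays 0, any code running inside the block can call `os.seteuid(0)` itself, so this prevents accidental root-owned files but does not contain untrusted code. For that, fork and call `os.setgid()` and `os.setuid()` in the child so the drop is permanent.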