
“Operation not permitted” on using os.setuid() [python]

I'm trying to build a platform to launch some scripts. These scripts are placed in the home folder of each user. Every launch should be done with that user's id, so for each user I'm doing this:

import os
import pwd
import shlex
import subprocess

# `user` is the login name of the current user in the loop.
# Use the named fields: pw_uid is index 2, pw_gid index 3, pw_dir index 5,
# so indexing with [3] would hand setuid() a group id instead of a uid.
user_id = pwd.getpwnam( user ).pw_uid
user_home = pwd.getpwnam( user ).pw_dir

os.chdir( user_home )
os.setuid( user_id )    # raises OSError unless the caller may switch to user_id

subprocess.Popen( shlex.split( "user_script.py" ) )

But, when python tries to do os.setuid( user_id ) it raises this exception:

Traceback (most recent call last):
  File "launcher.py", line XX, in <module>

OSError: [Errno 1] Operation not permitted

By the way, the user who starts this script is in the root group (on GNU/linux OS) and it has all the root privileges.

If I try to launch the same code with root user I get a different error:

OSError: [Errno 13] Permission denied

If someone can help me to understand what's happening please...

Only root can do setuid; being in the root group is not enough.

Only superuser can change uid whenever it feels like it, just adding the user to the root group is not enough.

setuid(2), for example, mentions:

 The setuid() system call is permitted if the specified ID is equal to the
 real user ID or the effective user ID of the process, or if the effective
 user ID is that of the super user.

On Linux, there's also:

   Under Linux, setuid() is implemented like the POSIX version with the 
   _POSIX_SAVED_IDS feature.  This allows a set-user-ID (other than  root)
   program to drop all of its user privileges, do some un-privileged work, and
   then reengage the original effective user ID in a secure manner.

I don't even know if Python directly implements this, but it's not exactly what you want anyway.

So the short answer is: Start the initial process as root.

If you're worried about security, start two processes, one as root, one as non-privileged user, and have the non-privileged process communicate with the root process with a socket. This is a more advanced setup though...
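The "start the initial process as root" advice above, written out as a launcher. This is an added example, not code from the question or from this answer: the parent keeps root and the uid change happens only in the forked child, between fork() and exec(), so the drop can be repeated for every user. The function and variable names are my own, as is the check of the setuid(2) rule quoted above; the script path, cwd and argv handling also correct the three points raised in the last answer on this page (absolute path instead of a bare name that execvp() would look up on PATH, argv as a list, no shlex).

```python
import os
import pwd
import subprocess
from pathlib import Path


def setuid_permitted(target_uid, real_uid, effective_uid):
    """The rule quoted from setuid(2): allowed if the target is the real or
    effective uid, or the caller is already the superuser. On Linux the
    superuser case really means CAP_SETUID, which root holds by default."""
    return target_uid in (real_uid, effective_uid) or effective_uid == 0


def resolve_user(user):
    """Look up a login name by its named fields (pw_uid is index 2, pw_gid is
    index 3, so getpwnam(user)[3] would hand setuid() a group id)."""
    entry = pwd.getpwnam(user)
    return entry.pw_uid, entry.pw_gid, entry.pw_dir


def drop_privileges(user, uid, gid):
    """Runs in the child between fork() and exec(). Order matters: supplementary
    groups first, then gid, then uid. Once setuid() has run, the other two calls
    would fail with the same EPERM the question shows, leaving root's groups behind."""
    os.initgroups(user, gid)
    os.setgid(gid)
    os.setuid(uid)
    # Confirm the drop is not reversible: real, effective and saved ids all changed.
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise RuntimeError("privilege drop incomplete")


def launch_as_user(user, script_name="user_script.py"):
    """Start ~user/<script_name> as that user. The launcher must be root, or
    the child's setuid() raises OSError(EPERM) just as in the question."""
    uid, gid, home = resolve_user(user)
    if not setuid_permitted(uid, os.getuid(), os.geteuid()):
        raise PermissionError("launcher must run as root to switch to %s" % user)
    script = Path(home) / script_name   # absolute path: execvp() does not search cwd
    return subprocess.Popen(
        [str(script)],                    # argv as a list, nothing to shlex.split()
        cwd=home,
        preexec_fn=lambda: drop_privileges(user, uid, gid),
    )
```

On Python 3.9 and later, subprocess.Popen(..., user=uid, group=gid, extra_groups=[...]) performs the same three-step drop in the child without preexec_fn, which is the safer choice in a multi-threaded launcher.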

You can also use the setuid permission. That is, give

       chmod 4755 script.py

Now, even from a normal user, if you execute the program it will switch to that particular user. You won't get any permission issues.

OSError: [Errno 1] Operation not permitted indicates the user who starts the script has insufficient privileges. Being in the root group is not enough, it actually needs the CAP_SETUID capability.

OSError: [Errno 13] Permission denied is probably an unrelated error. You should have a look at its stacktrace.

The line

subprocess.Popen( shlex.split( "user_script.py" ) )

confuses me in manifold ways.

  1. The shlex.split() seems to be redundant, as there is nothing to split.
  2. Better to put Popen()'s parameter in a list.
  3. If user_script.py has no execute permissions, even root cannot do that.
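A preflight check that tells the two errors apart before anything is launched, as an added example that is not part of this answer. It reads the effective capability set from /proc/self/status to test for CAP_SETUID (the point made above about the root group), and checks the script's execute bits (point 3). The function names are my own; the two status texts at the bottom are constructed samples, not captures from a real system.

```python
import os
import stat

# Bit number of CAP_SETUID in the kernel's capability bitmask (linux/capability.h).
CAP_SETUID = 7


def parse_cap_eff(status_text):
    """Return the effective capability set from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap_setuid(status_text=None):
    """True if the process may change uid. Reads /proc/self/status unless a
    status text is passed in, which keeps the logic testable offline."""
    if status_text is None:
        with open("/proc/self/status") as fh:
            status_text = fh.read()
    return bool((parse_cap_eff(status_text) >> CAP_SETUID) & 1)


def is_executable_file(path):
    """True if the path is a regular file with any execute bit set. Root bypasses
    read/write checks but not a missing execute bit, hence the EACCES in the question."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def preflight(script_path, status_text=None):
    """Explain which of the two errors from the question would come back,
    or return None when setuid() and Popen() both have what they need."""
    if not has_cap_setuid(status_text):
        return "EPERM: process lacks CAP_SETUID (membership in the root group does not grant it)"
    if not is_executable_file(script_path):
        return "EACCES: %s is not an executable regular file" % script_path
    return None


# Constructed sample status lines (not captured from a real system): an
# unprivileged process has an empty effective set; a root process holds the
# full set, whose width depends on the kernel version.
UNPRIVILEGED_STATUS = "Name:\tlauncher.py\nCapEff:\t0000000000000000\n"
ROOT_STATUS = "Name:\tlauncher.py\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    # With no status text the check runs against the current process.
    print(preflight("/bin/sh") or "ok: can switch uid and the target is executable")
```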
