开发者

setfsuid() and python 2.5.4

I'm trying to use setfsuid() with python 2.5.4 and RHEL 5.4. Since it's not included in the os module, I wrapped it in a C module of my own and installed it as a python extension module using distutils.

However when I try to use it I don't get the expected result. setfsuid() returns value indicating success (changing from a superuser), but I can't access files to which only the newly set user should have user access (using open()), indicating that fsuid was not truely changed.

I tried to verif开发者_如何学Goy setfsuid() worked, by running it consecutively twice with the same user input The result was as if nothing had changed, and on every call the returned value was of old user id different from the new one. I also called getpid() from the module, and from the python script, both returned the same id. so this is not the problem.

Just in case it's significant, I should note that I'm doing all of this from within an Apache daemon process (WSGI).

Anyone can provide an explanation to that? Thank you


The ability to change the FSUID is limited to either root or non-root processes with the CAP_SETFCAP capability. These days it's usually considered bad practice to run a webserver with root permissions so, most likely, you'll need to set the capability on the file server (see man capabilities for details). Please note that doing this could severly affect your overall system's security. I'd recommend considering spawning a small backend process that runs as root and converses with your WSGI app via a local UNIX socket prior to mucking with the security of a high-profile target like Apache.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜