“Operation not permitted” while dropping privileges using setuid() function

Anonymous (unverified), submitted on 2019-12-03 03:10:03

Question:

Why does this simple program that uses os.setuid()/gid() fail? It is written in Python, but I think that is not a language-related problem (in the end they are all the same POSIX system call):

    import os, pwd

    if os.getenv("SUDO_UID") and os.getenv("SUDO_GID"):
      orig_uid=int(os.getenv("SUDO_UID"))
      orig_gid=int(os.getenv("SUDO_GID"))
    else:
      pw = pwd.getpwnam("nobody")
      orig_uid = pw.pw_uid
      orig_gid = pw.pw_gid

    print os.getuid(), os.getgid(), os.geteuid(), os.getegid(), orig_uid, orig_gid

    os.setgid(orig_gid)
    os.setuid(orig_uid)

It returns this exception:

    $ sudo python provgid.py
    0 0 0 0 1000 1000
    Traceback (most recent call last):
      File "provgid.py", line 15, in <module>
        os.setgid(orig_gid)
    OSError: [Errno 1] Operation not permitted

What is the error?

Answer 1:

Only the superuser or processes with the CAP_SETGID capability are allowed to set the GID. After the setuid() call, the effective UID isn't 0 any more, so you are not allowed to call setgid(). Try to reorder the two calls.
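
The ordering rule from this answer, as an added example that is not code from the question or from either answer. `FakeCreds` is a constructed stand-in for the process credentials, with a deliberately simplified permission rule, so the example runs without root; when run as root, calling `drop_privileges(uid, gid)` with no third argument uses the real `os` calls.

```python
import errno
import os


class FakeCreds:
    """Constructed model: only UID 0 may change UID, GID or supplementary groups."""
    def __init__(self):
        self.uid, self.gid, self.groups = 0, 0, [0]

    def _change(self, attr, value):
        if self.uid != 0:
            raise OSError(errno.EPERM, "Operation not permitted")
        setattr(self, attr, value)

    def setgroups(self, groups): self._change("groups", list(groups))
    def setgid(self, gid): self._change("gid", gid)
    def setuid(self, uid): self._change("uid", uid)
    def getuid(self): return self.uid
    def getgid(self): return self.gid
    def getgroups(self): return list(self.groups)


def drop_privileges(uid, gid, creds=os):
    """Drop from root to uid/gid. Order matters: groups, then GID, then UID."""
    creds.setgroups([gid])  # discard root's supplementary groups
    creds.setgid(gid)       # allowed: the process is still UID 0 here
    creds.setuid(uid)       # last: after this the process can no longer change IDs
    # Verify instead of assuming the calls did what was intended.
    if (creds.getuid(), creds.getgid()) != (uid, gid) or set(creds.getgroups()) != {gid}:
        raise RuntimeError("privilege drop incomplete")
    try:
        creds.setuid(0)     # must fail once privileges are really gone
    except OSError:
        return
    raise RuntimeError("root could be regained")


def wrong_order(uid, gid, creds):
    """The order the answer warns about: UID first, then GID."""
    creds.setuid(uid)
    try:
        creds.setgid(gid)
    except OSError as exc:
        return exc.errno    # errno.EPERM, i.e. "Operation not permitted"
    return 0


if __name__ == "__main__":
    print("wrong order errno:", wrong_order(1000, 1000, FakeCreds()))
```

Clearing the supplementary groups with `setgroups()` is part of the drop: a process that changes only its UID and GID keeps root's group memberships.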



Answer 2:

I've fixed it using this library

http://pypi.python.org/pypi/privilege/1.0

It securely drops privileges from root to another user.


