问题
Why this simple programs that use os.setuid()/gid() fails? Is written in python but I think that is not a language relative problem (at the end are all the same posix system call):
import os, pwd
if os.getenv("SUDO_UID") and os.getenv("SUDO_GID"):
  orig_uid=int(os.getenv("SUDO_UID"))
  orig_gid=int(os.getenv("SUDO_GID"))
else:
  pw = pwd.getpwnam("nobody")
  orig_uid = pw.pw_uid
  orig_gid = pw.pw_gid
print os.getuid(), os.getgid(), os.geteuid(), os.getegid(), orig_uid, orig_gid
os.setgid(orig_gid)
os.setuid(orig_uid)
It returns this exception:
$ sudo python provgid.py 
0 0 0 0 1000 1000
Traceback (most recent call last):
  File "provgid.py", line 15, in <module>
    os.setgid(orig_gid)
OSError: [Errno 1] Operation not permitted
What is the error?
回答1:
Only the superuser or processes with the CAP_SETGID capability are allowed to set the GID.  After the setuid() call, the effective UID isn't 0 any more, so you are not allowed to call setgid().  Try to reorder the two calls.
回答2:
I've fixed using this library
http://pypi.python.org/pypi/privilege/1.0
That securely drop privileges from root to another user.
来源:https://stackoverflow.com/questions/4692720/operation-not-permitted-while-dropping-privileges-using-setuid-function