Can't drop root privileges in Python even after seteuid. A bug?
Edit summary: I forgot to drop the gid. The accepted answer may still be helpful to you, though.
Hello. I can't drop root privileges in Python 3.2 on my Linux. In fact, even after seteuid(1000), it can still read a root-owned file with mode 400. The euid is definitely set to 1000!
I found that after an empty os.fork() call, privileged access is correctly denied. (But only in the parent. The child can still illegally read it.) Is this a bug in Python, or is this how Linux works?
Try the code below. Comment out one of the three lines at the bottom and run it as root.
Thanks in advance.
#!/usr/bin/python3
# Python seteuid pitfall example.
# Run this __as__ the root.
# Here, access to root-owned files /etc/sudoers and /etc/group- are tried.
# Simple access to them *succeeds* even after seteuid(1000) which should fail.
# Three functions, stillRoot(), forkCase() and workAround() are defined.
# The first two seem wrong. In the last one, access fails, as desired.
# ***Comment out*** one of three lines at the bottom before execution.
# If your python is < 3.2, comment out the entire def of forkCase()
import os


def stillRoot():
    """Open succeeds, but it should fail."""
    os.seteuid(1000)              # only the effective uid changes here
    open('/etc/sudoers').close()


def forkCase():
    """Child can still open it. Wow."""
    # setresuid needs python 3.2
    os.setresuid(1000, 1000, 0)   # real/effective uid 1000, saved uid stays 0
    pid = os.fork()
    if pid == 0:
        # They're surely 1000, not 0!
        print('uid: ', os.getuid(), 'euid: ', os.geteuid())
        open('/etc/sudoers').close()
        print('open succeeded in child.')
        exit()
    else:
        print('child pid: ', pid)
        open('/etc/group-').close()
        print('parent succeeded to open.')


def workAround():
    """So, a dummy fork after seteuid is necessary?"""
    os.seteuid(1000)
    pid = os.fork()
    if pid == 0:
        exit(0)
    else:
        os.wait()                 # reap the dummy child before trying the open
        open('/etc/group-').close()


## Run one of them.
# stillRoot()
# forkCase()
# workAround()
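As an added example (not the poster's code), the point the edit summary makes about the gid: `read_allowed` is a plain Unix mode-bit check showing that a constructed 0o440 root:root file still opens while the effective gid is 0, and `drop_privileges` drops supplementary groups, gid and uid in the only order that works and then verifies the drop; both function names and the ids 1000/1000 are assumptions for illustration.

```python
#!/usr/bin/python3
import os
import stat


def read_allowed(mode, file_uid, file_gid, euid, egid, groups=()):
    """Plain Unix mode-bit check for reading: owner, else group, else other.
    Assumes no DAC-override capability, which Linux drops once euid leaves 0,
    so after seteuid(1000) only these bits decide the outcome."""
    if euid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if egid == file_gid or file_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def drop_privileges(uid, gid):
    """Permanently drop root: supplementary groups, then gid, then uid.
    Order matters: once the uid is unprivileged the process can no longer
    change its gid. Real, effective AND saved ids are all set, so nothing can
    be regained later (unlike setresuid(1000, 1000, 0), which keeps saved 0)."""
    os.setgroups([])                 # root-only call, so it must come first
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    # Verify the drop actually happened; a silent partial drop is the bug.
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise RuntimeError('privilege drop incomplete')
    try:                             # regaining root must now be impossible
        os.seteuid(0)
    except PermissionError:
        return True
    raise RuntimeError('root can still be regained')


if __name__ == '__main__':
    # Constructed case: file mode 0o440, owner root (0), group root (0).
    print('euid 1000, egid 0   :', read_allowed(0o440, 0, 0, 1000, 0))     # True
    print('euid 1000, egid 1000:', read_allowed(0o440, 0, 0, 1000, 1000))  # False
    if os.geteuid() == 0:
        drop_privileges(1000, 1000)
        print('dropped to', os.getresuid(), os.getresgid())
```

Run as root on Linux the script ends with all three uids and gids at 1000; run unprivileged it only prints the two mode-bit results.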