Re: change process's effective uid

in reply to change process's effective uid

Ahh yes. Wise question Anonymous One. Perl is far beyond using function calls for this. Why use function calls when we have variables like $< and $> ?!?!

$< or $UID
"The real user ID of this process."

$>
$EUID
"The effective uid of this process"

Thus speaks the Holy Camel Book of Knowledge Light of the World.
so...

$< = $>   #set real to effective uid
($<,$>) = ($>,$<);   #swap real and effective uid
[download]

Obviously, these require you to be running setuid.Go and rejoice in your new learning.
---
crulx
crulx@iaxs.net

Comment on Re: change process's effective uid Download Code

Replies are listed 'Best First'.
Re: Re: change process's effective uid by sierrathedog04 (Hermit) on Feb 11, 2001 at 00:28 UTC
My related question is when it is ever safe to use suid to change the user id of an Apache Perl CGI script to a user with some administrative privileges. I want to use Lincoln Stein's user_manage Perl module to allow Apache users to remotely change their own passwords. Stein provides some different ways to do it. One way involves: Designate a directory that will hold the various password and group files, for example /etc/httpd/security. Make it owned and writable by a specially-designated "web administrator" account, for example "www". Now, running as root, change the ownership of user_manage to "www" and set its "s" bit: Is there any danger in doing so? My concern is that the user_manage documentation may be assuming that "everyone knows" not to engage in a particular coding practice when running suid, but I am still a beginner (<1 year Perl/Unix) and I don't know. I intend to use CGI.pm param() to parse the form variables after they are submitted, and I intend to avoid doing foolish things like my $form_variable = param("form_variable"); `form_variable`; [download] I also will prevent users from uploading form variables which contain values other than letters and numbers. Just to be safe, I may also ban words like 'eval' and 'system' from form variables along with parentheses and backticks.	[reply] [d/l]

Replies are listed 'Best First'.

Re: Re: change process's effective uid
by sierrathedog04 (Hermit) on Feb 11, 2001 at 00:28 UTC

I want to use Lincoln Stein's user_manage Perl module to allow Apache users to remotely change their own passwords. Stein provides some different ways to do it. One way involves:

Designate a directory that will hold the various password and group files, for example /etc/httpd/security. Make it owned and writable by a specially-designated "web administrator" account, for example "www". Now, running as root, change the ownership of user_manage to "www" and set its "s" bit:

my $form_variable = param("form_variable");
`form_variable`;
[download]

I also will prevent users from uploading form variables which contain values other than letters and numbers. Just to be safe, I may also ban words like 'eval' and 'system' from form variables along with parentheses and backticks.

[reply]
[d/l]

In Section Seekers of Perl Wisdom