Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

getcwd() as different user

by 0xbeef (Hermit)
on Nov 18, 2005 at 21:26 UTC ( #509961=perlquestion: print w/replies, xml ) Need Help??

0xbeef has asked for the wisdom of the Perl Monks concerning the following question:

I have a script which runs as root, since it collects system info for healthchecks.

I'd like to run getcwd() on AIX as a different user than root, as a test for underlying mount-point permission problems.(getcwd returns undef if it cannot access the original mount-point)

I have tried doing "$> = $< = $newuid", but I get "Operation not permitted". This is the case even if I try to use a binary wrapper to try avoid the problem where the O/S prevents setuid scripts.

Any ideas, other than seperating the task entirely (which seems like a bad idea, security-wise) e.g.

system("su - user -c /mycode/getcwd($targetdir)")?

-oxbeef

Replies are listed 'Best First'.
Re: getcwd() as different user
by pileofrogs (Priest) on Nov 18, 2005 at 21:59 UTC
    Do you get the 'Operation not permitted' error when you're setting your uid or when you're running getcwd? This code works on my Linux box
    #! /usr/bin/perl -w -T use strict; use Cwd; $ENV{PATH} = "/usr/local/bin:/usr/bin:/bin"; delete($ENV{BASH_ENV}); #500 is my non-root uid that I want to test with; my $newuid = 500; unless ($< == 0 and $> == 0) { die "must be root"; } system('whoami'); print getcwd."\n"; $> = $< = $newuid ; system('whoami'); print getcwd."\n";
      Oh grief, I misinterpreted the error to be the result of the "$<" operation. The actual problem is the fact that my now lesser-privileged user is not authorised to perform the next "$< = $> = $newid" iteration.

      Hmm, my question should actually read: "How do I perform seteid()" or "How do I temporarily drop my privileges before calling a function? ". The obvious answer is $>. *hides in shame*

      -0xbeef

        If anyone's interested, here's a snippet with the basic working logic. Although the "id -G" portion is not the safest way of doing this, I just don't know how:

        my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime, +$blksize,$blocks) = stat($targetdir); $newuser = getpwuid($uid); $groups = `/usr/bin/id -G $newuser`; $) = "$groups"; $> = $uid; if ( not chdir("$targetdir")) { print "$targetdir is inaccessible to its owner\n"; next; } else { $currentdir = Cwd::getcwd(); my $lasterr = $!; if (not defined $currentdir) { # incorrect underlying mount-point permissions print "getcwd() failed for $targetdir:$lasterr\n"; } else { print "getcwd() for $over is OK."); } }
Re: getcwd() as different user
by ikegami (Patriarch) on Nov 18, 2005 at 21:35 UTC
    I don't know the answer, but I do know that
    system("su - user -c /mycode/getcwd $targetdir")
    is less secure than
    system('su', '-', 'user', '-c', '/mycode/getcwd', $targetdir)
    since the arguments are not succeptable to shell interpretation in the latter.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://509961]
Approved by Old_Gray_Bear
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (3)
As of 2022-07-03 23:28 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?