On Tue, Apr 16, 2002 at 11:30:08AM +0200, walter valenti wrote:
> Hi,
> I've got a daemon in Perl that starts as root.
>
> I would like it, after starting (when it starts, it does some operations
> as root), to switch to another user with low privileges (e.g. like
> Apache, which starts as root and switches to www-data).
>
> I'm trying the POSIX module, using the functions POSIX::setuid and
> POSIX::setgid, but nothing.
You don't need the POSIX module, perl can do this on its own.
If you take a look at 'perldoc perlvar' and search for UID, you find the
following:
---------- snip ----------
$REAL_USER_ID
$UID
$<      The real uid of this process. (Mnemonic: it's the
        uid you came from, if you're running setuid.)
---------- snip ----------
What you really should change is the 'Effective User ID':
---------- snip ----------
$EFFECTIVE_USER_ID
$EUID
$>
...
        (Mnemonic: it's the uid you went to, if you're
        running setuid.) $< and $> can be swapped only on
        machines supporting setreuid().
---------- snip ----------
Try the following code snippet:
---------- snip ----------
#!/usr/bin/perl
use strict;
use warnings;
$|++;
use constant USER => 'nobody';
use constant GROUP => 'nogroup';
# getpwnam/getgrnam return undef for an unknown name, and undef would
# silently turn into uid/gid 0 below, so check the lookups.
my $uid = getpwnam(USER);
my $gid = getgrnam(GROUP);
defined $uid or die "unknown user '" . USER . "'\n";
defined $gid or die "unknown group '" . GROUP . "'\n";
print "Started as $<:$( / $>:$)\n";
# Group first: once the effective uid is no longer root, setegid() is
# refused. "$gid $gid" sets the effective gid and replaces the
# supplementary group list with just $gid.
$) = "$gid $gid";
$> = $uid;
# Perl ignores a failed seteuid()/setegid() and just reads the real
# value back, so verify. Only the effective ids change here; $< and $(
# stay 0, so the process can still switch back to root.
$> == $uid or die "could not change effective uid to $uid\n";
(split ' ', $))[0] == $gid or die "could not change effective gid to $gid\n";
print "Changed to $<:$( / $>:$)\n";
while (1) {
    print "Still alive...\n";
    sleep 10;
}
---------- snip ----------
Here's my session with the code:
---------- snip ----------
nijushiho:~# ./snippet &
[3] 5313
nijushiho:~# Started as 0:0 105 0 / 0:0 105 0
Changed to 0:0 105 0 / 65534:0 105 0
Still alive...
Still alive...
ps -aef | grep snippet
nobody 5313 5114 0 13:23 pts/1 00:00:00 /usr/bin/perl ./snippet
root 5315 5114 0 13:24 pts/1 00:00:00 grep snippet
nijushiho:~# kill %3
nijushiho:~#
[3]+ Terminated ./snippet
nijushiho:~#
---------- snip ----------
As you can see, 'snippet' ran as user 'nobody'.
Remember that you need to have appropriate permissions to switch users
(that is, you need to be root).
Read Stevens' "Advanced Programming in the Unix Environment" for *all*
the information on this kind of topic.
Ask if you need to know more...
--
If we fail, we will lose the war.
Michael Lamertz | +49 221 445420 / +49 171 6900 310
Nordstr. 49 | [EMAIL PROTECTED]
50733 Cologne | http://www.lamertz.net
Germany | http://www.perl-ronin.de
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
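An added example, not part of Michael's post, that does the Apache-style drop the original question asked for. The session output above shows what changing only $> leaves behind: "Changed to 0:0 105 0 / 65534:0 105 0" means the real uid is still 0, the effective gid is still 0 (the setegid() was attempted after the effective uid had already been dropped, so the kernel refused it and Perl silently kept the old value), and the supplementary groups 0 and 105 are still attached. A daemon in that state, or anything that compromises it, can simply assign $> = 0 and be root again. The code below changes the groups first, then both the real and effective uid, verifies every id because Perl never dies on a failed set*id() call, and finally proves the drop is permanent by trying to go back to root. It assumes it is started as root on Linux and that user 'nobody' and group 'nogroup' exist (the names from the snippet above); the function name drop_privileges is mine.

```perl
#!/usr/bin/perl
# Added example (not Michael's code): drop root permanently, Apache-style.
# Assumes: started as root on Linux; user 'nobody' and group 'nogroup' exist.
use strict;
use warnings;

sub drop_privileges {
    my ($user, $group) = @_;

    $> == 0 or die "must be started as root, effective uid is $>\n";

    # getpwnam/getgrnam return undef for unknown names, and undef would
    # silently become uid/gid 0 below, so refuse to continue on a typo.
    my $uid = getpwnam($user);
    my $gid = getgrnam($group);
    defined $uid or die "no such user: $user\n";
    defined $gid or die "no such group: $group\n";

    # 1. Groups first. Once the effective uid is unprivileged the kernel
    #    refuses setegid()/setgroups() (that is why the session above shows
    #    the effective gid stuck at 0). "$gid $gid" sets the effective gid
    #    and replaces the supplementary group list with just $gid.
    $) = "$gid $gid";
    $( = $gid;

    # 2. Then the user. Chained assignment evaluates right to left, so this
    #    is seteuid() followed by a change of the real uid while the
    #    effective uid is already $uid; on Linux that also rewrites the
    #    saved uid, which is what makes the drop permanent.
    $< = $> = $uid;

    # 3. Verify. Perl does not die when a set*id() call fails, it just reads
    #    the real values back, so compare every id with what was requested.
    my ($egid, @supp) = split ' ', $);
    my ($rgid)        = split ' ', $(;
    $< == $uid && $> == $uid
        or die "uid change failed: real $< effective $>\n";
    $rgid == $gid && $egid == $gid
        or die "gid change failed: real $rgid effective $egid\n";
    my @extra = grep { $_ != $gid } @supp;
    @extra and die "supplementary groups not cleared: @extra\n";

    # 4. Prove it is permanent: regaining root must now be impossible.
    #    If the saved uid were still 0 this assignment would succeed.
    $> = 0;
    $> == 0 and die "privilege drop is reversible, refusing to run\n";

    return ($uid, $gid);
}

# Do whatever needs root here (bind a privileged port, open the log), then:
my ($uid, $gid) = drop_privileges('nobody', 'nogroup');
print "Now running as $<:$( / $>:$)\n";
```

Keep the order (group, then user) and keep step 4 in any variant: on a platform where assigning $< only calls setruid() the saved uid stays 0, and the probe is what catches that. If it fires, POSIX::setgid($gid) followed by POSIX::setuid($uid), both called while still root, set the real, effective and saved ids in one call each; the $) = "$gid $gid" assignment is still needed to clear the supplementary groups.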