Open
Description
#!/usr/bin/python3
"""Reproducer: ``check_call(..., user=0, group=0)`` after a temporary privilege drop.

The script must be started with real, effective and saved UID all equal to 0.
It drops the real/effective IDs to 'nobody' while keeping saved UID 0, then
compares two ways of starting a child process as root again.
"""
from os import getresuid, initgroups, setresgid, setresuid
from pwd import getpwnam
from subprocess import check_call


def drop_permissions():
    """Switch to the 'nobody' account but keep the saved set-user-ID at 0.

    This is a *temporary* drop: since the saved UID stays 0, the process (or
    any code running inside it) can still call ``setresuid(0, 0, 0)`` and
    become root again. A permanent drop would set all three UIDs to the
    unprivileged value.
    """
    user = 'nobody'
    entry = getpwnam(user)
    uid, gid = entry.pw_uid, entry.pw_gid
    # Refuse to continue if the lookup resolved to root (0) by mistake.
    assert uid
    assert gid
    # Supplementary groups and GIDs are changed while the effective UID is
    # still 0; the UID change comes last.
    initgroups(user, gid)
    setresgid(gid, gid, gid)
    setresuid(uid, uid, 0)


def run_privileged_proc():
    """Run ``id`` as root by restoring the IDs in the child before exec."""

    def regain_root():
        # UID first: once the effective UID is 0 again, the GID and the
        # supplementary groups can be reset as well.
        setresuid(0, 0, 0)
        setresgid(0, 0, 0)
        initgroups('root', 0)

    # NOTE: the subprocess documentation warns that preexec_fn is not safe to
    # use in the presence of threads.
    check_call(['id'], preexec_fn=regain_root)


def main():
    """Run the three scenarios in order; only the last one fails."""
    assert getresuid() == (0, 0, 0)

    # This one works (dropping permissions in the child process).
    check_call(['id'], user=65534, group=65534)

    drop_permissions()

    # This one works: the child restores root itself via preexec_fn.
    run_privileged_proc()

    # This does not: per the strace shown with this report, the child's
    # setgroups(0, []) call fails with EPERM.
    check_call(['id'], user=0, group=0)


main()
For the last subprocess, the strace of the child process:
set_robust_list(0x7eff7bfaea20, 24) = 0
close(7) = 0
close(9) = 0
close(11) = 0
dup2(6, 0) = 0
dup2(8, 1) = 1
dup2(10, 2) = 2
rt_sigaction(SIGPIPE, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK, sa_restorer=0x7eff7b83ea30}, {sa
rt_sigaction(SIGXFSZ, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK, sa_restorer=0x7eff7b83ea30}, {sa
setgroups(0, []) = -1 EPERM (Операция не позволена)
write(12, "OSError:", 8) = 8
write(12, "1", 1) = 1
write(12, ":", 1) = 1
write(12, "noexec", 6) = 6
exit_group(255) = ?
+++ exited with 255 +++
Python 3.10.7