FYI:

mydir/            userA:mygroup  rwxrwxr-x
mydir/test.py     userA:mygroup  rwxr-xr-x

userB    gid=xxx(mygroup)

In test.py:

#!/usr/bin/env python
import os
import pwd

# look up the numeric uid of the 'mysql' account and switch the process to it
uid = pwd.getpwnam('mysql')[2]
os.setuid(uid)          # only the uid is changed here; the gid stays whatever sudo gave us
os.system('id')         # show who we are now
os.system('touch myfile')   # try to create a file in the current (group-writable) directory

Log in as userA, execute:

> cd mydir/
> sudo ./test.py
uid=xxxx(userB) gid=0(root) groups=xxxx(mygroup),0(root)
touch: cannot touch 'myfile': Permission denied

It seems setuid is done, but still cannot create file in mydir/ with group-writable permission. Could you tell me why?

To be more precise, I would like to simulate mysqld or nginx. A 'user' can be specified in their conf file. The service can be started by sudo service mysql start, but runs under account 'mysql'.

EDITED: I found the problem. In test.py, setgid should also be called, otherwise the current group is root, which has no permission to write into mydir/

ShenLei
  • Do you have group execute permission as well on `mydir`? – Bhargav Rao Feb 07 '15 at 10:09
  • Why do you need to set anything when running with sudo? – Padraic Cunningham Feb 07 '15 at 10:09
  • @Bhargav Rao mydir/ is group executable. – ShenLei Feb 07 '15 at 10:13
  • @Padraic Cunningham, because ./test.py will start a service, and I want it to run as userB. There are multiple accounts that have the right to start/stop this service. One way to achieve this is to use 'sudo ./test.py', which starts as root but immediately changes to userB. – ShenLei Feb 07 '15 at 10:18
  • I think if you're running as sudo, then you need to just touch the file. Don't set a uid again because it's already set, unless you're trying to emulate another user from the sudo level – Zuko Feb 07 '15 at 10:19
  • @Olu Doug If touch in sudo without setuid, it will create a process owned by root. This is dangerous. I would like to run it only as userB. – ShenLei Feb 07 '15 at 10:38
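The pattern the question is after (start as root via sudo, then become an unprivileged service account the way mysqld or nginx do) is shown below as an added example; it is not code from the question or from either of those projects. It assumes a Linux host where the target account (the question's 'mysql' user) exists and the script is launched as root. Two things are demonstrated: the privilege drop must set the supplementary groups and the gid before the uid, because after setuid() a non-root process can no longer change its groups; and a pure re-implementation of the kernel's write-permission check, which makes the question's failure concrete: with uid=userB but gid=0 and no mygroup in the group list, a rwxrwxr-x directory owned by userA:mygroup falls into the "other" class and is not writable. The user and group ids used in the test are constructed values.

```python
#!/usr/bin/env python3
"""Drop root to an unprivileged service account, mysqld/nginx style.

Added example, not the question's code. Assumes the target user exists and
that the script is started as root (for example via sudo).
"""
import os
import pwd
import grp
import stat


def supplementary_groups(username, primary_gid):
    """All gids the user belongs to: the primary group plus every group
    whose member list names the user (what initgroups(3) would compute)."""
    gids = {primary_gid}
    for g in grp.getgrall():
        if username in g.gr_mem:
            gids.add(g.gr_gid)
    return sorted(gids)


def drop_privileges(username):
    """Become 'username' permanently: groups first, then gid, then uid.

    The order matters. Once setuid() has succeeded the process is no longer
    root and setgid()/setgroups() would fail with EPERM. Calling setuid()
    alone, as the question's test.py does, leaves gid=0, so a directory that
    is writable only by its group stays unwritable.
    """
    if os.geteuid() != 0:
        raise PermissionError("must start as root (e.g. via sudo) to drop privileges")
    pw = pwd.getpwnam(username)
    os.setgroups(supplementary_groups(username, pw.pw_gid))
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # The drop must be irreversible: regaining uid 0 has to fail now.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop failed: process could regain uid 0")
    return os.geteuid(), os.getegid(), sorted(os.getgroups())


def mode_permits_write(st_mode, st_uid, st_gid, euid, egid, groups):
    """Classic UNIX discretionary access check for the write bit.

    Mirrors what the kernel does when touch(1) creates a file in a directory:
    root bypasses the check; otherwise the owner class applies if euid matches
    the owner, else the group class if egid or any supplementary group matches
    the file's group, else the 'other' class.
    """
    if euid == 0:
        return True
    if euid == st_uid:
        return bool(st_mode & stat.S_IWUSR)
    if egid == st_gid or st_gid in groups:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def can_write_to(path, euid=None, egid=None, groups=None):
    """Apply mode_permits_write() to a real path, defaulting to the
    credentials of the current process."""
    st = os.stat(path)
    euid = os.geteuid() if euid is None else euid
    egid = os.getegid() if egid is None else egid
    groups = os.getgroups() if groups is None else groups
    return mode_permits_write(st.st_mode, st.st_uid, st.st_gid, euid, egid, groups)


if __name__ == "__main__":
    import sys
    # usage: sudo ./drop.py [username]   (defaults to the question's 'mysql' account)
    ids = drop_privileges(sys.argv[1] if len(sys.argv) > 1 else "mysql")
    print("now running as uid=%d gid=%d groups=%s" % ids)
    print("can write to cwd:", can_write_to("."))
```

Run as `sudo ./drop.py mysql` from inside a directory like the question's mydir/ and the final line reports whether the dropped-privilege process may create files there. The test below exercises the permission check with constructed ids (userA=1000, mygroup=1001, userB=1002) for both the question's setuid-only state and the corrected setgid+setuid state.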

0 Answers