How can I switch to another user within a perl script?

Discussion in 'Perl Misc' started by yong, Jan 19, 2006.

  1. yong

    yong Guest

    Hi all

    I want to switch to another user in a perl script because I don't want
    the script to have permissions to operate on some files. I added the function
    "system('su another')" to the top of the script. When I run it the
    script switches to the user "another", but it only gives a shell prompt
    and doesn't do anything until I log out from account "another".

    Is there any other way to switch to another user within a perl script?

    Thanks.
     
    yong, Jan 19, 2006
    #1

  2. yong

    Anno Siegel Guest

    Christian Winter <> wrote in comp.lang.perl.misc:
    > yong wrote:
    > > Hi all
    > >
    > > I want to switch to another user in a perl script because I don't want
    > > the script to have permissions to operate on some files. I added the function
    > > "system('su another')" to the top of the script. When I run it the
    > > script switches to the user "another", but it only gives a shell prompt
    > > and doesn't do anything until I log out from account "another".
    > >
    > > Is there any other way to switch to another user within a perl script?

    >
    > Assuming you are working under a true *nix OS, have a look at
    > "perldoc POSIX". You use its get/set methods for uid and gid
    > just like you would in a C application, i.e.
    > -------------------------------------------------------------
    > #!/usr/bin/perl
    >
    > use strict;
    > use warnings;
    > use POSIX;
    >
    > print "I'm still the initial user:$/";
    > system( "ps au | grep lalala" );
    >
    > # drop the group first: once the uid is no longer root, setgid() fails
    > setgid( 65534 ); # nogroup
    > setuid( 1000 ); # some user id from /etc/passwd
    >
    > print "Now I should be user id 1000:$/";
    > system( "ps au | grep lalala" );
    > -------------------------------------------------------------


    You don't *have* to go to POSIX for that. The Perl variables $> and
    $< provide similar functionality. setuid() is equivalent to assigning
    to both $> and $<.

    Anno

    --
    If you want to post a followup via groups.google.com, don't use
    the broken "Reply" link at the bottom of the article. Click on
    "show options" at the top of the article, then click on the
    "Reply" at the bottom of the article headers.
     
    Anno Siegel, Jan 19, 2006
    #2

  3. yong

    yong Guest

    I set my uid and gid to nobody and nogroup in my script but the
    ifconfig command can still be used. It prints all my network details
    on screen.

    The script is like this:
    ===
    use strict;
    use Env;
    use POSIX;

    setgid(65534) or die "cannot switch to nogroup \n";
    setuid(65534) or die "cannot switch to nobody \n";

    print $ENV{USER}."\n";
    system('ifconfig');
    ===

    I don't want my script to have permission to do this. What should I do?

    Thanks
     
    yong, Jan 20, 2006
    #3
  4. yong

    yong Guest

    And I wrote another script like this:
    ---------------------------------------------------
    use strict;
    use Env;
    use POSIX;

    setgid(65534) or die "cannot switch to nogroup \n";
    setuid(65534) or die "cannot switch to nobody \n";

    open(my $fh,">/root/testfile.txt") or die "don't have permission";
    print <$fh>."\n";

    ---------------------------------------------------
    Then I set the permission of the file "/root/testfile.txt" to
    "-rw-r----" because I don't want the script to have permission to read
    it. Then I ran the script with the root account.
    But it didn't show "don't have permission" to me. It printed the content
    of the file successfully. Is the script still in the root group after setuid
    and setgid? How can I handle it?

    Thanks
     
    yong, Jan 20, 2006
    #4
  5. yong

    Anno Siegel Guest

    yong <> wrote in comp.lang.perl.misc:
    > And I wrote another script like this:
    > ---------------------------------------------------
    > use strict;
    > use Env;
    > use POSIX;
    >
    > setgid(65534) or die "cannot switch to nogroup \n";
    > setuid(65534) or die "cannot switch to nobody \n";
    >
    > open(my $fh,">/root/testfile.txt") or die "don't have permission";
    > print <$fh>."\n";
    >
    > ---------------------------------------------------
    > Then I set the permission of the file "/root/testfile.txt" to
    > "-rw-r----" because I don't want the script to have permission to read
    > it. Then I ran the script with the root account.
    > But it didn't show "don't have permission" to me. It printed the content
    > of the file successfully. Is the script still in the root group after setuid
    > and setgid? How can I handle it?


    Try a file with no group permissions.

    Anno
     
    Anno Siegel, Jan 20, 2006
    #5
  6. yong

    Guest

    yong <> wrote:
    > I set my uid and gid to nobody and nogroup in my script but the
    > ifconfig command can still be used. It prints all my network details
    > on screen.


    Of course it does: that's the correct behaviour for "ifconfig". Try it
    outside perl first.


    > setgid(65534) or die "cannot switch to nogroup \n";
    > setuid(65534) or die "cannot switch to nobody \n";


    Might be useful to report the underlying reason why these should fail
    (assuming they do fail - which in your case they probably don't). For
    example,

    die "Cannot switch to nogroup ($!)\n";


    > system('ifconfig');
    > I don't want my script to have permission to do this. What should I do?


    Tricky. Apply a system-specific ACL to ifconfig so that "nobody"
    doesn't have execute permission?

    Chris
     
    , Jan 20, 2006
    #6
  7. yong

    Paul Lalli Guest

    yong wrote:
    > And I wrote another script like this:
    > ---------------------------------------------------
    > use strict;
    > use Env;
    > use POSIX;
    >
    > setgid(65534) or die "cannot switch to nogroup \n";
    > setuid(65534) or die "cannot switch to nobody \n";
    >
    > open(my $fh,">/root/testfile.txt") or die "don't have permission";
    > print <$fh>."\n";
    >
    > ---------------------------------------------------
    > Then I set the permission of the file "/root/testfile.txt" to
    > "-rw-r----" because I don't want the script to have permission to read
    > it. Then I ran the script with the root account.
    > But it didn't show "don't have permission" to me. It printed the content
    > of the file successfully.


    That's a lie. The code above cannot possibly print any output. The
    code above clobbers the file. The code then gives a warning saying
    "Filehandle $fh opened only for output", if you were smart enough to
    enable warnings.

    If you want real help, post real code.

    Paul Lalli
     
    Paul Lalli, Jan 20, 2006
    #7
  8. yong

    yong Guest

    Sorry, I pasted the wrong code. Now I have rewritten it. I wrote this
    script only to find a way to switch to another account within a
    perl script.

    The permission of the test file "/root/work/testfile.txt" is
    "-rw-r-----" and the file is owned by root. The account 'nobody' in
    /etc/passwd is:

    nobody:x:65534:65534:nobody:nonexistent:/bin/sh

    Then I ran the following script with the root account:
    ----------------------------------
    use strict;
    use POSIX;

    setuid(65534) or die "fail to switch to account nobody($!)\n";

    open(my $fh,"/root/work/testfile.txt") or die "could not open
    file.($!)\n";

    print <$fh>."\n";
    while(1) { }

    -----------------------------------------

    When the while() loop begins I type 'ps aux' and find that the user
    name which owns the process is 'nobody', but it still has permission to
    read the file. Is it still in the root group? Can anybody tell me how to
    let the script have the right permission?

    Thanks

    --yong
     
    yong, Jan 20, 2006
    #8
  9. yong

    Anno Siegel Guest

    yong <> wrote in comp.lang.perl.misc:
    > Sorry, I pasted the wrong code. Now I have rewritten it. I wrote this
    > script only to find a way to switch to another account within a
    > perl script.
    >
    > The permission of the test file "/root/work/testfile.txt" is
    > "-rw-r-----" and the file is owned by root. The account 'nobody' in
    > /etc/passwd is:
    >
    > nobody:x:65534:65534:nobody:nonexistent:/bin/sh
    >
    > Then I ran the following script with the root account:
    > ----------------------------------
    > use strict;
    > use POSIX;
    >
    > setuid(65534) or die "fail to switch to account nobody($!)\n";
    >
    > open(my $fh,"/root/work/testfile.txt") or die "could not open
    > file.($!)\n";
    >
    > print <$fh>."\n";
    > while(1) { }
    >
    > -----------------------------------------
    >
    > When the while() loop begins I type 'ps aux' and find that the user
    > name which owns the process is 'nobody', but it still has permission to
    > read the file. Is it still in the root group? Can anybody tell me how to
    > let the script have the right permission?


    Of course you stay in root's group, you haven't changed it. That's
    what setgid is for.

    But that still doesn't get rid of the secondary groups (traditionally
    set in /etc/group). Root tends to have a few of those. My Linux has
    setgroups() to change them, but that isn't in POSIX, and Perl has no
    interface to it.

    This is a Unix question, for authoritative answers you'd best ask in
    a Unix group.

    Anno
     
    Anno Siegel, Jan 20, 2006
    #9
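
Added example, not part of the thread or any poster's code: one way to drop root to an unprivileged account in Perl so that the primary group and the supplementary groups discussed above are all replaced before the uid changes, with the result verified afterwards. It relies on the documented behaviour of Perl's `$)` variable (numbers after the first are passed to setgroups()); the script name `drop.pl` and the helper `drop_privileges` are illustrative, and the default file path is the one from post #8.

```perl
#!/usr/bin/perl
# Added example. Run as root, e.g.: perl drop.pl nobody /root/work/testfile.txt
use strict;
use warnings;
use POSIX ();

sub drop_privileges {
    my ($user) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($user);
    defined $uid or die "unknown user '$user'\n";

    # 1. Supplementary groups first, while still root. Assigning a list to $)
    #    sets the effective gid to the first number and hands the rest to
    #    setgroups(); repeating the gid leaves only that one group.
    $) = "$gid $gid";
    # 2. Real, effective and saved gid.
    POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";
    # 3. uid last: once it is dropped the process cannot change groups any more.
    POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

    # Verify the outcome instead of trusting the return values alone.
    my ($rgid)        = split ' ', $(;
    my ($egid, @supp) = split ' ', $);
    die "uid not dropped\n" unless $< == $uid && $> == $uid;
    die "gid not dropped\n" unless $rgid == $gid && $egid == $gid;
    die "supplementary groups remain: @supp\n" if grep { $_ != $gid } @supp;
    die "root can be regained\n" if POSIX::setuid(0);
    return ($uid, $gid, @supp);
}

my $user = shift // 'nobody';
my $file = shift // '/root/work/testfile.txt';

die "must start as root to drop privileges\n" unless $> == 0;
my ($uid, $gid, @supp) = drop_privileges($user);
print "running as uid=$uid gid=$gid groups=@supp\n";

# With root's primary and supplementary groups gone, a root-owned file with
# mode -rw-r----- should no longer be readable by this process.
if (open my $fh, '<', $file) {
    print "WARNING: $file is still readable\n";
    close $fh;
} else {
    print "open $file: $!\n";
}
```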