How can I switch to another user within a perl script?


yong

Hi all

I want to switch to another user in a perl script because I don't want
the script to have permissions to operate on some files. I added the function
"system('su another')" to the top of the script. When I run it, the
script switches to the user "another", but it only gives a shell prompt
and doesn't do anything until I log out from the account "another".

Is there any other way to switch to another user within a perl script?

Thanks.
 
Anno Siegel

Christian Winter said:
Assuming you are working under a true *nix OS, have a look at
"perldoc POSIX". You use its get/set methods for uid and gid
just like you would in a C application, i.e.
-------------------------------------------------------------
#!/usr/bin/perl

use strict;
use warnings;
use POSIX;

print "I'm still the initial user:$/";
system( "ps au | grep lalala" );

# Change the group first: once the uid is no longer root, setgid() would fail.
setgid( 65534 ); # nogroup
setuid( 1000 ); # some user id from /etc/passwd

print "Now I should be user id 1000:$/";
system( "ps au | grep lalala" );
-------------------------------------------------------------

You don't *have* to go to POSIX for that. The Perl variables $> and
$< provide similar functionality. setuid() is equivalent to assigning
to both $> and $<.

Anno

yong

I set my uid and gid to nobody and nogroup in my script, but the
ifconfig command could still be used. It prints all my network details
on the screen.

The script is like this:
===
use strict;
use Env;
use POSIX;

setgid(65534) or die "cannot switch to nogroup \n";
setuid(65534) or die "cannot switch to nobody \n";

print $ENV{USER}."\n";
system('ifconfig');
===

I don't want my script to have permission to do this. What should I do?

Thanks
 
yong

And I wrote another script like this:
---------------------------------------------------
use strict;
use Env;
use POSIX;

setgid(65534) or die "cannot switch to nogroup \n";
setuid(65534) or die "cannot switch to nobody \n";

open(my $fh,">/root/testfile.txt") or die "don't have permission";
print <$fh>."\n";

---------------------------------------------------
Then I set the permission of the file "/root/testfile.txt" to
"-rw-r----" because I don't want the script to have permission to read
it. Then I ran the script with the root account.
But it didn't show "don't have permission" to me. It printed the content
of the file successfully. Is the script still in the root group after setuid
and setgid? How can I handle it?

Thanks
 
Anno Siegel

yong said:
And I wrote another script like this:
---------------------------------------------------
use strict;
use Env;
use POSIX;

setgid(65534) or die "cannot switch to nogroup \n";
setuid(65534) or die "cannot switch to nobody \n";

open(my $fh,">/root/testfile.txt") or die "don't have permission";
print <$fh>."\n";

---------------------------------------------------
Then I set the permission of the file "/root/testfile.txt" to
"-rw-r----" because I don't want the script to have permission to read
it. Then I ran the script with the root account.
But it didn't show "don't have permission" to me. It printed the content
of the file successfully. Is the script still in the root group after setuid
and setgid? How can I handle it?

Try a file with no group permissions.

Anno
 
chris-usenet

yong said:
I set my uid and gid to nobody and nogroup in my script, but the
ifconfig command could still be used. It prints all my network details
on the screen.

Of course it does: that's the correct behaviour for "ifconfig". Try it
outside perl first.

setgid(65534) or die "cannot switch to nogroup \n";
setuid(65534) or die "cannot switch to nobody \n";

Might be useful to report the underlying reason why these should fail
(assuming they do fail - which in your case they probably don't). For
example,

die "Cannot switch to nogroup ($!)\n";

system('ifconfig');
I don't want my script to have permission to do this. What should I do?

Tricky. Apply a system-specific ACL to ifconfig so that "nobody"
doesn't have execute permission?

Chris
 
Paul Lalli

yong said:
And I wrote another script like this:
---------------------------------------------------
use strict;
use Env;
use POSIX;

setgid(65534) or die "cannot switch to nogroup \n";
setuid(65534) or die "cannot switch to nobody \n";

open(my $fh,">/root/testfile.txt") or die "don't have permission";
print <$fh>."\n";

---------------------------------------------------
Then I set the permission of the file "/root/testfile.txt" to
"-rw-r----" because I don't want the script to have permission to read
it. Then I ran the script with the root account.
But it didn't show "don't have permission" to me. It printed the content
of the file successfully.

That's a lie. The code above cannot possibly print any output. The
code above clobbers the file. The code then gives a warning saying
"Filehandle $fh opened only for output", if you were smart enough to
enable warnings.

If you want real help, post real code.

Paul Lalli
 
yong

Sorry, I pasted the wrong code. Now I have rewritten it. I wrote this
script only to find a way to switch to another account within a
perl script.

The permission of the test file "/root/work/testfile.txt" is
"-rw-r-----" and it is owned by root. The account 'nobody' in
/etc/passwd is:

nobody:x:65534:65534:nobody:nonexistent:/bin/sh

Then I ran the following script with the root account:
----------------------------------
use strict;
use POSIX;

setuid(65534) or die "fail to switch to account nobody($!)\n";

open(my $fh,"/root/work/testfile.txt") or die "could not open file.($!)\n";

print <$fh>."\n";
while(1) { }

-----------------------------------------

When the while() loop begins I type 'ps aux' and find that the user
name which owns the process is 'nobody', but it still has permission to
read the file. Does it still stay in the root group? Can anybody tell me how to
let the script have the right permission?

Thanks

--yong
 
Anno Siegel

yong said:
Sorry, I pasted the wrong code. Now I have rewritten it. I wrote this
script only to find a way to switch to another account within a
perl script.

The permission of the test file "/root/work/testfile.txt" is
"-rw-r-----" and it is owned by root. The account 'nobody' in
/etc/passwd is:

nobody:x:65534:65534:nobody:nonexistent:/bin/sh

Then I ran the following script with the root account:
----------------------------------
use strict;
use POSIX;

setuid(65534) or die "fail to switch to account nobody($!)\n";

open(my $fh,"/root/work/testfile.txt") or die "could not open file.($!)\n";

print <$fh>."\n";
while(1) { }

-----------------------------------------

When the while() loop begins I type 'ps aux' and find that the user
name which owns the process is 'nobody', but it still has permission to
read the file. Does it still stay in the root group? Can anybody tell me how to
let the script have the right permission?

Of course you stay in root's group, you haven't changed it. That's
what setgid is for.

But that still doesn't get rid of the secondary groups (traditionally
set in /etc/group). Root tends to have a few of those. My Linux has
setgroups() to change them, but that isn't in POSIX, and Perl has no
interface to it.

This is a Unix question, for authoritative answers you'd best ask in
a Unix group.

Anno
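
Added example, not part of the thread: the points raised above (change the group before the user, and get rid of root's secondary groups) combined into one privilege-drop routine in Perl, followed by the thread's file test. It relies on the behaviour perlvar documents for `$)`, where the numbers after the first are passed to setgroups(); the default account 'nobody' and the test path are taken from the thread, and the script must be started as root.

```perl
#!/usr/bin/perl
# Added example (not from the thread): drop root permanently, then verify.
use strict;
use warnings;
use POSIX ();
use English qw(-no_match_vars);  # $UID $EUID $GID $EGID alias $< $> $( $)

# Assumption: the target account defaults to 'nobody', as used in the thread.
my $user = @ARGV ? $ARGV[0] : 'nobody';
my ($uid, $gid) = (getpwnam $user)[2, 3];
defined $uid or die "unknown user '$user'\n";
$EUID == 0   or die "run as root: only root may switch to another user\n";

# 1. Groups first, while still root. In "$gid $gid" the first number becomes
#    the effective gid and the rest is handed to setgroups(), which replaces
#    root's supplementary groups with the single target group.
$! = 0;
$EGID = "$gid $gid";
die "setegid/setgroups failed: $!\n" if $!;
POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";

# 2. User id last. Called with euid 0, setuid() sets the real, effective and
#    saved uid together, so no saved root id is left to switch back to.
POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

# 3. Verify the result instead of trusting return values.
my @gids = (split(' ', $GID), split(' ', $EGID));  # real/effective gid + group list
die "uid still privileged: real=$UID effective=$EUID\n"
    unless $UID == $uid && $EUID == $uid;
die "group leak: @gids\n" if grep { $_ != $gid } @gids;
die "root can be regained\n" if defined(POSIX::setuid(0));  # must fail now

print "running as uid=$UID gid=$gid groups=@gids\n";

# The thread's test: a root-owned file with mode -rw-r----- must now be unreadable.
my $file = '/root/work/testfile.txt';
if (open my $fh, '<', $file) {
    print "UNEXPECTED: $file is still readable\n";
} else {
    print "open refused as expected: $!\n";
}
```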
 
