[Twisted-Python] Re: Switch to a different uid/gid after binding reserved ports
Martin Armstrong
martin at tactilis.co.uk
Tue Jun 17 13:59:07 MDT 2003
In article <20030609123300.GC29930 at mercury.local.net>, W.J.
<miathan at goliath.darktech.org> writes
In article <76ADB8C376C3D31193F50008C7E6D3B2F3E15E at EWHKA005>,
Richard.Townsend at edl.uk.eds.com writes
>> I have now had a chance to test this on HP-UX11i and have discovered a
>> problem.
>> The code for Application.setUID() calls os.getgid() expecting it to
>> return 0
>Why on earth would you want to check or enforce someone is in group 0?
>Being in group 0 doesn't have any 'magic' like uid 0 has, well, it
>might have on some operating systems, but it's not a portable way.
>Some unices don't even have a special *user* ID 0 but have security
>based on process privileges. You shouldn't assume setuid or setgid to
>fail/succeed based on those numbers.
>IMO the best way is to just try to setuid/setgid if requested, if it is
>not allowed you'll get an EPERM soon enough anyway.
Wladimir is correct.
Here's a patch (already tested by Richard) that provides the correct
behaviour:
/usr/local/src/Twisted/twisted/internet: cvs diff app.py
Index: app.py
===================================================================
RCS file: /cvs/Twisted/twisted/internet/app.py,v
retrieving revision 1.97
diff -r1.97 app.py
695,699c695,701
< if hasattr(os, 'getgid'):
< if not os.getgid():
< os.setegid(self.gid)
< os.seteuid(self.uid)
< log.msg('set euid/egid %s/%s' % (self.uid, self.gid))
---
> try:
> os.setegid(self.gid)
> os.seteuid(self.uid)
> except (AttributeError, OSError):
> pass
> else:
> log.msg('set euid/egid %s/%s' % (self.uid, self.gid))
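Review bot: The `except (AttributeError, OSError): pass` branch in the seteuid/setegid block hides a failed switch. If either call raises, nothing is logged and the process carries on with the effective ids it started with, so the operator cannot tell a refused switch (EPERM) from a successful one. Suggest catching only AttributeError for platforms that lack these calls, and either logging the OSError with the requested self.uid/self.gid or letting it propagate. Also note that if os.setegid succeeds and os.seteuid then fails, the process is left with the new egid and the old euid, and the `else:` log line is skipped, so that mixed state goes unrecorded.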
704,708c706,712
< if hasattr(os, 'getgid'):
< if not os.getgid():
< os.setgid(self.gid)
< os.setuid(self.uid)
< log.msg('set uid/gid %s/%s' % (self.uid, self.gid))
---
> try:
> os.setgid(self.gid)
> os.setuid(self.uid)
> except (AttributeError, OSError):
> pass
> else:
> log.msg('set uid/gid %s/%s' % (self.uid, self.gid))
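Review bot: In the setuid/setgid block the switch is the permanent one, so `except (AttributeError, OSError): pass` should not let the application continue as if nothing happened: a process that was asked to become self.uid/self.gid and could not should stop, or at minimum log the failure, rather than keep running with its original ids. Suggest letting OSError propagate and keeping the AttributeError catch only for platforms without os.setuid. Separately, only os.setgid and os.setuid are called here; neither changes the supplementary group list, so a process started by root keeps root's supplementary groups unless os.setgroups is called before os.setgid.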
--
Martin Armstrong <mailto:martin at tactilis.co.uk>
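
The "just try setuid/setgid and see whether it is allowed" approach discussed in this thread, as an added example that is not part of the original message or of Twisted's code: it raises on a refused switch and verifies the resulting ids instead of passing silently, and it also calls os.setgroups, which the patch does not. `drop_privileges`, `PrivilegeDropError`, the `_os` parameter and `FakeOS` are hypothetical names; `FakeOS` is a constructed stand-in for `os` so the logic runs without root.

```python
import os

class PrivilegeDropError(RuntimeError):
    """The process could not fully become the requested uid/gid."""

def drop_privileges(uid, gid, _os=os):
    """Permanently switch to uid/gid by trying the calls; fail closed on error."""
    def ids():
        return (_os.getuid(), _os.geteuid(), _os.getgid(), _os.getegid())
    if ids() == (uid, uid, gid, gid):
        return "unchanged"              # already running as the target identity
    try:
        _os.setgroups([gid])            # shed the caller's supplementary groups
        _os.setgid(gid)                 # group first: the uid change removes the right to do it
        _os.setuid(uid)
    except AttributeError as exc:       # platform without POSIX ids
        raise PrivilegeDropError("no setuid/setgid on this platform") from exc
    except OSError as exc:              # typically EPERM
        raise PrivilegeDropError("switch to %s/%s refused: %s" % (uid, gid, exc)) from exc
    if ids() != (uid, uid, gid, gid):   # verify the result, do not assume it
        raise PrivilegeDropError("ids after switch are %r" % (ids(),))
    return "dropped"

class FakeOS:
    """Constructed stand-in for `os` (assumption: only uid 0 may change ids)."""
    def __init__(self, uid, gid):
        self.uid, self.gid, self.groups = uid, gid, [gid]
    def getuid(self): return self.uid
    def geteuid(self): return self.uid
    def getgid(self): return self.gid
    def getegid(self): return self.gid
    def _set(self, attr, value):
        if self.uid != 0:
            raise PermissionError(1, "Operation not permitted")
        setattr(self, attr, value)
    def setgroups(self, groups): self._set("groups", list(groups))
    def setgid(self, gid): self._set("gid", gid)
    def setuid(self, uid): self._set("uid", uid)

if __name__ == "__main__":
    print(drop_privileges(1000, 1000, FakeOS(0, 0)))    # started as root
    try:
        drop_privileges(1000, 1000, FakeOS(500, 500))   # not allowed to switch
    except PrivilegeDropError as exc:
        print("refused:", exc)
```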