Running CGIs under my uid - going slowly insane.

Donn Cave donn at u.washington.edu
Fri Feb 1 13:09:43 EST 2002


Quoth Jonathan Hogg <jonathan at onegoodidea.com>:
| On 1/2/2002 9:37, in article 4b4c5d99.0202010136.8e6ff51 at posting.google.com,
| "pawn" <NOSpawnPAM at lightspawn.org> wrote:
|> I need my Python CGIs to run scripts under my own uid, since they read
|> and update .html files which are core to the site.
|> 
| [...]
|> 
|> * Switch back to perl which respects 04755 permissions.
|
| I don't think the lack of respect for setuid permissions is anything to do
| with Python I'm afraid. Quick test on my machine:
|
| -----
| % cat > test.py
| #! /usr/bin/python
|
| import os
|
| print os.geteuid(), os.getegid()
| ^D
| % chmod 755 test.py
| % ./test.py
| 501 20
| % sudo chown 71:71 test.py
| % ./test.py 
| 501 20
| % sudo chmod 4775 test.py
| % ./test.py 
| 71 20
| % sudo chmod 6775 test.py
| % ./test.py 
| 71 71
| -----

Can I ask what operating system that experiment was performed on?

...
| Note that setting an executable's setuid bit will change the "effective" uid
| of the resulting process, not the uid (see 'os.get*e*uid()' above). This
| means that the process may use that user's permissions.

That's true, but "executable" in this context usually means the binary,
i.e., python itself.  Years ago, some UNIX platforms introduced a hack
that made setuid effective for script files, but today that is universally
recognized to have been misguided.  That's why I'm curious about yours.

Perl is subject to the same limitation, but has optional support for
setuid.  How can that be?  I'm no Perl whiz, but I assume you install
perl itself setuid root, and then it checks its input file for setuid
and either sets its ID accordingly or reverts to the invoker's ID.
This option is not the default and is rather discouraged as I recall it.

	Donn Cave, donn at u.washington.edu
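Added example, not part of the original post or of anything Donn or Jonathan wrote: a small audit helper that turns the point of this thread into a check. On Linux (and the BSDs in their default configuration) the kernel ignores the setuid and setgid bits on a `#!` interpreter script; the bits only take effect on a binary the kernel executes directly, which is why a `chmod 4755 test.py` under Python leaves `os.geteuid()` equal to `os.getuid()`. The code below classifies a file's mode and leading bytes accordingly, so a set-id bit left on a script in a cgi-bin is reported as ineffective (someone tried to do what pawn describes) rather than as a working privilege boundary. All file names and the temporary cgi-bin it builds are constructed for the demo; nothing here reads a real site.

```python
import os
import stat
import tempfile
from typing import Dict, List

SHEBANG = b"#!"


def classify_setid(mode: int, head: bytes) -> Dict[str, object]:
    """Pure helper: given a file's st_mode and its first bytes, report which
    set-id bits are present and whether the kernel would honour them.
    Assumption stated in the lead-in: set-id on a '#!' script is ignored,
    so such a bit never elevates the script but does show intent."""
    is_script = head.startswith(SHEBANG)
    has_suid = bool(mode & stat.S_ISUID)
    has_sgid = bool(mode & stat.S_ISGID)
    any_setid = has_suid or has_sgid
    return {
        "is_script": is_script,
        "has_setuid": has_suid,
        "has_setgid": has_sgid,
        # Dead weight on a script: flag it, because it signals a failed attempt
        # to run the CGI under the file owner's uid, as in the thread.
        "ineffective_setid": is_script and any_setid,
        # A real set-id binary: this one actually changes the effective id.
        "honoured_setid": (not is_script) and any_setid,
    }


def audit_file(path: str) -> Dict[str, object]:
    """Classify one regular file on disk (symlinks are not followed)."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        head = fh.read(2)
    result = classify_setid(st.st_mode, head)
    result["path"] = path
    result["owner_uid"] = st.st_uid
    return result


def audit_dir(directory: str) -> List[Dict[str, object]]:
    """Return findings for every regular file in `directory` carrying a set-id bit."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path):
            r = audit_file(path)
            if r["has_setuid"] or r["has_setgid"]:
                findings.append(r)
    return findings


def id_report() -> Dict[str, int]:
    """Real vs effective ids of this process. Under a set-id binary they
    differ; under a set-id-marked script on Linux they do not, which is the
    symptom the original poster ran into."""
    return {"uid": os.getuid(), "euid": os.geteuid(),
            "gid": os.getgid(), "egid": os.getegid()}


def running_with_elevated_ids() -> bool:
    r = id_report()
    return r["uid"] != r["euid"] or r["gid"] != r["egid"]


def demo() -> List[Dict[str, object]]:
    """Build a constructed cgi-bin in a temp dir, mark a script 4755 exactly
    as in the quoted experiment, and audit it. Depending on the filesystem
    the bit may be cleared, so callers should not assume a non-empty result."""
    with tempfile.TemporaryDirectory() as cgi_bin:
        script = os.path.join(cgi_bin, "test.py")        # constructed file
        with open(script, "w") as fh:
            fh.write("#!/usr/bin/env python3\nimport os\nprint(os.geteuid())\n")
        os.chmod(script, 0o4755)
        plain = os.path.join(cgi_bin, "index.html")      # constructed file
        with open(plain, "w") as fh:
            fh.write("<html></html>\n")
        return audit_dir(cgi_bin)


if __name__ == "__main__":
    print("process ids:", id_report(), "elevated:", running_with_elevated_ids())
    for finding in demo():
        print(finding)
```

Run against a real cgi-bin by calling `audit_dir("/path/to/cgi-bin")`; an entry with `ineffective_setid` set is the configuration this thread is about, and the fix it points to is a wrapper mechanism such as suexec or a dedicated set-id binary, not a bit on the script itself.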


