[Tutor] os.setuid(euid) function

Danny Yoo dyoo@hkn.eecs.berkeley.edu
Mon Dec 2 03:01:04 2002 

On Mon, 2 Dec 2002, Kirk Bailey wrote:

> Then I have the pleasure of reporting a typo in the documentation.
>
> Beyond that, when in my server, I ran python, and indeed os.getuid()
> works fine, and WHEN SUPERUSER setuid(990) (which is my non su id)
> worked fine. But when I was NOT su, and did os.setuid(0), it said
> 'operation not permitted'. And this is EXACTLY what I want the thing to
> do- assume a priviliged identity to go change essencial files in the
> mail system.
>
> The executable is python, and it is owned by root. If I turn on the 4000
> bit it should execute as root ALWAYS, unless it has tricks of it's own
> to let it assume a nonpriviliged identity.


Hi Kirk,

Ah!  The setuid bit interacts --- or, more precisely, doesn't interact ---
with Python scripts.  That is, your operating system is mostly likely not
obeying the request to run the Python script using the setuid bit, for
security reasons.  This isn't limited to Python: all scripts are limited
in this way for protection against a potentially dangerous security hole.


You may have missed my original reply from November 21, so I'll forward it
to you again:

----

On Thu, 21 Nov 2002, Kirk Bailey wrote:

> This is driving me nuts. Well, nuts-er.
> Sayth the error log:
> IOError: [Errno 13] Permission denied: '/etc/mail/aliases.tmp'
> Traceback (innermost last):
>    File "/www/www.tinylist.org/cgi-bin/TLlistkill2.py", line 181, in ?
>      os.remove('./lists/' + mylist + '.*') # remove ALL files starting
with
> the name (mylist) and ANY name extension- but don't get a hissy fit if
there
> are none!
> OSError: [Errno 2] No such file or directory: './lists/testlist3.*'
>
> hmmm...
>
> The script is owned by root. The 4000 bit is set, so the script OUGHT to
> run as the ownening identity -root.


You're talking about the sticky bit, right?  If so, then that might be the
result of security tightening on your Unix system:

    http://www.oreillynet.com/pub/faqs/linux_faq_AEN2090
    http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html

If you want to run a certain script with elevated privileges, you may want
to use the 'sudo' command instead rather than depend on the setuid bit.