John Carter
I wanted to reliably temporarily or permanently drop privileges from
Ruby so I tried porting the code in ...
http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf
But rapidly found that...
a) They strongly recommend you use setresuid/getresuid
b) Ruby strangely enough has setresuid but not getresuid.
Any idea why?
Anyhoo, here is a crude sudo based hack around...
module Privilege
  # Run the block with the effective uid of the user who invoked sudo,
  # then restore the original effective uid.
  def Privilege::drop_privilege_temporarily(&block)
    # Doesn't look like we've been sudone... So do nothing...
    unless ENV.has_key? "SUDO_UID"
      block.call
      return
    end
    sudo_uid = ENV["SUDO_UID"].to_i
    current_uid = Process::Sys::geteuid
    begin
      Process::Sys::seteuid(sudo_uid)
      block.call
    ensure
      # Always switch back, even if the block raises.
      Process::Sys::seteuid(current_uid)
    end
  end
end

# p Process::Sys::geteuid
#
# Privilege::drop_privilege_temporarily do
#   p Process::Sys::geteuid
# end
#
# p Process::Sys::geteuid
John Carter Phone : (64)(3) 358 6639
Tait Electronics Fax : (64)(3) 359 4632
PO Box 1645 Christchurch Email : (e-mail address removed)
New Zealand
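
Added example, not part of the original post: a stricter variant of the same sudo-based temporary drop that validates SUDO_UID and SUDO_GID (String#to_i turns nil or garbage into 0, i.e. root), and goes beyond the post by also switching the effective gid and supplementary groups. The names SudoPrivilege, parse_id and drop_temporarily are hypothetical, and an injectable env hash is assumed so the parsing paths run without root.

```ruby
# Added example; SudoPrivilege, parse_id and drop_temporarily are hypothetical names.
module SudoPrivilege
  # Strictly parse a SUDO_UID/SUDO_GID value. String#to_i maps nil, "" and
  # garbage to 0 (root), so accept plain decimal digits only.
  def self.parse_id(value, allow_zero: false)
    return nil unless value.is_a?(String) && value.match?(/\A\d{1,10}\z/)
    id = value.to_i
    id.zero? && !allow_zero ? nil : id
  end

  # Run the block with the invoking sudo user's effective uid, gid and
  # supplementary groups, then restore the privileged ids.
  # env is injectable (an assumption of this example) for testing.
  def self.drop_temporarily(env = ENV)
    return yield unless env.key?("SUDO_UID") # not started via sudo
    uid = parse_id(env["SUDO_UID"]) || raise(ArgumentError, "bad SUDO_UID")
    gid = parse_id(env["SUDO_GID"], allow_zero: true) ||
          raise(ArgumentError, "bad SUDO_GID")
    return yield unless Process.euid.zero? # not privileged: nothing to drop

    saved_uid, saved_gid, saved_groups = Process.euid, Process.egid, Process.groups
    begin
      # Groups and gid first: once euid is non-root these calls would fail.
      Process.groups = [gid]
      Process::Sys.setegid(gid)
      Process::Sys.seteuid(uid)
      unless Process.euid == uid && Process.egid == gid
        raise SecurityError, "privilege drop did not take effect"
      end
      yield
    ensure
      # Reverse order: regain euid 0 first so the gid/groups calls succeed.
      Process::Sys.seteuid(saved_uid)
      Process::Sys.setegid(saved_gid)
      Process.groups = saved_groups
    end
  end
end
```

Because only the effective ids change, the saved uid stays 0 and code inside the block can call seteuid(0) again; this guards against accidental privileged operations, not against hostile code running in the block.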