我们从Python开源项目中，提取了以下46个代码示例，用于说明如何使用os.setgroups()。
def _dropPrivileges(self, user, group):
    """Permanently switch this process to ``user``/``group``.

    Supplementary groups are cleared first, then the primary gid and
    finally the uid are set, so the uid change (the step that gives up
    root) comes last. Logging is re-initialised afterwards through
    ``self.resetLogging()``, which is defined elsewhere.

    Raises:
        KeyError: ``user`` or ``group`` is not a known account name.
        OSError: an id change was refused by the kernel.
    """
    import pwd
    import grp

    target_uid = pwd.getpwnam(user).pw_uid
    target_gid = grp.getgrnam(group).gr_gid

    # No supplementary group may survive the switch.
    os.setgroups([])
    # gid before uid: once the uid is unprivileged setgid would fail.
    os.setgid(target_gid)
    os.setuid(target_uid)

    self.resetLogging()
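def drop_privileges(self, uid_name, gid_name):
    """Drop root privileges to ``uid_name``/``gid_name`` and tighten the umask.

    Only root can change ids, so when the process is not root an info
    message is logged and nothing else happens. Otherwise the
    supplementary groups are cleared, the primary gid and then the uid
    are set, and the umask becomes 0o077 so newly created files are
    private to the new user.

    Args:
        uid_name: account name to run as.
        gid_name: group name to run as.

    Raises:
        KeyError: unknown user or group name.
        OSError: an id change was refused by the kernel.
    """
    if os.getuid() != 0:
        self.logger.info("Not running as root. Cannot drop permissions.")
        return

    running_uid = pwd.getpwnam(uid_name).pw_uid
    running_gid = grp.getgrnam(gid_name).gr_gid

    # Groups, then gid, then uid: the uid change is the step that gives
    # up the right to perform the other two.
    os.setgroups([])
    os.setgid(running_gid)
    os.setuid(running_uid)

    # Conservative umask; the previous value is not needed, so it is not kept.
    os.umask(0o077)
    self.logger.info(
        "Changed permissions to: %s: %i, %s, %i",
        uid_name, running_uid, gid_name, running_gid,
    )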
def setup_uid_manager(mockgid):
    """Build a ``mockbuild.uid.UidManager`` for the invoking unprivileged user.

    Starts from the current real uid/gid. When the process was started
    through ``sudo`` (``SUDO_UID``/``SUDO_GID`` in the environment) or
    ``consolehelper`` (``USERHELPER_UID``), the original caller's ids are
    used instead and the supplementary group list is reduced to
    ``mockgid`` only.

    Args:
        mockgid: gid of the mock group, installed as the sole supplementary group.

    Returns:
        A ``UidManager`` for (unprivileged uid, unprivileged gid).
    """
    env = os.environ
    caller_uid = os.getuid()
    caller_gid = os.getgid()

    # Invoked via sudo: recover the real caller from sudo's environment.
    if env.get("SUDO_UID") is not None:
        caller_uid = int(env['SUDO_UID'])
        os.setgroups((mockgid,))
        caller_gid = int(env['SUDO_GID'])

    # Invoked via consolehelper: only the uid is exported, the gid is
    # looked up from the password database (index 3 is pw_gid).
    if env.get("USERHELPER_UID") is not None:
        caller_uid = int(env['USERHELPER_UID'])
        os.setgroups((mockgid,))
        caller_gid = pwd.getpwuid(caller_uid)[3]

    return mockbuild.uid.UidManager(caller_uid, caller_gid)
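def drop_privileges(uid_name='nobody'):
    """Drop root privileges to the ``uid_name`` account.

    No-op when not running as root. Otherwise the supplementary groups
    are cleared, the process switches to the account's primary gid and
    then to its uid, a restrictive umask is set, and ``KRB5CCNAME`` is
    pointed at a path that does not exist so no inherited Kerberos
    credential cache is used.

    Args:
        uid_name: account to run as (default ``'nobody'``).

    Raises:
        KeyError: ``uid_name`` is not a known account.
        OSError: an id change was refused by the kernel.
    """
    if os.getuid() != 0:
        # Not root: there is nothing to drop.
        return

    account = pwd.getpwnam(uid_name)

    # Groups first, then the primary gid, then the uid. The setgid step
    # was missing before, which left the process with root's gid (0)
    # after the uid change.
    os.setgroups([])
    os.setgid(account.pw_gid)
    os.setuid(account.pw_uid)

    # Conservative umask: new files are readable by the owner only.
    os.umask(0o77)

    # TODO: probably redundant, as it will not have access to the
    # cred cache anyway.
    os.environ['KRB5CCNAME'] = 'FILE:/no_such_krbcc'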
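def drop_privileges(uid_name='nobody', gid_name='nogroup'):
    """Drop root privileges to ``uid_name``/``gid_name`` with a 0o077 umask.

    Returns immediately when not running as root. Otherwise the
    supplementary groups are cleared, the primary gid and then the uid
    are set, and the umask is tightened. The umask literal was the
    Python 2 form ``077``, which is a SyntaxError on Python 3; ``0o077``
    is the same value.

    Args:
        uid_name: account to run as.
        gid_name: group to run as.

    Raises:
        KeyError: unknown account or group name.
        OSError: an id change was refused by the kernel.
    """
    if os.getuid() != 0:
        return

    running_uid = pwd.getpwnam(uid_name).pw_uid
    running_gid = grp.getgrnam(gid_name).gr_gid

    # Groups, then gid, then uid: the uid change gives up the right to
    # perform the other two.
    os.setgroups([])
    os.setgid(running_gid)
    os.setuid(running_uid)

    # Conservative umask so files created afterwards are owner-only.
    os.umask(0o077)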
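def drop_privileges(uid_name='nobody', gid_name='nobody'):
    """Drop root privileges to ``uid_name``/``gid_name`` with a 0o77 umask.

    Returns immediately when not running as root. Otherwise the
    supplementary groups are cleared, the primary gid and then the uid
    are set, and the umask is tightened. The previous umask is not
    needed, so it is no longer stored in an unused local.

    Args:
        uid_name: account to run as.
        gid_name: group to run as.

    Raises:
        KeyError: unknown account or group name.
        OSError: an id change was refused by the kernel.
    """
    import os
    import pwd
    import grp

    if os.getuid() != 0:
        return

    running_uid = pwd.getpwnam(uid_name).pw_uid
    running_gid = grp.getgrnam(gid_name).gr_gid

    # Groups, then gid, then uid: the uid change gives up the right to
    # perform the other two.
    os.setgroups([])
    os.setgid(running_gid)
    os.setuid(running_uid)

    # Conservative umask so files created afterwards are owner-only.
    os.umask(0o77)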
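def drop_privileges(uid_name="nobody", gid_name="nogroup"):
    """Drop root privileges to ``uid_name``/``gid_name`` with a 0o077 umask.

    Takes no action when the process is already unprivileged. Otherwise
    the supplementary groups are cleared, the primary gid and then the
    uid are set, and the umask is tightened. The umask literal was the
    Python 2 form ``077`` (a SyntaxError on Python 3); ``0o077`` is the
    same value.

    Args:
        uid_name: account to run as.
        gid_name: group to run as.

    Raises:
        KeyError: unknown account or group name.
        OSError: an id change was refused by the kernel.
    """
    if os.getuid() != 0:
        # Already not root, take no action
        return

    running_uid = pwd.getpwnam(uid_name).pw_uid
    running_gid = grp.getgrnam(gid_name).gr_gid

    # Groups, then gid, then uid: the uid change gives up the right to
    # perform the other two.
    os.setgroups([])
    os.setgid(running_gid)
    os.setuid(running_uid)

    # Conservative umask so files created afterwards are owner-only.
    os.umask(0o077)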
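def drop_privileges_Arch(uid_name="nobody", gid_name="nobody"):
    """Drop root privileges to ``uid_name``/``gid_name`` (Arch defaults) with a 0o077 umask.

    Same procedure as ``drop_privileges`` but defaulting to the
    ``nobody`` group, which is what Arch Linux ships. Takes no action
    when already unprivileged. The umask literal was the Python 2 form
    ``077`` (a SyntaxError on Python 3); ``0o077`` is the same value.

    Args:
        uid_name: account to run as.
        gid_name: group to run as.

    Raises:
        KeyError: unknown account or group name.
        OSError: an id change was refused by the kernel.
    """
    if os.getuid() != 0:
        # Already not root, take no action
        return

    running_uid = pwd.getpwnam(uid_name).pw_uid
    running_gid = grp.getgrnam(gid_name).gr_gid

    # Groups, then gid, then uid: the uid change gives up the right to
    # perform the other two.
    os.setgroups([])
    os.setgid(running_gid)
    os.setuid(running_uid)

    # Conservative umask so files created afterwards are owner-only.
    os.umask(0o077)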
def set_user(username):
    """Switch the process to run as ``username``.

    Does nothing when ``username`` is None or already matches the
    current uid. An unknown name is logged and the ``KeyError``
    re-raised. When not running as root an error is logged but the id
    changes are still attempted and will raise from the OS. The
    supplementary group list becomes the user's primary gid followed by
    every group whose member list names the user.
    """
    if username is None:
        return

    import pwd
    import grp

    try:
        pwrec = pwd.getpwnam(username)
    except KeyError:
        logging.error('user not found: %s' % username)
        raise

    user, uid, gid = pwrec[0], pwrec[2], pwrec[3]

    cur_uid = os.getuid()
    if uid == cur_uid:
        return
    if cur_uid != 0:
        # Not root: the setgid/setuid calls below will raise.
        logging.error('can not set user as nonroot user')

    # inspired by supervisor
    if hasattr(os, 'setgroups'):
        member_of = [grprec[2] for grprec in grp.getgrall() if user in grprec[3]]
        os.setgroups([gid] + member_of)
    os.setgid(gid)
    os.setuid(uid)
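def _runAsUser(self, f, *args, **kw):
    """Run one or more callables with the effective ids of this object's user.

    ``f`` is either a single callable (invoked with ``*args``/``**kw``)
    or an iterable of ``(func[, args[, kwargs]])`` tuples invoked in
    order. Only the *effective* uid/gid and the supplementary groups
    are switched (seteuid/setegid), going through root in between, and
    the previous values are restored in a ``finally`` block -- this is
    a temporary impersonation, not a permanent privilege drop.

    Returns:
        The return value of the last callable, or None when the
        iterable was empty (previously an UnboundLocalError).
    """
    saved_euid = os.geteuid()
    saved_egid = os.getegid()
    saved_groups = os.getgroups()
    uid, gid = self.getUserGroupId()

    # Back to root so the group list and gid can be changed, then down
    # to the target user.
    os.setegid(0)
    os.seteuid(0)
    os.setgroups(self.getOtherGroups())
    os.setegid(gid)
    os.seteuid(uid)

    try:
        calls = iter(f)
    except TypeError:
        calls = [(f, args, kw)]

    result = None  # defined even when ``calls`` yields nothing
    try:
        for item in calls:
            func = item[0]
            call_args = len(item) > 1 and item[1] or ()
            call_kw = len(item) > 2 and item[2] or {}
            result = func(*call_args, **call_kw)
    finally:
        # Restore in reverse: root first, then the saved groups and ids.
        os.setegid(0)
        os.seteuid(0)
        os.setgroups(saved_groups)
        os.setegid(saved_egid)
        os.seteuid(saved_euid)
    return result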
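def demote(self):
    """Demote a root process to the configured ``self.user``/``self.group``.

    When running as root the supplementary groups are cleared, then the
    gid (from ``self.the_grp``, resolved elsewhere) and the uid (looked
    up here from ``self.user``) are set. Any failure is logged as
    critical and the process exits with status 1. When not root but a
    user or group was requested, that is also fatal. The ``except``
    clauses use the Python 3 ``as`` form (the original ``except
    Exception, ex`` is a SyntaxError on Python 3).
    """
    try:
        if os.getuid() == 0:
            # drop supplementary groups
            os.setgroups([])
            if self.group:
                try:
                    os.setgid(self.the_grp.gr_gid)
                except Exception as ex:
                    logging.critical("failed to set group to \"%s\" [%s]" % (self.group, str(ex)))
                    sys.exit(1)
            if self.user:
                try:
                    the_pwd = pwd.getpwnam(self.user)
                    # Use the record just looked up; the original read
                    # ``self.the_pwd`` and discarded this lookup.
                    os.setuid(the_pwd.pw_uid)
                except Exception as ex:
                    logging.critical("failed to set user to \"%s\" [%s]" % (self.user, str(ex)))
                    sys.exit(1)
        else:
            if self.user or self.group:
                logging.critical('not privileged ~~ cannot change to user [%s] / group [%s]' % (self.user, self.group))
                sys.exit(1)
    except Exception as ex:
        logging.critical("daemon.demote() caught exception [%s]" % str(ex))
        sys.exit(1)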
def _drop_priv(self):
    """Permanently drop to the account described by ``self.pw`` (a pwd entry).

    No-op unless running as root. The supplementary group list becomes
    the user's primary gid plus every group whose member list names the
    user; then real, effective and saved gid/uid are all set at once
    via setresgid/setresuid so no saved root id remains.
    """
    if os.getuid() != 0:
        return

    name = self.pw.pw_name
    gid = self.pw.pw_gid
    uid = self.pw.pw_uid

    member_gids = {entry.gr_gid for entry in grp.getgrall() if name in entry.gr_mem}
    member_gids.add(gid)
    os.setgroups(list(member_gids))

    # Setting all three ids closes the door on regaining root later.
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
def _set_permission(self):
    """Switch the process to ``self.username``.

    The user's primary gid becomes the only supplementary group, then
    the gid and finally the uid are set. ``getpwnam`` is expected to be
    imported from ``pwd`` elsewhere in the module.
    """
    account = getpwnam(self.username)
    primary_gid = account.pw_gid

    os.setgroups([primary_gid])
    os.setgid(primary_gid)
    os.setuid(account.pw_uid)
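def daemon(user, group, path='/', pidfile='/tmp/%s.pid' % __default_servicename__, other_groups=()):
    '''
    Daemonizes current application.

    Double-forks (via ``gevent.fork``), starts a new session, chdirs to
    ``path``, writes the daemon's pid to ``pidfile``, switches to
    ``group``/``user`` with ``other_groups`` as the supplementary group
    list (unknown names skipped) and redirects stdout/stderr to
    /dev/null.

    Args:
        user, group: account/group names to run as.
        path: working directory for the daemon.
        pidfile: where the pid is written; defaults to a name derived
            from ``__default_servicename__``.
        other_groups: names of supplementary groups to keep.

    Raises:
        KeyError: unknown ``user`` or ``group``.
        OSError: fork, setsid, chdir or an id change failed.
    '''
    uid = int(pwd.getpwnam(user)[2])
    gid = int(grp.getgrnam(group)[2])

    other_groups_id = []
    for name in other_groups:
        try:
            other_groups_id.append(int(grp.getgrnam(name)[2]))
        except KeyError:
            # Unknown supplementary group names are skipped, not fatal.
            pass

    # First fork: the parent exits, the child is re-parented to init.
    if gevent.fork() != 0:
        os._exit(0)
    # New session so the daemon has no controlling terminal.
    os.setsid()
    # Second fork: the session leader exits so a tty can never be reacquired.
    if gevent.fork() != 0:
        os._exit(0)

    os.chdir(path)
    # NOTE: umask 0 means files created from here on -- including the
    # pidfile below -- get their full requested mode (0666 for open()).
    os.umask(0)

    # NOTE(review): a predictable path under /tmp is writable by every
    # local user; a dedicated run directory would be safer.
    with open(pidfile, 'w') as fh:
        fh.write(str(os.getpid()))

    # gid and the supplementary list first, uid last. setgroups is now
    # called unconditionally: an empty ``other_groups`` previously left
    # root's inherited supplementary groups in place.
    os.setgid(gid)
    os.setgroups(other_groups_id)
    os.setuid(uid)

    # Kept open deliberately: it becomes the process's stdout/stderr.
    sys.stdout = sys.stderr = open(os.devnull, 'a+')
    gevent.reinit()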
def impersonation(user=None, group=None, workdir=None):
    """Return a callable that switches group, user and working directory.

    Intended as a pre-exec hook: each of ``group``, ``user`` and
    ``workdir`` is applied, in that order, only when it is not None.
    The group step clears the supplementary groups before setgid; the
    user step sets only the uid.
    """
    def switch_group():
        os.setgroups([])
        os.setgid(grp.getgrnam(group).gr_gid)

    def switch_user():
        os.setuid(pwd.getpwnam(user).pw_uid)

    def switch_dir():
        os.chdir(workdir)

    def impersonate():
        """Change user, group and workdir"""
        for setting, step in ((group, switch_group), (user, switch_user), (workdir, switch_dir)):
            if setting is not None:
                step()

    return impersonate
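def deescalate_sudo():
    """Drop from root back to the user who invoked ``sudo``.

    Reads ``SUDO_UID``/``SUDO_GID`` from the environment and does
    nothing when either is missing or empty. The supplementary groups
    are cleared (the invoking user's groups are not restored), then the
    real and effective gid and uid are set via setregid/setreuid.

    Raises:
        ValueError: an environment value is not an integer.
        OSError: an id change was refused by the kernel.
    """
    uid = os.environ.get('SUDO_UID')
    gid = os.environ.get('SUDO_GID')
    if not (uid and gid):
        return

    uid = int(uid)
    gid = int(gid)

    # Supplementary groups are dropped rather than restored, for now.
    os.setgroups([])
    # gid before uid: the uid change is the one that gives up root.
    os.setregid(gid, gid)
    os.setreuid(uid, uid)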
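def dropPrivileges(uname, gname):
    """Drop root privileges to ``uname``/``gname`` with a 0o077 umask.

    When not running as root: if a user or group name was given, verify
    that the process already runs with that uid/gid and raise
    ``error.SnmpsimError`` otherwise (the original compared the
    looked-up name with itself, so that check could never fail); with
    no names given simply return. When root, both names are required;
    the supplementary groups are cleared, then the gid and the uid are
    set. Every failure is reported as ``error.SnmpsimError``.
    """
    if os.getuid() != 0:
        # Already unprivileged: only confirm we are the requested identity.
        if uname and pwd.getpwnam(uname).pw_uid != os.getuid() or \
                gname and grp.getgrnam(gname).gr_gid != os.getgid():
            raise error.SnmpsimError('Process is running under different UID/GID')
        return

    if not uname or not gname:
        raise error.SnmpsimError('Must drop priveleges to a non-priveleged user&group')
    try:
        runningUid = pwd.getpwnam(uname).pw_uid
        runningGid = grp.getgrnam(gname).gr_gid
    except Exception:
        raise error.SnmpsimError('getpwnam()/getgrnam() failed for %s/%s: %s' % (uname, gname, sys.exc_info()[1]))
    try:
        os.setgroups([])
    except Exception:
        raise error.SnmpsimError('setgroups() failed: %s' % sys.exc_info()[1])
    try:
        # gid before uid: the uid change gives up the right to setgid.
        os.setgid(runningGid)
        os.setuid(runningUid)
    except Exception:
        raise error.SnmpsimError('setgid()/setuid() failed for %s/%s: %s' % (runningGid, runningUid, sys.exc_info()[1]))
    os.umask(63)  # 0077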
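def _runAsUser(self, f, *args, **kw):
    """Run one or more callables with the effective ids of this object's user.

    ``f`` is either a single callable (invoked with ``*args``/``**kw``)
    or an iterable of ``(func[, args[, kwargs]])`` tuples invoked in
    order. Only the *effective* uid/gid and the supplementary groups
    are switched (seteuid/setegid), going through root in between, and
    the previous values are restored in a ``finally`` block -- this is
    a temporary impersonation, not a permanent privilege drop.

    Returns:
        The return value of the last callable, or None when the
        iterable was empty (previously an UnboundLocalError).
    """
    saved_euid = os.geteuid()
    saved_egid = os.getegid()
    saved_groups = os.getgroups()
    uid, gid = self.getUserGroupId()

    # Back to root so the group list and gid can be changed, then down
    # to the target user.
    os.setegid(0)
    os.seteuid(0)
    os.setgroups(self.getOtherGroups())
    os.setegid(gid)
    os.seteuid(uid)

    try:
        calls = iter(f)
    except TypeError:
        calls = [(f, args, kw)]

    result = None  # defined even when ``calls`` yields nothing
    try:
        for item in calls:
            func = item[0]
            call_args = len(item) > 1 and item[1] or ()
            call_kw = len(item) > 2 and item[2] or {}
            result = func(*call_args, **call_kw)
    finally:
        # Restore in reverse: root first, then the saved groups and ids.
        os.setegid(0)
        os.seteuid(0)
        os.setgroups(saved_groups)
        os.setegid(saved_egid)
        os.seteuid(saved_euid)
    return result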
def drop_privileges(uid_name='nobody', gid_name='nogroup'):
    """Drop root privileges to ``uid_name``/``gid_name``; no-op when not root.

    Clears the supplementary groups, sets the primary gid and then the
    uid. The umask is left unchanged.

    Raises:
        KeyError: unknown account or group name.
        OSError: an id change was refused by the kernel.
    """
    if os.getuid():
        # Already unprivileged; nothing to drop.
        return

    import pwd
    import grp

    account = pwd.getpwnam(uid_name)
    group_entry = grp.getgrnam(gid_name)

    # Groups -> gid -> uid: the uid step gives up the right to do the rest.
    os.setgroups([])
    os.setgid(group_entry.gr_gid)
    os.setuid(account.pw_uid)
def _set_permission(self):
    """Switch the process to ``self.username`` and disable core dumps.

    The user's primary gid becomes the only supplementary group, then
    the gid and the uid are set. RLIMIT_CORE is then set to 0 so a
    crash cannot write the process image to disk. ``getpwnam`` is
    expected to be imported from ``pwd`` elsewhere in the module.
    """
    account = getpwnam(self.username)
    primary_gid = account.pw_gid

    os.setgroups([primary_gid])
    os.setgid(primary_gid)
    os.setuid(account.pw_uid)

    # No core files: a dump would expose whatever this process holds in memory.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    # resource.setrlimit(resource.RLIMIT_NPROC, (20, 40))
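def drop_privileges(uid_name='nobody', gid_name='nogroup'):
    """Drop privileges to ``uid_name``:``gid_name`` (default 'nobody:nogroup').

    Clears the supplementary groups, then sets the primary gid and the
    uid. There is no root check, so calling this unprivileged raises.
    The names were hard-coded before; the defaults keep that behaviour
    while letting callers choose another account.

    Args:
        uid_name: account to run as.
        gid_name: group to run as.

    Raises:
        KeyError: unknown account or group name.
        OSError: an id change was refused by the kernel.
    """
    running_uid = pwd.getpwnam(uid_name).pw_uid
    running_gid = grp.getgrnam(gid_name).gr_gid

    # Groups, then gid, then uid: the uid change gives up the right to
    # perform the other two.
    os.setgroups([])
    os.setgid(running_gid)
    os.setuid(running_uid)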
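def change_users_and_groups(mamaji_data):
    """Apply the pending id changes described by ``mamaji_data``.

    Keys read: ``supplementary_groups`` (list of gids, applied first
    when non-empty), ``pending_groups`` (dict with ``rgid``/``egid``/
    ``sgid``/``gid``) and ``pending_users`` (dict with ``ruid``/``euid``/
    ``suid``/``uid``); a value of None means "leave unchanged". Groups
    are changed before users so the uid change, which gives up
    privilege, comes last. Only these combinations are honoured: all
    three of real/effective/saved, exactly real+effective, or exactly
    effective -- any other pair (e.g. real+saved) is silently ignored.
    ``setresgid``/``setresuid`` are used as bare names and must be in
    scope from elsewhere in the module. The unused ``current_users`` /
    ``current_groups`` locals were dropped.
    """
    pending_users = mamaji_data['pending_users']
    pending_groups = mamaji_data['pending_groups']

    groups = mamaji_data['supplementary_groups']
    if groups:
        os.setgroups(groups)

    group_types = [k for k in ['rgid', 'egid', 'sgid'] if pending_groups[k] is not None]
    if len(group_types) == 3:
        setresgid(pending_groups['rgid'], pending_groups['egid'], pending_groups['sgid'])
    elif len(group_types) == 2:
        if 'rgid' in group_types and 'egid' in group_types:
            os.setregid(pending_groups['rgid'], pending_groups['egid'])
    elif len(group_types) == 1:
        if 'egid' in group_types:
            os.setegid(pending_groups['egid'])

    user_types = [k for k in ['ruid', 'euid', 'suid'] if pending_users[k] is not None]
    if len(user_types) == 3:
        setresuid(pending_users['ruid'], pending_users['euid'], pending_users['suid'])
    elif len(user_types) == 2:
        if 'ruid' in user_types and 'euid' in user_types:
            os.setreuid(pending_users['ruid'], pending_users['euid'])
    elif len(user_types) == 1:
        if 'euid' in user_types:
            os.seteuid(pending_users['euid'])

    if pending_groups['gid'] is not None:
        os.setgid(pending_groups['gid'])
    if pending_users['uid'] is not None:
        os.setuid(pending_users['uid'])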
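def daemon_script(script, user, group, path='/', pidfile=None, script_args=(), other_groups=(), python_bin=None):
    '''
    Daemonize a python script.

    Double-forks, starts a new session, chdirs to ``path``, switches to
    ``group``/``user`` with ``other_groups`` as the supplementary group
    list (unknown names skipped), then runs ``script`` with
    ``script_args`` under ``python_bin`` (default ``/usr/bin/env
    python``), writes the child's pid to ``pidfile`` and waits for it.

    Args:
        script: path of the script to run; resolved with realpath.
        user, group: account/group names to run the script as.
        path: working directory for the daemon.
        pidfile: pid file path; defaults to /tmp/<script basename>.pid.
        script_args: extra command-line arguments for the script.
        other_groups: names of supplementary groups to keep.
        python_bin: interpreter to use instead of ``/usr/bin/env python``.

    Raises:
        KeyError: unknown ``user`` or ``group``.
        OSError: fork, setsid, chdir or an id change failed.
    '''
    if not pidfile:
        # NOTE(review): a predictable path under /tmp is writable by every
        # local user; a dedicated run directory would be safer.
        pidfile = '/tmp/' + os.path.splitext(os.path.basename(script))[0] + '.pid'

    real_script = os.path.realpath(script)

    uid = int(pwd.getpwnam(user)[2])
    gid = int(grp.getgrnam(group)[2])

    other_groups_id = []
    for name in other_groups:
        try:
            other_groups_id.append(int(grp.getgrnam(name)[2]))
        except KeyError:
            # Unknown supplementary group names are skipped, not fatal.
            pass

    # First fork: the parent exits, the child is re-parented to init.
    if os.fork() != 0:
        os._exit(0)
    # New session so the daemon has no controlling terminal.
    os.setsid()
    # Second fork: the session leader exits so a tty can never be reacquired.
    if os.fork() != 0:
        os._exit(0)

    os.chdir(path)
    # NOTE: umask 0 means files created from here on -- including the
    # pidfile below -- get their full requested mode (0666 for open()).
    os.umask(0)

    # gid and the supplementary list first, uid last. setgroups is now
    # called unconditionally: an empty ``other_groups`` previously left
    # root's inherited supplementary groups in place.
    os.setgid(gid)
    os.setgroups(other_groups_id)
    os.setuid(uid)

    cmd = [python_bin] if python_bin else ["/usr/bin/env", "python"]
    cmd.append(real_script)
    cmd.extend(script_args)

    child = Popen(cmd)
    with open(pidfile, 'w') as fh:
        fh.write(str(child.pid))

    # Kept open deliberately: it becomes the process's stdout/stderr.
    sys.stdout = sys.stderr = open(os.devnull, 'a+')

    os.waitpid(child.pid, 0)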
def start(self):
    """Apply the configured uid/gid and umask once, logging what was done.

    On the first call (``self.finalized`` False) the process switches to
    ``self.gid`` (clearing the supplementary groups) and then to
    ``self.uid``, for whichever of the two is set, and applies
    ``self.umask`` when set. Later calls only log that the settings are
    already in effect. Unset settings are logged at level 30.
    """
    def current_ids():
        """Return the current (uid, gid) if available."""
        user_name = pwd.getpwuid(os.getuid())[0] if pwd else None
        group_name = grp.getgrgid(os.getgid())[0] if grp else None
        return user_name, group_name

    ids_unset = self.uid is None and self.gid is None

    # uid/gid
    if self.finalized:
        if not ids_unset:
            self.bus.log('Already running as uid: %r gid: %r' % current_ids())
    elif ids_unset:
        if pwd or grp:
            self.bus.log('uid/gid not set', level=30)
    else:
        self.bus.log('Started as uid: %r gid: %r' % current_ids())
        # gid first (with the supplementary groups cleared), uid last.
        if self.gid is not None:
            os.setgid(self.gid)
            os.setgroups([])
        if self.uid is not None:
            os.setuid(self.uid)
        self.bus.log('Running as uid: %r gid: %r' % current_ids())

    # umask
    if self.finalized:
        if self.umask is not None:
            self.bus.log('umask already set to: %03o' % self.umask)
    elif self.umask is None:
        self.bus.log('umask not set', level=30)
    else:
        previous = os.umask(self.umask)
        self.bus.log('umask old: %03o, new: %03o' % (previous, self.umask))

    self.finalized = True

# This is slightly higher than the priority for server.start
# in order to facilitate the most common use: starting on a low
# port (which requires root) and then dropping to another user.
def chugid(runas):
    '''
    Change the current process to belong to the imputed user (and the groups he belongs to)
    '''
    uinfo = pwd.getpwnam(runas)

    # The line below used to exclude the current user's primary gid.
    # However, when root belongs to more than one group
    # this causes root's primary group of '0' to be dropped from
    # his grouplist. On FreeBSD, at least, this makes some
    # command executions fail with 'access denied'.
    #
    # The Python documentation says that os.setgroups sets only
    # the supplemental groups for a running process. On FreeBSD
    # this does not appear to be strictly true.
    group_list = get_group_dict(runas, include_default=True)
    if sys.platform == 'darwin':
        # Names starting with an underscore are filtered out on macOS.
        group_list = dict(
            (name, gid) for name, gid in six.iteritems(group_list)
            if not name.startswith('_')
        )

    # Deduplicate gids while preserving first-seen order.
    seen = set()
    supgroups = []
    for group_name in group_list:
        gid = group_list[group_name]
        if gid in seen:
            continue
        seen.add(gid)
        supgroups.append(gid)

    if os.getgid() != uinfo.pw_gid:
        try:
            os.setgid(uinfo.pw_gid)
        except OSError as err:
            raise CommandExecutionError(
                'Failed to change from gid {0} to {1}. Error: {2}'.format(
                    os.getgid(), uinfo.pw_gid, err
                )
            )

    # Set supplemental groups
    if sorted(os.getgroups()) != sorted(supgroups):
        try:
            os.setgroups(supgroups)
        except OSError as err:
            raise CommandExecutionError(
                'Failed to set supplemental groups to {0}. Error: {1}'.format(
                    supgroups, err
                )
            )

    # uid last: after this the process can no longer change gid/groups.
    if os.getuid() != uinfo.pw_uid:
        try:
            os.setuid(uinfo.pw_uid)
        except OSError as err:
            raise CommandExecutionError(
                'Failed to change from uid {0} to {1}. Error: {2}'.format(
                    os.getuid(), uinfo.pw_uid, err
                )
            )
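def switchuser(username):
    """
    Switch user the process is running as.

    This method will only work if is are running as root.

    Arguments:
        ``username'' is the username of the user we want to run as.

    Returns/raises:
        If switch is a success, returns True.
        If user is unknown and we're still running as root, raises
        UserNotFoundError.
        If failing to switch, raises SwitchUserError.

    Two fixes over the original: the group scan no longer reuses the
    ``gid`` name (so the log and SwitchUserError report the user's
    primary gid rather than the last group scanned), and the
    supplementary group list is always set, so a user with no extra
    groups does not inherit the caller's (root's) groups.
    """
    # Get UID/GID we're running as
    olduid = os.getuid()
    oldgid = os.getgid()

    try:
        # Try to get information about the given username
        pwrec = pwd.getpwnam(username)
    except KeyError:
        raise UserNotFoundError(username)

    uid, gid = pwrec.pw_uid, pwrec.pw_gid

    if olduid == uid:
        # Already running as the given user
        _logger.debug("Running as uid/gid %d/%d.", olduid, oldgid)
        return True

    try:
        # Set primary group
        os.setgid(gid)
        # Set non-primary groups: every group whose member list names the user
        gids = [entry.gr_gid for entry in grp.getgrall() if username in entry.gr_mem]
        os.setgroups(gids)
        # Set user id -- last, since this gives up the right to change groups
        os.setuid(uid)
    except OSError:
        # Failed changing uid/gid
        _logger.debug("Failed chaning uid/gid from %d/%d to %d/%d.",
                      olduid, oldgid, uid, gid)
        raise SwitchUserError(olduid, oldgid, uid, gid)

    # Switch successful
    _logger.debug("uid/gid changed from %d/%d to %d/%d.",
                  olduid, oldgid, uid, gid)
    return True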