Setuid bit on python script: Linux vs Solaris
Notice: this page is a translated copy of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/8314012/
Asked by Eric
I am running this small Python script on both Linux and Solaris as a non-privileged user:
#!/usr/bin/python
import os
print 'uid,euid =',os.getuid(),os.geteuid()
Before running, the setuid bit is set on the script (not on the Python interpreter):
chown root:myusergrp getuid.py
chmod 4750 getuid.py
On Solaris, the effective uid is set because of the setuid bit:
uid,euid = 10002 0
But not on Linux:
uid,euid = 10002 10002
Note the Python version is 2.6 for both Solaris and Linux.
Is it possible to have Python Linux working as Python Solaris?
Accepted answer by David K. Hess
Most Unix distributions normally don't allow you to use setuid on a file that uses a #! interpreter. Solaris happens to be one that allows it due to its use of a more secure implementation than most other distributions.
See this FAQ entry for more background about why the mechanism is so dangerous: How can I get setuid shell scripts to work?
See this link for more discussion and how to compile a setuid executable that will run your script: setuid on shell scripts
The pertinent part:
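#include <stdlib.h>  /* system() */
#include <unistd.h>  /* setuid() */

int main()
{
    /* The compiled wrapper is what carries the setuid bit; switch to uid 0. */
    setuid( 0 );
    /* Run the script by its absolute path. */
    system( "/path/to/script.sh" );
    return 0;
}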
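A hardened variant of the wrapper above, as an added example that is not part of the original answer: it checks the result of setuid(), drops the caller's environment and arguments, and uses execve() instead of system() so that no shell parses caller-controlled state. The script path is the answer's placeholder; the PATH value and the helper names are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Placeholder path from the answer; the script must be root-owned and
   writable by root only, as must every directory above it. */
#define SCRIPT_PATH "/path/to/script.sh"

/* Fixed environment (assumed value). Nothing is inherited from the caller:
   PATH, LD_*, PYTHONPATH, ENV etc. are attacker-controlled in a setuid
   program. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Return 1 if NAME is set in the fixed environment, else 0. */
int env_has(const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; CLEAN_ENV[i] != NULL; i++)
        if (strncmp(CLEAN_ENV[i], name, n) == 0 && CLEAN_ENV[i][n] == '=')
            return 1;
    return 0;
}

/* Set real, effective and saved uid to root. Return 0 on success, -1 if
   the call failed or the ids are not what we asked for. */
int become_root(void)
{
    if (setuid(0) != 0)
        return -1;
    return (getuid() == 0 && geteuid() == 0) ? 0 : -1;
}

/* Replace this process with the script; returns only on failure. */
int run_script(void)
{
    char *const argv[] = { SCRIPT_PATH, NULL };  /* caller's argv is dropped */

    if (become_root() != 0) {
        fprintf(stderr, "cannot become root: %s\n", strerror(errno));
        return 1;
    }
    execve(SCRIPT_PATH, argv, CLEAN_ENV);  /* no shell, no PATH search */
    perror("execve");
    return 127;
}

int main(void) { return run_script(); }
```

The script itself still runs as root, so it must not trust its working directory, open file descriptors or any input it reads.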
Answer by zigg
I just put two and two together today and came up with an alternative solution: cython --embed.
Follow the examples at the link above and you'll get binary executables from your Python that you'll be able to chown and chmod u+s, completing the circle without a wrapper program.
Of course, beware the risks (of this or any other setuid use)—bugs in your script can result in elevated privileges on the system.
Answer by John Rigler
You could potentially use sudo to achieve what you want. It runs stuff as different users:
sudo -u otheruser command
Permissions are set by root using visudo. The setuid/setgid stuff doesn't appear to apply to scripts or the shell in Linux, only compiled code.