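I'm trying to create a function to drop sudo privileges.
I'm the maintainer of the package dcli, a Dart package intended to replace bash.
One of my goals is to allow users to de-escalate sudo privileges to those of the original user for certain parts of their code:
If we have a script called touch_me.dart
The user would run: sudo touch_me
The touch_me.dart script would be: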
void main() {
  test('isPriviliged', () {
    try {
      print('isPriviliged: ${Shell.current.isPrivilegedUser}');
      print('uid: ${getuid()}');
      print('gid: ${getgid()}');
      print('euid: ${geteuid()}');
      print('euid: ${geteuid()}');
      print('user: ${getlogin()}');
      print('SUDO_UID: ${env['SUDO_UID']}');
      print('SUDO_USER: ${env['SUDO_USER']}');
      print('SUDO_GUID: ${env['SUDO_GID']}');
      print('de-escalating to: uid: $originalUID, gid: $originalGID');
      print('pre-descalation euid: ${geteuid()}');
      print('pre-descalation user egid: ${getegid()}');
      releasePrivileges();
      print('post-descalation euid: ${geteuid()}');
      print('post-descalation user egid: ${getegid()}');
      touch('test.txt', create: true);
      'ls -la test.txt'.run;
      withPrivileges(() {
        print('with privileges euid: ${geteuid()}');
        print('with privileges egid: ${getegid()}');
        touch('test2.txt', create: true);
        'ls -la test2.txt'.run;
      });
    } on PosixException catch (e, st) {
      print(e);
      print(st);
    }
  });
}
bool get isPrivilegedUser {
  return _whoami() == 'root';
}

/// revert uid and gid to original user's id's
void releasePrivileges() {
  if (Shell.current.isPrivilegedUser) {
    var sUID = env['SUDO_UID'];
    var gUID = env['SUDO_GID'];
    // convert id's to integers.
    var originalUID = sUID != null ? int.tryParse(sUID) ?? 0 : 0;
    var originalGID = gUID != null ? int.tryParse(gUID) ?? 0 : 0;
    setegid(originalGID);
    seteuid(originalUID);
  }
}

/// Run [privilegedCallback] with root UID and gid
void withPrivileges(RunPrivileged privilegedCallback) {
  var privileged = Shell.current.isPrivilegedUser;
  if (!privileged) {
    setegid(0);
    seteuid(0);
  }
  // run the callback method with escalated privileges.
  privilegedCallback();
  // If the code was originally running privileged then
  // we leave it as it was.
  if (!privileged) {
    releasePrivileges();
  }
}

typedef RunPrivileged = void Function();

Everything works fine except for the change to the gid. Even though releasePrivileges calls setegid(SUDO_GID) and SUDO_GID is 1000, the created file has a gid of 0.
isPriviliged: true
uid: 0
gid: 0
euid: 0
euid: 0
user: bsutton
SUDO_UID: 1000
SUDO_USER: bsutton
SUDO_GUID: 1000
de-escalating to: uid: 1000, gid: 1000
pre-descalation euid: 0
pre-descalation user egid: 0
post-descalation euid: 1000
post-descalation user egid: 1000
-rw-r--r-- 1 bsutton root 0 Jan 18 10:23 test.txt
with privileges euid: 0
with privileges egid: 0
-rw-r--r-- 1 root root 0 Jan 18 10:23 test2.txt

Edit:
Here is the simplest example that demonstrates the problem:
void main() {
  var sUID = env['SUDO_UID'];
  var gUID = env['SUDO_GID'];
  // convert id's to integers.
  var originalUID = sUID != null ? int.tryParse(sUID) ?? 0 : 0;
  var originalGID = gUID != null ? int.tryParse(gUID) ?? 0 : 0;
  setegid(originalGID);
  seteuid(originalUID);
  touch('test.txt', create: true);
  'ls -la test.txt'.run;
}

Posted on 2021-01-18 07:33:37
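The problem was my test environment :<
In an earlier test I had accidentally created test.txt with gid = 0.
If I re-run the test, deleting test.txt before starting, the code runs as expected :<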
https://stackoverflow.com/questions/65767036
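
As an added example (not part of the original post and not dcli's code), here is the same temporary drop written against the underlying POSIX calls in C, with a `touch` that reports whether it actually created the file; a pre-existing file keeps its old owner and group, which is what produced the `root` group in the listing above. The helper names `env_id`, `drop_effective` and `touch_and_stat` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Parse SUDO_UID / SUDO_GID strictly; -1 if unset or not a non-negative number. */
static long env_id(const char *name) {
    const char *s = getenv(name);
    char *end;
    if (!s || !*s) return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    return (errno || *end || v < 0) ? -1 : v;
}

/* Temporary drop: change the group first, while the euid may still do so. */
static int drop_effective(uid_t uid, gid_t gid) {
    if (setegid(gid) != 0 || seteuid(uid) != 0) return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Like `touch`: creates the file only if absent, so a stale file keeps its
 * old owner and group. *created reports which case happened. */
static int touch_and_stat(const char *path, struct stat *st, int *created) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    *created = (fd >= 0);
    if (fd < 0 && errno == EEXIST) fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    int rc = fstat(fd, st);
    close(fd);
    return rc;
}

int main(void) {
    long uid = env_id("SUDO_UID"), gid = env_id("SUDO_GID");
    if (uid < 0 || gid < 0) { uid = getuid(); gid = getgid(); } /* not under sudo */
    if (drop_effective((uid_t)uid, (gid_t)gid) != 0) { perror("drop"); return 1; }
    struct stat st; int created;
    unlink("test.txt");                 /* remove leftovers from earlier runs */
    if (touch_and_stat("test.txt", &st, &created) != 0) { perror("touch"); return 1; }
    printf("created=%d uid=%ld gid=%ld\n", created, (long)st.st_uid, (long)st.st_gid);
    return 0;
}
```

When `created` is 0 the reported uid and gid belong to whoever created the file earlier, so a test that checks ownership after a drop should treat that case as inconclusive.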