![]() Setting $EUID will result in an exception being thrown if it does not succeed. However reading $EUID always results in the effective UID of the process being read. This is the effective UID of the process. If Proc::UID is called with the :vars parameter, the following variables will be made available: $EUID It is equivilent to setting the effective uid/gid to the saved uid/gid. These functions will allow you to restore a privilege previously dropped using drop_uid_temp or drop_gid_temp. If privileges cannot be dropped, then the function will throw an exception. They have the effect of setting the effective uid to the supplied argument, and the saved uid to the previous effective uid. These functions will allow privileges to be dropped in a temporary fashion. drop_uid_temp($uid) and drop_gid_temp($gid) If drop_uid_perm or drop_gid_perm cannot drop privileges, then it will throw an exception. It guarantees that the real, effective and saved uid/gid will be set to the argument supplied. The drop_uid_perm and drop_gid_perm functions allow a program to permanently drop its privileges to the given $uid or $gid. drop_uid_perm($uid) and drop_gid_perm($gid) The following interface is the preferred method to manipulate a the UID/GID of a process. These logical operations are based upon the paper "Setuid demystified", by Hao Chen, David Wagner, and Drew Dean. Proc::UID also provides a set of functions with very clear names that allow logical operations (temporarily drop privileges, permanently drop privileges, and regain privileges) to be performed. To best achieve this goal, Proc::UID will always check the success of any operation requested, and will generate an exception in the case of failure. It would be a very Bad Thing if a program were to continue operating believing it had dropped privileges when it had not. Mistakes should be difficult to make.Īny code that works with elevated privileges needs to be particularly careful with its actions. The goal of Proc::UID is to provide an interface that is straightforward and easy to understand, and that operates in the same fashion regardless of operating system. The traditional POSIX setuid function is notorious for being difficult to understand. Proc::UID is designed with the following goals in mind: The interface should be easy to understand. Proc::UID provides both a variable and function interfaces to underlying UIDs. Perl may sometimes cache the values of $, $( and $), which means they can be wrong after being changed with low-level system calls. ![]() Proc::UID is also very pedantic about making sure that operations succeeded, and checking the value which it returns for a UID/GID really is the one that's being used. It also provides a way to permanently drop privileges to that of a given user, a process which $ = $uid does not guarantee, and the exact syntax of which may vary from between operating systems. This module provides a consistent and logical interface to real, effective, and saved UIDs and GIDs. However most modern Unix systems also have a concept of saved UIDs. Perl only has concepts of effective and real user-ids (UIDs) and group-ids (GIDs), accessible via the special variables $, $( and $). This module is provided "as is", without warranty of any kind, either express or implied, including, but limited to, the implied warranties of merchantability and fitness for a particular purpose. If your code is running with additional privileges, it is recommended that you always carefully test and audit your code, including this module if you use it. Print "Saved-UIDs are cached\n" if suid_is_cached() WARNING Print "Permanently dropping privs to $new_gid and $new_uid\n" ĭrop_gid_perm($new_gid) # Throws an exception on failure.ĭrop_uid_perm($new_uid) # Throws an exception on failure. Print "My saved-uid is $SUID, effective-uid is $EUID ", Proc::UID - Manipulate a variety of UID and GID settings.
0 Comments
Leave a Reply. |