
RFC: Name that Module

by pileofrogs (Priest)
on Apr 26, 2008 at 05:16 UTC ( #683029=perlmeditation )

I've written a module that I've given the temporary name Process::DropPrivs. It's for dropping root privileges and making sure they really did get dropped. This is useful in a script that might start up as root, open up a log file in /var/log, switch to the 'nobody' user id, and then do something as nobody. This is one of those tasks that looks simple but is easy to get wrong. The module has one function, which I currently call drop_privs(), and it changes the current process's uid, euid, gid, egid & supplemental gids. For example, 'root' might be a member of the 'root','wheel','tape' and 'bin' groups. When you switch to the 'nobody' user you want to make sure you didn't stay a member of the 'wheel' group.

So, a module that does that is what I'm looking for a name for.

Other ideas I've had are:




Replies are listed 'Best First'.
Re: RFC: Name that Module
by Arunbear (Parson) on Apr 26, 2008 at 10:14 UTC

      Actually, no, this should work in any system with multiple users. The only thing I do is set $<,$>,$( and $), and check those values. So this might work anywhere $<, $>, $( and $) are meaningful.

      So, I guess a better way to say that is, I intend for this module to be portable, so if it doesn't work on any OS that has multiple users, then that's a bug on my part.

        So this might work anywhere $<, $>, $( and $) are meaningful. Which means, Unix.

        I don't have access to VMS or anything like that, but those variables definitely do not mean anything at all under Windows. And whether there's any chance to implement something similar to what you propose, I really don't know. And I doubt it.

Re: RFC: Name that Module
by salva (Abbot) on Apr 26, 2008 at 10:33 UTC
    I would use something inside the Proc namespace... probably Proc::SwitchUser or Proc::SetUser.

    BTW, it would also be nice to have functions like system_as_user, fork_as_user, open_pipe_as_user, open2_as_user and open3_as_user available from your module... I don't know if these are the best names, but you get the idea!

      My only hesitation about using 'Proc' as the namespace is the association with the /proc filesystem on linux (and others).

      What does everyone think? Does 'Proc' mean 'process' or '/proc'?

      And regarding system_as_user, fork_as_user, open_pipe_as_user, open2_as_user and open3_as_user etc... That is where this is eventually heading. The module containing fork_as_user and co would use Proc::SetUser or whatever the name turns out to be.

        The Proc namespace is for process-related modules.

        Take a look at the rest of the modules in the namespace and you will see that almost none are related to the /proc file system.

Re: RFC: Name that Module
by ambrus (Abbot) on Apr 26, 2008 at 15:42 UTC

    Proc::Initgroups because the corresponding C functions are initgroups and setuid?
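
The privilege drop described in the original post, as an added example that is not pileofrogs's module or any code from this thread. It calls POSIX::setgid and POSIX::setuid instead of assigning to $( and $<, reads every id back, and confirms root cannot be regained; the helper name, the log path and the 'nobody' target are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();
use English qw(-no_match_vars);   # $UID=$<  $EUID=$>  $GID=$(  $EGID=$)

# Added example (hypothetical helper, not the module discussed in the thread).
sub drop_privs {
    my ($user) = @_;
    my @pw = getpwnam($user) or die "no such user: $user\n";
    my ($uid, $gid) = @pw[2, 3];
    die "refusing to 'drop' to uid 0\n" if $uid == 0;

    # Groups first: after the uid changes we can no longer alter them.
    # In $EGID the first number is the egid, the rest go to setgroups();
    # repeating $gid leaves no supplementary group other than $gid.
    $EGID = "$gid $gid";
    POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";
    # As root, setuid() replaces the real, effective and saved uid together.
    POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

    # Do not trust the calls: read every id back.
    die "uid still $UID/$EUID, wanted $uid\n"
        unless $UID == $uid && $EUID == $uid;
    my @stale = grep { $_ != $gid } map { split ' ', $_ } $GID, $EGID;
    die "still in groups: @stale\n" if @stale;

    # If a saved uid of 0 survived, this call would succeed.
    die "root can be regained\n" if defined(POSIX::setuid(0));
    return 1;
}

# Constructed usage for the scenario in the post: open the log as root, then drop.
if (!caller) {
    die "start this as root\n" unless $EUID == 0;
    my $path = '/var/log/dropprivs-example.log';   # assumed path
    open my $log, '>>', $path or die "open $path: $!\n";
    drop_privs('nobody');                           # assumed target user
    print {$log} "pid $$ now uid=$UID euid=$EUID gids=$EGID\n";
    close $log or die "close: $!\n";
}
```

The already-open log handle stays writable after the drop because file permissions are checked at open time, not on each write.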

Node Type: perlmeditation [id://683029]
Approved by McDarren
Front-paged by Old_Gray_Bear