def osPrintInfo():
print os.ctermid()
print os.getegid()
print os.getgroups()
print os.getlogin()
print os.getpid()
print os.getresuid()
# os.setegid(1001)
# os.setgid(1000)
print os.getpid()
def su(uid=None,gid=None,sub=False):
#set effective or subprocess user/group if valid and not root,
#if gid not provided, will use effective user's group
#if uid is a string, get the uid
#if sub=True, return a preexeec function that will set the uid/gid
if type(uid) is str: uid=pwd.getpwnam(uid).pw_uid
#if uid valid
if uid and uid>0:
if type(gid) is str: gid=grp.getgrnam(gid).gr_gid
#if no valid group specified, use user's group
if gid and gid>0: pass
else: gid=pwd.getpwuid(uid).pw_gid
#reset effective uid (likely back to root) so we can change it again
if sub:
def preexec_fn():
os.seteuid(os.getuid())
os.setgid(gid)
os.setuid(uid)
os.setsid() #make session leader so kill works
return preexec_fn
else:
os.seteuid(os.getuid())
os.setegid(gid)
os.seteuid(uid)
return os.getresuid(),os.getresgid()
def initialize(config, LOG):
""" Store initial values for UID/GID, and setup the user cache."""
(_, euid, _) = os.getresuid()
(_, egid, _) = os.getresgid()
# store effective uid/gid, we'll switch back to these after every action
config['tsi.effective_uid'] = euid
config['tsi.effective_gid'] = egid
switch_uid = config.get("tsi.switch_uid", True)
if switch_uid or euid == 0:
LOG.info(
"Running privileged, will perform all operations as the requested user."
)
config['tsi.switch_uid'] = True
else:
LOG.info("Running unprivileged.")
config['tsi.switch_uid'] = False
if config['tsi.enforce_os_gids']:
LOG.info(
"Groups of the user will be limited to those available in the OS.")
else:
LOG.info("UNICORE will be free to assign any groups to the user "
"regardless of the OS settings.")
cache_ttl = config.get('tsi.userCacheTtl', 600)
use_id = config['tsi.use_id_to_resolve_gids']
if use_id:
LOG.info("Groups will be resolved via 'id -G <username>")
user_cache = UserCache.UserCache(cache_ttl, LOG, use_id)
config['tsi.user_cache'] = user_cache
def _make_passphrase(length=None, save=False, file=None):
"""Create a passphrase and write it to a file that only the user can read.
This is not very secure, and should not be relied upon for actual key
passphrases.
:param int length: The length in bytes of the string to generate.
:param file file: The file to save the generated passphrase in. If not
given, defaults to 'passphrase-<the real user id>-<seconds since
epoch>' in the top-level directory.
"""
if not length:
length = 40
passphrase = _make_random_string(length)
if save:
ruid, euid, suid = os.getresuid()
gid = os.getgid()
now = mktime(localtime())
if not file:
filename = str('passphrase-%s-%s' % uid, now)
file = os.path.join(_repo, filename)
with open(file, 'a') as fh:
fh.write(passphrase)
fh.flush()
fh.close()
os.chmod(file, stat.S_IRUSR | stat.S_IWUSR)
os.chown(file, ruid, gid)
log.warn("Generated passphrase saved to %s" % file)
return passphrase
def SwitchRoot():
(ruid, euid, suid) = os.getresuid()
if suid == 0:
os.setuid(0)
os.setgid(0)
else:
raise Exception("Cannot switch on root user")
def get_cachedir(dir_name='fpn_cache', user_dirs=False):
"""
Get temp cachedir according to OS (create it if needed)
* override the dir_name arg for non-cache data
"""
import os
import pwd
import tempfile
from appdirs import AppDirs
temp_dir = tempfile.gettempdir()
dirs = AppDirs('fpnd', 'FreePN')
if user_dirs or NODE_SETTINGS['runas_user']:
cache_dir = dirs.user_cache_dir
else:
cache_dir = '/var/lib/fpnd'
sys_usr = pwd.getpwuid(os.geteuid()).pw_name
sys_uids = os.getresuid()
if not sys_usr == 'fpnd' and 0 not in sys_uids:
cache_dir = temp_dir
# logger.debug('UIDs for cachedir: {}'.format(sys_uids))
# logger.debug('effective user for cachedir: {}'.format(sys_usr))
if cache_dir == temp_dir:
logger.debug('Falling back to temp dir: {}'.format(temp_dir))
return os.path.join(cache_dir, dir_name)
def about_user():
"""Show information about the user"""
if parameters["User"]:
print("[User]")
user = getpass.getuser()
print("getpass.getuser()={}".format(user))
print("os.getlogin()={}".format(os.getlogin()))
if sys_type() == "Unix":
print('pwd.getpwnam("{}")={}'.format(user, pwd.getpwnam(user)))
print("os.getgroups()={}".format(os.getgroups()))
for group_id in os.getgroups():
print("grp.getgrgid({})={}".format(group_id,
grp.getgrgid(group_id)))
elif sys_type() == "Windows":
if os.environ["USERNAME"]:
print('os.environ["USERNAME"]={}'.format(
os.environ["USERNAME"]))
if os.environ["USERPROFILE"]:
print('os.environ["USERPROFILE"]={}'.format(
os.environ["USERPROFILE"]))
if os.environ["USERDOMAIN"]:
print('os.environ["USERDOMAIN"]={}'.format(
os.environ["USERDOMAIN"]))
if os.environ["USERDOMAIN_ROAMINGPROFILE"]:
print('os.environ["USERDOMAIN_ROAMINGPROFILE"]={}'.format(
os.environ["USERDOMAIN_ROAMINGPROFILE"]))
if os.environ["HOME"]:
print('os.environ["HOME"]={}'.format(os.environ["HOME"]))
if os.environ["HOMEDRIVE"]:
print('os.environ["HOMEDRIVE"]={}'.format(
os.environ["HOMEDRIVE"]))
if os.environ["HOMEPATH"]:
print('os.environ["HOMEPATH"]={}'.format(
os.environ["HOMEPATH"]))
print()
print("[User/Process]")
if sys_type() == "Unix":
print("os.getuid()={}".format(os.getuid()))
print("os.getgid()={}".format(os.getgid()))
print("os.geteuid()={}".format(os.geteuid()))
print("os.getegid()={}".format(os.getegid()))
print("os.getresuid()={}".format(os.getresuid()))
print("os.getresgid()={}".format(os.getresgid()))
print()
print("[Process]")
pid = os.getpid()
print("os.getpid()={}".format(pid))
print("os.getppid()={}".format(os.getppid()))
if sys_type() == "Unix":
print("os.getpgid({})={}".format(pid, os.getpgid(pid)))
print("os.getpgrp()={}".format(os.getpgrp()))
print("os.getpriority(os.PRIO_PROCESS, 0)={}".format(
os.getpriority(os.PRIO_PROCESS, 0)))
print("os.getpriority(os.PRIO_PGRP, 0)={}".format(
os.getpriority(os.PRIO_PGRP, 0)))
print("os.getpriority(os.PRIO_USER, 0)={}".format(
os.getpriority(os.PRIO_USER, 0)))
print()
def ottieniValori():
# https://docs.python.org/3.3/library/os.html
userLogin = os.getlogin()
userLogin = pwd.getpwuid(os.getuid())[0]
uid = os.getuid() # current process’s user id
ruid, euid, suid = os.getresuid() # real, effective, and saved user ids
rgid, egid, sgid = os.getresgid() # real, effective, and saved group ids.
def run(self):
"""Run Forest, RUN!"""
exitcode = 0
utils.ensure_directory(os.path.dirname(conf.pidfile),
conf.process_username, conf.process_groupname)
try:
try:
(ruid, euid, suid) = os.getresuid()
(rgid, egid, sgid) = os.getresgid()
except AttributeError, errmsg:
ruid = os.getuid()
rgid = os.getgid()
if ruid == 0:
# Means we can setreuid() / setregid() / setgroups()
if rgid == 0:
# Get group entry details
try:
(group_name, group_password, group_gid,
group_members) = grp.getgrnam(conf.process_groupname)
except KeyError:
print >> sys.stderr, _("Group %s does not exist") % (
conf.process_groupname)
sys.exit(1)
# Set real and effective group if not the same as current.
if not group_gid == rgid:
log.debug(
_("Switching real and effective group id to %d") %
(group_gid),
level=8)
os.setregid(group_gid, group_gid)
if ruid == 0:
# Means we haven't switched yet.
try:
(user_name, user_password, user_uid, user_gid,
user_gecos, user_homedir,
user_shell) = pwd.getpwnam(conf.process_username)
except KeyError:
print >> sys.stderr, _("User %s does not exist") % (
conf.process_username)
sys.exit(1)
# Set real and effective user if not the same as current.
if not user_uid == ruid:
log.debug(
_("Switching real and effective user id to %d") %
(user_uid),
level=8)
os.setreuid(user_uid, user_uid)
def SwitchRoot():
(ruid, euid, suid) = os.getresuid()
if suid == 0:
os.setuid(0)
os.setgid(0)
else:
raise Exception("Cannot switch on root user")
def __init__(self, *args, **kw):
if kw.has_key("name"):
name = kw["name"]
elif len(args) == 1:
name = args[0]
else:
name = "bonnie"
logging.Logger.__init__(self, name)
plaintextformatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
if not self.fork:
self.console_stdout = logging.StreamHandler(sys.stdout)
self.console_stdout.setFormatter(plaintextformatter)
self.addHandler(self.console_stdout)
if kw.has_key("logfile"):
self.logfile = kw["logfile"]
elif self.logfile is None:
self.logfile = "/var/log/bonnie/bonnie.log"
self.setLevel(self.loglevel)
# Make sure (read: attempt to change) the permissions
try:
(ruid, euid, suid) = os.getresuid()
(rgid, egid, sgid) = os.getresgid()
except AttributeError, errmsg:
ruid = os.getuid()
rgid = os.getgid()
def initialize(config, LOG: Log):
""" Setup the user cache."""
(_x, euid, _y) = os.getresuid()
config['uftpd.effective_uid'] = euid
if euid == 0:
LOG.info(
"Running privileged, will launch sessions as the current user.")
config['uftpd.switch_uid'] = True
else:
LOG.info("Running unprivileged")
config['uftpd.switch_uid'] = False
if config.get('uftpd.enforce_os_gids', True):
LOG.info(
"Groups of the user will be limited to those available for the "
"Xlogin in the operating system.")
else:
LOG.info("UFTPD will be free to assign any groups for the Xlogin "
"regardless of the operating system settings.")
cache_ttl = config.get('uftpd.userCacheTtl', 600)
use_id = config.get('uftpd.use_id_to_resolve_gids', False)
if use_id:
LOG.info("Groups will be resolved via 'id -G <username>'")
user_cache = UserCache.UserCache(cache_ttl, LOG, use_id)
config['uftpd.user_cache'] = user_cache
def __init__(self, *args, **kw):
if kw.has_key('name'):
name = kw['name']
elif len(args) == 1:
name = args[0]
else:
name = 'pykolab'
logging.Logger.__init__(self, name)
plaintextformatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
if not self.fork:
self.console_stdout = logging.StreamHandler(sys.stdout)
self.console_stdout.setFormatter(plaintextformatter)
self.addHandler(self.console_stdout)
if kw.has_key('logfile'):
self.logfile = kw['logfile']
else:
self.logfile = '/var/log/kolab/pykolab.log'
# Make sure (read: attempt to change) the permissions
try:
(ruid, euid, suid) = os.getresuid()
(rgid, egid, sgid) = os.getresgid()
except AttributeError, errmsg:
ruid = os.getuid()
rgid = os.getgid()
def _make_passphrase(length=None, save=False, file=None):
"""Create a passphrase and write it to a file that only the user can read.
This is not very secure, and should not be relied upon for actual key
passphrases.
:param int length: The length in bytes of the string to generate.
:param file file: The file to save the generated passphrase in. If not
given, defaults to 'passphrase-<the real user id>-<seconds since
epoch>' in the top-level directory.
"""
if not length:
length = 40
passphrase = _make_random_string(length)
if save:
ruid, euid, suid = os.getresuid()
gid = os.getgid()
now = mktime(gmtime())
if not file:
filename = str('passphrase-%s-%s' % uid, now)
file = os.path.join(_repo, filename)
with open(file, 'a') as fh:
fh.write(passphrase)
fh.flush()
fh.close()
os.chmod(file, 0600)
os.chown(file, ruid, gid)
log.warn("Generated passphrase saved to %s" % file)
return passphrase
def test_getresuid(self):
def f():
a, b, c = os.getresuid()
return a + b * 37 + c * 1291
res = self.interpret(f, [])
a, b, c = os.getresuid()
assert res == a + b * 37 + c * 1291
def test_getresuid(self):
def f():
a, b, c = os.getresuid()
return a + b * 37 + c * 1291
res = self.interpret(f, [])
a, b, c = os.getresuid()
assert res == a + b * 37 + c * 1291
def printUser(USER):
realUID, eUID, savedUID = os.getresuid() # get current user
if isinstance(USER, int):
user = pwd.getpwuid(USER)
else:
user = pwd.getpwnam(USER) # get RunAS user data
data = """
current realUID : {}
current eUID : {}
current savedUID : {}
pw_name : {}
pw_passwd : {}
pw_gecos : {}
pw_uid : {}
pw_gid : {}
pw_dir : {}
pw_shell : {}
""".format(
realUID,
eUID,
savedUID,
user.pw_name,
user.pw_passwd,
user.pw_gecos,
user.pw_uid,
user.pw_gid,
user.pw_dir,
user.pw_shell,
)
return data
def possible() -> bool:
"""Evaluates if the privileges elevation is possible by doing a
RES{U,G}ID flip over."""
resuid = os.getresuid()
resgid = os.getresgid()
return ((resuid[2], resgid[2]) == (0, 0) and resuid[0] != 0
and resuid[1] != 0 and resgid[0] != 0 and resgid[0] != 0)
def initialize(config, LOG):
""" Store initial values for UID/GID, and setup the user cache."""
(_, euid, _) = os.getresuid()
(_, egid, _) = os.getresgid()
# store effective uid/gid, we'll switch back to these after every action
config['tsi.effective_uid'] = euid
config['tsi.effective_gid'] = egid
if euid == 0:
LOG.info("Running privileged [%s : %s], will execute "
"commands as the Xlogin" % (euid, egid))
config['tsi.switch_uid'] = True
else:
LOG.info("Running unprivileged")
config['tsi.switch_uid'] = False
if config['tsi.enforce_os_gids']:
LOG.info(
"Groups of the user will be limited to those available for the "
"Xlogin in the operating system.")
else:
LOG.info("XNJS will be free to assign any groups for the Xlogin "
"regardless of the operating system settings.")
cache_ttl = config.get('tsi.userCacheTtl', 600)
use_id = config['tsi.use_id_to_resolve_gids']
if use_id:
LOG.info("Groups will be resolved via 'id -G <username>")
user_cache = UserCache.UserCache(cache_ttl, LOG, use_id)
config['tsi.user_cache'] = user_cache
def __exit__(self, exc_type: Optional[Type[BaseException]],
exc_value: Optional[BaseException],
traceback: Optional[TracebackType]) -> None:
os.umask(self.current_mask)
unprivileged_uid = os.getresuid()[2] # retrieve saved-set-UID
unprivileged_gid = os.getresgid()[2] # retrieve saved-set-GID
os.setresuid(unprivileged_uid, unprivileged_uid, 0)
os.setresgid(unprivileged_gid, unprivileged_gid, 0)
def get_bitcoind(self):
for pid in psutil.get_pid_list():
# match process name
if (psutil.Process(pid).name == self.bitcoind_command[0]):
# match process real uid against this scripts ruid
if (os.getresuid()[0] == psutil.Process(pid).uids[0]):
return psutil.Process(pid)
return False
def user(user_name):
db.engine.dispose()
uid = pwd.getpwnam(user_name).pw_uid
os.seteuid(uid)
yield user_name
db.engine.dispose()
ruid, euid, suid = os.getresuid()
os.seteuid(suid)
def get_bitcoind(self):
for pid in psutil.get_pid_list():
# match process name
if (psutil.Process(pid).name == self.bitcoind_command[0]):
# match process real uid against this scripts ruid
if (os.getresuid()[0] == psutil.Process(pid).uids[0]):
return psutil.Process(pid)
return False
def getresuid(space):
""" getresuid() -> (ruid, euid, suid)
Get tuple of the current process's real, effective, and saved user ids.
"""
try:
(ruid, euid, suid) = os.getresuid()
except OSError, e:
raise wrap_oserror(space, e)
def test_uids() -> None:
proc = pypsutil.Process()
if hasattr(os, "getresuid"):
assert proc.uids() == os.getresuid() # pylint: disable=no-member
else:
ruid, euid, _ = proc.uids()
assert ruid == os.getuid()
assert euid == os.geteuid()
def ensure_directory(_dir, _user='******', _group='root'):
if not os.path.isdir(_dir):
os.makedirs(_dir)
try:
try:
(ruid, euid, suid) = os.getresuid()
(rgid, egid, sgid) = os.getresgid()
except AttributeError, errmsg:
ruid = os.getuid()
rgid = os.getgid()
if ruid == 0:
# Means we can setreuid() / setregid() / setgroups()
if rgid == 0:
# Get group entry details
try:
(
group_name,
group_password,
group_gid,
group_members
) = grp.getgrnam(_group)
except KeyError:
print >> sys.stderr, _("Group %s does not exist") % (
_group
)
sys.exit(1)
# Set real and effective group if not the same as current.
if not group_gid == rgid:
os.chown(_dir, -1, group_gid)
if ruid == 0:
# Means we haven't switched yet.
try:
(
user_name,
user_password,
user_uid,
user_gid,
user_gecos,
user_homedir,
user_shell
) = pwd.getpwnam(_user)
except KeyError:
print >> sys.stderr, _("User %s does not exist") % (_user)
sys.exit(1)
# Set real and effective user if not the same as current.
if not user_uid == ruid:
os.chown(_dir, user_uid, -1)
def getresuid(space):
""" getresuid() -> (ruid, euid, suid)
Get tuple of the current process's real, effective, and saved user ids.
"""
try:
(ruid, euid, suid) = os.getresuid()
except OSError, e:
raise wrap_oserror(space, e)
def as_effective_user_from_path(path):
stat = os.stat(path)
os.setegid(stat.st_gid)
os.seteuid(stat.st_uid)
try:
yield
finally:
os.seteuid(os.getresuid()[0])
os.setegid(os.getresgid()[0])
def restore_user_group(self):
try:
(ruid, euid, suid) = os.getresuid()
(rgid, egid, sgid) = os.getresgid()
os.setresuid(suid, suid, suid)
os.setresgid(sgid, sgid, sgid)
except Exception, e:
log.error("Error: %s" % e)
exit(1)
def __init__(self, restore_to_root, saveenv):
self.u = os.getresuid()
self.g = os.getresgid()
self.groups = os.getgroups()
self.to_root = restore_to_root
if saveenv:
self.env = {k: os.getenv(k, None) for k in ("LOGNAME", "USER", "USERNAME", "HOME")}
else:
self.env = {}
def is_superuser():
""" Tests if a user has superuser privileges"""
if sys.version > "2.7":
for uid in os.getresuid():
if uid == 0:
return True
else:
if os.getuid() == 0 or os.getegid() == 0:
return True
return False
def _checked_setresuid(self, ruid, euid, suid):
os.setresuid(ruid, euid, suid)
if os.getresuid() != (ruid, euid, suid):
try:
raise SystemExit('PANIC: setresuid failed')
except SystemExit as e:
# Print stack trace
logger.exception(e)
# Force exit
exit(1)
def dump_process_info():
ruid, euid, suid = os.getresuid()
logging.info('User IDs:')
logging.info('\tReal: %d', ruid)
logging.info('\tEffective: %d', euid)
logging.info('\tSaved: %d', suid)
rgid, egid, sgid = os.getresgid()
logging.info('Group IDs:')
logging.info('\tReal: %d', rgid)
logging.info('\tEffective: %d', egid)
logging.info('\tSaved: %d', sgid)
def test_uids(self):
p = psutil.Process(os.getpid())
real, effective, saved = p.uids
# os.getuid() refers to "real" uid
self.assertEqual(real, os.getuid())
# os.geteuid() refers to "effective" uid
self.assertEqual(effective, os.geteuid())
# no such thing as os.getsuid() ("saved" uid), but starting
# from python 2.7 we have os.getresuid()[2]
if hasattr(os, "getresuid"):
self.assertEqual(saved, os.getresuid()[2])
def test_uids(self):
p = psutil.Process(os.getpid())
real, effective, saved = p.uids
# os.getuid() refers to "real" uid
self.assertEqual(real, os.getuid())
# os.geteuid() refers to "effective" uid
self.assertEqual(effective, os.geteuid())
# no such thing as os.getsuid() ("saved" uid), but starting
# from python 2.7 we have os.getresuid()[2]
if hasattr(os, "getresuid"):
self.assertEqual(saved, os.getresuid()[2])
def as_critic_system_user():
saved_cwd = os.getcwd()
os.chdir(tempfile.gettempdir())
os.setegid(installation.system.gid)
os.seteuid(installation.system.uid)
try:
yield
finally:
os.seteuid(os.getresuid()[0])
os.setegid(os.getresgid()[0])
os.chdir(saved_cwd)
def regain_privileges_save():
"""Recover our real UID/GID after calling drop_privileges_save."""
assert _dropped_privileges is not None and _dropped_privileges > 0
# We need to call os.setresuid and os.setresgid twice to avoid
# permission issues when calling os.setgroups (see LP: #646827).
_, euid, _ = os.getresuid()
_, egid, _ = os.getresgid()
os.setresuid(0, 0, 0)
os.setresgid(0, 0, 0)
os.setgroups([])
os.setresgid(-1, egid, -1)
os.setresuid(-1, euid, -1)
def test_setfsuid_failure() -> None:
bad_uid = max(os.getresuid()) + 1
orig_state = False
if pyprctl.cap_effective.setuid:
pyprctl.cap_effective.setuid = False
orig_state = True
with pytest.raises(PermissionError):
pyprctl.setfsuid(bad_uid)
pyprctl.cap_effective.setuid = orig_state
def get_token(username):
#print("[get_token] UID: ", os.getresuid(), "GID: ", os.getresgid())
if os.getresuid()[0] != 0: # If not root
return None
db = zoodb.cred_setup()
if not db:
return None
cred = db.query(zoodb.Cred).get(username)
if cred:
return cred.token
else:
return None
def check_res_ids():
ruid, euid, suid = os.getresuid()
if not ruid == euid == suid:
raise QuickenError(
f"real uid ({ruid}), effective uid ({euid}), and saved uid ({suid})"
" must be the same")
rgid, egid, sgid = os.getresgid()
if not rgid == egid == sgid:
raise QuickenError(
f"real gid ({rgid}), effective gid ({egid}), and saved gid ({sgid})"
" must be the same")
def drop_privileges(self):
try:
try:
(ruid, euid, suid) = os.getresuid()
(rgid, egid, sgid) = os.getresgid()
except AttributeError, errmsg:
ruid = os.getuid()
rgid = os.getgid()
if ruid == 0:
# Means we can setreuid() / setregid() / setgroups()
if rgid == 0:
# Get group entry details
try:
(
group_name,
group_password,
group_gid,
group_members
) = grp.getgrnam(conf.process_groupname)
except KeyError:
print >> sys.stderr, "Group %s does not exist" % (conf.process_groupname)
sys.exit(1)
# Set real and effective group if not the same as current.
if not group_gid == rgid:
log.debug("Switching real and effective group id to %d" % (group_gid), level=8)
os.setregid(group_gid, group_gid)
if ruid == 0:
# Means we haven't switched yet.
try:
(
user_name,
user_password,
user_uid,
user_gid,
user_gecos,
user_homedir,
user_shell
) = pwd.getpwnam(conf.process_username)
except KeyError:
print >> sys.stderr, "User %s does not exist" % (conf.process_username)
sys.exit(1)
# Set real and effective user if not the same as current.
if not user_uid == ruid:
log.debug("Switching real and effective user id to %d" % (user_uid), level=8)
os.setreuid(user_uid, user_uid)
def __init__(self, is_suid, via_sudo, signal_mode=None, uids=None, gids=None, groups=None, user_pwent=None):
self.is_suid = is_suid
self.suid_via_sudo = via_sudo
self.signal_mode = signal_mode
self.uid, self.euid, self.suid = uids if uids is not None else os.getresuid()
self.gid, self.egid, self.sgid = gids if gids is not None else os.getresgid()
self.groups = groups if groups is not None else os.getgroups()
self.user_pwent = user_pwent if user_pwent is not None else pwd.getpwuid(self.uid)
self.root_pwent = pwd.getpwuid(self.euid)
assert (self.user_pwent.pw_uid == self.uid)
assert (self.root_pwent.pw_uid == self.euid)
return
def as_critic_system_user():
if installation.is_quick_start:
yield
return
saved_cwd = os.getcwd()
os.chdir(tempfile.gettempdir())
os.setegid(installation.system.gid)
os.seteuid(installation.system.uid)
try:
yield
finally:
os.seteuid(os.getresuid()[0])
os.setegid(os.getresgid()[0])
os.chdir(saved_cwd)
def soft_info(req):
if not wapp.start(req, '__soft-info', '__soft-info', acclvl='ADMIN'):
return wapp.error_page()
tmpl_data = wapp.tmpl_data()
tmpl_data['version'] = wapp.version
tmpl_data['settings'] = wapp.conf.export()
tmpl_data['django_version'] = django.get_version()
tmpl_data['python_version'] = '{}.{}.{}'.format(sys.version_info.major, sys.version_info.minor, sys.version_info.micro)
tmpl_data['mysql_server_version'] = wapp.db.server_version()
tmpl_data['mysql_server_charset'] = wapp.db.server_charset()
tmpl_data['mysql_conn_version'] = wapp.db.conn_version()
tmpl_data['os_user_uid'] = os.getresuid()
tmpl_data['os_user_gid'] = os.getresgid()
tmpl_data['uwsgi_version'] = req.META.get('uwsgi.version', None)
return render(req, 'soft-info.html', wapp.end(tmpl_data))
def setUID_OK(gv, userName=None, uid=None, exitOnError=False):
global TAByel, TABerr, TAB
logger = gv.LN.logger.setLogger(gv, package=__name__)
calledBy = gv.LN.sys.calledBy
logger.info('entered - [called by:%s]' % (calledBy(1)))
TAByel = gv.LN.cYELLOW + ' '*8
TABerr = gv.LN.cERROR + ' '*8
TAB = gv.LN.cGREEN + ' '*8
ruid, euid, suid = os.getresuid() # real, effective, and saved user ids
# ------------------------------
# - catturiamo lo UID
# ------------------------------
if userName != None:
reqUID = pwd.getpwnam(userName).pw_uid
elif uid != None:
reqUID = uid
else:
reqUID = ruid # preleva il REAL-UID
# reqUID = suid # preleva il SAVED-UID
logger.info('')
msg = 'Requested setUID for username:[{}:{}]'.format(pwd.getpwuid(reqUID).pw_name, reqUID)
logger.info(TAB + msg)
msg = 'currUser:[{}:{}] ruid:{} euid:{} suid:{} '.format(pwd.getpwuid(os.getuid()).pw_name, os.geteuid(), ruid, euid, suid)
logger.info(TAB + msg)
# --------------------------------------------
# - Se il current euid!=0 non possiamo
# - fare il setUID per un altro user
# - Switch temporaneo su root per permetterlo
# ---------------------------------------------
rCode = 0
if euid != 0 and euid != reqUID:
rCode = processSetUid(gv, 0, exitOnError)
if rCode == 0:
rCode = processSetUid(gv, reqUID, exitOnError)
return rCode
def chOwn(gv, fileName, user_group=None, UID=-1, GID=-1):
logger = gv.LN.logger.setLogger(gv, package=__name__)
TAByel = gv.LN.cYELLOW + ' '*8
TABerr = gv.LN.cERROR + ' '*8
if user_group:
if user_group == '-:-': return 0
userName, groupName = user_group.split(':')
stat = os.stat(fileName)
UID = pwd.getpwnam(userName).pw_uid
GID = grp.getgrnam(groupName).gr_gid
msg = "Before1 {} - chown {} {} {}".format(os.geteuid(), fileName, UID, GID)
# print (msg)
realUID, eUID, savedUID = os.getresuid() # SAVE dello user corrente
# msg = "Before2 {} - chown {} {} {}".format(os.geteuid(), fileName, UID, GID)
# print (msg)
rCode = 1
errMsg = ''
try:
'''
savedUID = os.geteuid() # SAVE dello user corrente
os.seteuid(os.getuid()) # impostiamo il REAL_USER
os.chown(fileName, UID, GID) # mantenere l'ordine GID-UID
os.seteuid(savedUID) # ripristiniamo lo user
'''
os.seteuid(realUID) # impostiamo il REAL_USER
os.chown(fileName, UID, GID) # mantenere l'ordine GID-UID
print('OK')
rCode = 0
except PermissionError as why:
errMsg = "chown: - Permission Error {}".format(str(why))
print(TABerr + errMsg)
except:
errMsg = "Unexpected ERROR: {}".format(msg, str(sys.exc_info()[0]))
print(TABerr + errMsg)
# finally:
# print('ERR3', rCode)
os.seteuid(savedUID) # ripristiniamo lo user
return rCode
def get_current_os_user():
"""
Find the real user who runs the current process. Return a tuple of uid, username, homedir.
:rtype: (int, str, str, int)
"""
user_name = os.getenv('SUDO_USER')
if not user_name:
user_name = os.getenv('USER')
if user_name:
pw = getpwnam(user_name)
user_uid = pw.pw_uid
else:
# If cannot find the user, use ruid instead.
user_uid = os.getresuid()[0]
pw = getpwuid(user_uid)
user_name = pw.pw_name
user_gid = pw.pw_gid
user_home = pw.pw_dir
return user_uid, user_name, user_home, user_gid
def _find_agent(cls):
"""Discover if a gpg-agent process for the current euid is running.
If there is a matching gpg-agent process, set a :class:`psutil.Process`
instance containing the gpg-agent process' information to
:attr:`GPG._agent_proc`.
:returns: True if there exists a gpg-agent process running under the
same effective user ID as that of this program. Otherwise,
returns None.
"""
identity = os.getresuid()
for proc in psutil.process_iter():
if (proc.name == "gpg-agent") and proc.is_running:
log.debug("Found gpg-agent process with pid %d" % proc.pid)
if proc.uids == identity:
log.debug("Effective UIDs of this process and gpg-agent match")
setattr(cls, "_agent_proc", proc)
return True
def demote(user_uid, user_gid):
realUID, eUID, savedUID = os.getresuid() # SAVE dello user corrente
report_ids("Before run [{}]".format(pwd.getpwuid(eUID)))
report_ids("executing setUID with user [{}]".format(pwd.getpwuid(realUID)))
# -------------------------------------------------------------
# Set user to realUID (qello del login) per fare il setUID
# Il tutto dovrebbe rimanere nello scope del processo perch*
# sotto la funzione che segue.
# -------------------------------------------------------------
def result():
report_ids("STARTING demotion[{}]".format(pwd.getpwuid(eUID)))
os.seteuid(realUID) # Per abilitare a dare il comando
os.setgid(user_gid)
os.setuid(user_uid)
report_ids("FINISHED demotion[{}]".format(pwd.getpwuid(eUID)))
report_ids("After run [{}]".format(pwd.getpwuid(eUID)))
return result
def set_user_group(self, user, group, real=False):
try:
(ruid, euid, suid) = os.getresuid()
(rgid, egid, sgid) = os.getresgid()
if group:
gid = grp.getgrnam(group)
egid = gid.gr_gid
if real:
os.setresgid(egid, egid,rgid)
else:
os.setresgid(rgid, egid, rgid)
if user:
uid = pwd.getpwnam(user)
euid = uid.pw_uid
if real:
os.setresuid(euid, euid, ruid)
else:
os.setresuid(ruid, euid, ruid)
except Exception, e:
log.error("Error: %s" % e)
exit(1)
def SwitchRoot():
if os.getresuid().suid == 0:
os.setuid(0)
os.setgid(0)
def test_os_setresuid(self):
os = self.posix
a, b, c = os.getresuid()
os.setresuid(a, b, c)
def test_os_getresuid(self):
os = self.posix
res = os.getresuid()
assert len(res) == 3
def __init__(self, *args, **kw):
if kw.has_key('name'):
name = kw['name']
elif len(args) == 1:
name = args[0]
else:
name = 'pykolab'
logging.Logger.__init__(self, name)
plaintextformatter = logging.Formatter("%(asctime)s %(name)s %(levelname)s %(message)s")
if not self.fork:
self.console_stdout = logging.StreamHandler(sys.stdout)
self.console_stdout.setFormatter(plaintextformatter)
self.addHandler(self.console_stdout)
if kw.has_key('logfile'):
self.logfile = kw['logfile']
else:
self.logfile = '/var/log/kolab/pykolab.log'
group_gid = 0
user_uid = 0
# Make sure (read: attempt to change) the permissions
try:
try:
(ruid, euid, suid) = os.getresuid()
(rgid, egid, sgid) = os.getresgid()
except AttributeError, errmsg:
ruid = os.getuid()
rgid = os.getgid()
if ruid == 0:
# Means we can setreuid() / setregid() / setgroups()
if rgid == 0:
# Get group entry details
try:
(
group_name,
group_password,
group_gid,
group_members
) = grp.getgrnam(self.process_groupname)
except KeyError, errmsg:
group_name = False
if ruid == 0:
# Means we haven't switched yet.
try:
(
user_name,
user_password,
user_uid,
user_gid,
user_gecos,
user_homedir,
user_shell
) = pwd.getpwnam(self.process_username)
except KeyError, errmsg:
user_name = False
def run(self):
"""Run Forest, RUN!"""
exitcode = 0
utils.ensure_directory(
os.path.dirname(conf.pidfile),
conf.process_username,
conf.process_groupname
)
try:
try:
(ruid, euid, suid) = os.getresuid()
(rgid, egid, sgid) = os.getresgid()
except AttributeError, errmsg:
ruid = os.getuid()
rgid = os.getgid()
if ruid == 0:
# Means we can setreuid() / setregid() / setgroups()
if rgid == 0:
# Get group entry details
try:
(
group_name,
group_password,
group_gid,
group_members
) = grp.getgrnam(conf.process_groupname)
except KeyError:
print >> sys.stderr, _("Group %s does not exist") % (
conf.process_groupname
)
sys.exit(1)
# Set real and effective group if not the same as current.
if not group_gid == rgid:
log.debug(
_("Switching real and effective group id to %d") % (
group_gid
),
level=8
)
os.setregid(group_gid, group_gid)
if ruid == 0:
# Means we haven't switched yet.
try:
(
user_name,
user_password,
user_uid,
user_gid,
user_gecos,
user_homedir,
user_shell
) = pwd.getpwnam(conf.process_username)
except KeyError:
print >> sys.stderr, _("User %s does not exist") % (
conf.process_username
)
sys.exit(1)
# Set real and effective user if not the same as current.
if not user_uid == ruid:
log.debug(
_("Switching real and effective user id to %d") % (
user_uid
),
level=8
)
os.setreuid(user_uid, user_uid)
def is_root(self):
# surprisingly, even when running under sudo we have all 3 set to 0
r, e, s = os.getresuid()
is_root = r==0 and e==0 and s==0
return is_root
import os, pwd, grp
#Throws OSError exception (it will be thrown when the process is not allowed
#to switch its effective UID or GID):
def drop_privileges():
if os.getuid() != 0:
# We're not root so, like, whatever dude
return
# Get the uid/gid from the name
user_name = os.getenv("SUDO_USER")
pwnam = pwd.getpwnam(user_name)
# Remove group privileges
os.setgroups([])
# Try setting the new uid/gid
os.setgid(pwnam.pw_gid)
os.setuid(pwnam.pw_uid)
# Ensure a very conservative umask
old_umask = os.umask(0o22)
#Test by running...
#./drop_privileges
#sudo ./drop_privileges
if __name__ == '__main__':
print(os.getresuid())
drop_privileges()
print(os.getresuid())
def _logOpen(cmd_name):
log.log_open("tsadm"+__RUN_MODE+"cli")
log.inf("start: ", cmd_name)
log.inf("user: ", os.getresuid(), os.getresgid())
