How do I sudo the current process?


Question

Is it possible to use a sudo frontend (like gksudo) to elevate the privileges of the current process? I know I can do the following:

sudo cat /etc/passwd-

But I'm interested in this:

sudo-become-root # magic function/command
cat /etc/passwd-

I'm writing in Python. My use case is that I have a program that runs as the user, but may encounter files to read/write that are root-owned. I'd like to prompt for password, gain root privileges, do what I need, and then optionally drop privileges again.

I know I could separate admin logic and non-admin logic into separate processes, and then just run the admin process as root (with some communication -- policykit/dbus would be a good fit here). But I was hoping for a much simpler (though admittedly more risky) solution.

I'm thinking something like running Solaris's ppriv through sudo to then modify the current process's privileges. Which seems like a hacky-but-workable roundtrip. But as far as I know, Linux doesn't offer ppriv.

(I'm surprised this isn't obvious already; it seems like a not-uncommon thing to want and doesn't seem to be a security hole to allow escalation in-process over escalation of a new process.)

Recommended answer

Unfortunately, I'm not aware of a way to do what you want to do cleanly. I think your best bet is to make the program setuid (or run it under sudo) and then either do your dirty work and drop permissions, or fork() and drop permissions from one process and keep the other one around to do your root work.

What you're looking for are the setuid(2) / setreuid(2) / setregid(2) / setgroups(2) calls, but they are all hard wired to not allow you to gain privileges mid-invocation. You can only use them to "give away" privileges, as far as I know.
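
The fork-and-drop pattern from the answer above, as an added Python example (not part of the original question or answer). It assumes the program was started as root, for example under sudo; the function names and the `nobody` id 65534 are illustrative assumptions.

```python
import json
import os

NOBODY_UID = NOBODY_GID = 65534  # assumption: conventional "nobody" ids on Linux

def can_regain_root():
    """True if this process can still become root via setuid(0)."""
    try:
        os.setuid(0)
    except OSError:        # EPERM for an unprivileged caller
        return False
    return os.geteuid() == 0

def drop_privileges(uid, gid):
    """Permanently give up root. Order matters: groups, then gid, then uid."""
    os.setgroups([])       # clear supplementary groups while still root
    os.setgid(gid)         # must come before setuid(); afterwards it is refused
    os.setuid(uid)         # as root this sets the real, effective and saved uid
    if can_regain_root():  # verify the drop is one-way
        raise RuntimeError("privilege drop did not stick")

def run_unprivileged(work, uid=NOBODY_UID, gid=NOBODY_GID):
    """Fork; the child drops root (if it has it), runs work(), reports as JSON.

    The parent keeps whatever privileges it started with and can go on
    doing the root-only work. work() must return JSON-serialisable data.
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                          # child: the unprivileged worker
        os.close(rfd)
        report = {"error": None, "result": None}
        try:
            if os.geteuid() == 0:
                drop_privileges(uid, gid)
            report["result"] = work()
        except Exception as exc:          # fail closed: no work() if the drop failed
            report["error"] = repr(exc)
        try:
            report.update(euid=os.geteuid(), regain_root=can_regain_root())
            os.write(wfd, json.dumps(report).encode())
        finally:
            os._exit(0)                   # never fall back into the parent's code
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe:
        data = pipe.read()
    os.waitpid(pid, 0)
    return json.loads(data)

if __name__ == "__main__":
    print(run_unprivileged(lambda: os.access("/etc/passwd-", os.R_OK)))
```

Started without root, the child has nothing to drop and simply reports that `setuid(0)` is refused, which is the one-way behaviour the answer describes.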
