On leden 20th, 2015, 8:48 odp. CET, Miloslav Trmac wrote:

src/rolekit/async.py (Diff revision 1)
def input_handler(unused_fd, condition, unused_data):
		294	def demote(user_uid, user_gid):

AFAICS calling the demote() function is superfluous and, to me,  confusing; we only need to pass the set_ids callable.

On leden 21st, 2015, 4:21 odp. CET, Stephen Gallagher wrote:

I actually looked up how to do this in several places and all the examples I could find insisted that it had to be done this way or else the calling application would also be affected by the permission drop. I'm choosing to trust them.

On leden 21st, 2015, 5:35 odp. CET, Miloslav Trmac wrote:

Testing disagrees:



import os, subprocess
def set_ids(): os.setregid(1,1); os.setreuid(1,1)
 ... 
p = subprocess.Popen(['/bin/id', '-a'], preexec_fn = set_ids)
 uid=1(bin) gid=1(bin) skupiny=1(bin),0(root) kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
print os.geteuid()
 0
print os.getuid()
 0
print os.getegid()
 0
print os.getgid()
 0




(and this also shows that supplementary groups need to be dropped.  Will raise both separately in the new patch.)

On one more thought…
1) The only way those “several places” make sense to me is that calling set_ids() within the parent process, instead of just referring to its name, would indeed affect the parent; that this is a syntax confusion and the existence of demote allows using preexec_fn = some_function_name_and_parentheses() hiding this syntax confusion.  Just a guess, though.
2) Actually, the middle function might be useful to avoid a circular reference between subprocess_future closure <-> the Popen object .  I’m not actually sure how Python does this (would the “process” variable be a part of the closure?) but using a smaller closure is more obviously refcounting-friendly.  So let’s keep it as it is.

- Miloslav

On leden 21st, 2015, 4:49 odp. CET, Stephen Gallagher wrote:

Allow impersonating a different UID/GID in subprocesses