[Techtalk] dropping group memberships/privileges
Riccarda Cassini
riccarda.cassini at gmx.de
Mon Oct 18 20:51:49 EST 2004

Hi everyone,

I'm trying to drop all of my group memberships except for my primary
group. Reason is, I'd like to test-run some code written by myself in
my client's production environment... (last time I did this, I created
a bit of a mess, and, although my new script works beautifully in my
local test environment, I'm just a little panic-stricken, now... :-)

Basically, the problem is, with my normal group privileges, I could
overwrite/delete many existing files, which I'm definitely supposed to
keep my fingers off. In other words, I want to safeguard myself
against potential flaws in my own programming - and I thought it would
be a good idea to let the OS do it...

Searching for a command that would allow me to drop groups, I dimly
remembered that there is a command "setgroups" on some unixes (which I
verified to exist at least for AIX 5.1), but there doesn't seem to be
anything comparable on Linux - or I wasn't able to find what it's
called... newgrp(1) only allows me to change my primary group, leaving
the list of supplementary groups as is, and setgroups(2) seems to be
available as a system call interface only, on Linux...

Okay, I thought, why not just write it myself, in perl. So, after
having read the docs (the respective section in "perldoc perlvar", in
particular), I tried

    my $gid = $)+0;      # my primary group
    $) = "$gid $gid";    # drop all supplementary groups
    print "running as GIDs: $)\n";
    system "my potentially dangerous command here...";

which doesn't work - though I thought it should... ;-)
The 'print $)' is still printing the complete list of groups.

It does work, though, if I run the following similar piece of code as
root:

    my $gid = (getpwnam('ricci'))[3];
    $) = "$gid $gid";
    print "$)\n";

which seems to confirm my suspicion, that there's nothing wrong with
this code in principle, it's only that I'm not allowed to do this as a
normal user. (BTW, I checked that the string assigned to $) is the
same in both cases...)

To summarise, my question is: is there any way to get rid of groups
if you don't have root privileges (which I do not have on the remote
site...)? Or are there any better ways to achieve the same effect,
i.e. is this simply the wrong approach, altogether? Actually, I can't
see any security issues with dropping my own privileges - but I might
be overlooking something...

Riccarda $:-)
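
Added example in C, not part of the original post: assigning a list to $) in Perl ends up in setgroups(2), which on Linux succeeds only for a process holding CAP_SETGID (normally root), so an unprivileged caller gets EPERM and keeps its groups. The sketch below attempts the drop, re-reads the list to verify it, and refuses to continue if the drop did not happen; the struct and function names are illustrative.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() in <grp.h> */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

struct drop_result {
    int err;           /* 0 on success, else errno from setgroups() */
    int before;        /* supplementary group count before the call */
    int after;         /* supplementary group count after the call */
    int only_primary;  /* 1 if the list is now exactly { egid } */
};

/* Try to shrink the supplementary group list to the effective GID alone,
 * then re-read the list rather than trusting the return value. */
struct drop_result drop_supplementary_groups(void)
{
    struct drop_result r = {0, 0, 0, 0};
    gid_t keep = getegid();
    gid_t now;

    r.before = getgroups(0, NULL);      /* size 0: only return the count */
    if (setgroups(1, &keep) != 0)
        r.err = errno;                  /* EPERM without CAP_SETGID */
    r.after = getgroups(0, NULL);
    if (r.after == 1 && getgroups(1, &now) == 1 && now == keep)
        r.only_primary = 1;
    return r;
}

int main(void)
{
    struct drop_result r = drop_supplementary_groups();

    printf("supplementary groups before: %d, after: %d\n", r.before, r.after);
    if (r.err != 0 || !r.only_primary) {
        /* Fail closed: never run the risky command with the old groups. */
        fprintf(stderr, "groups not dropped (%s), refusing to continue\n",
                r.err ? strerror(r.err) : "list not reduced");
        return 1;
    }
    /* Only at this point would the risky command be exec'd. */
    return 0;
}
```

Run as an ordinary user, this reports the EPERM failure and exits non-zero; the first Perl snippet above does not check for that failure and goes on to run the command.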