[Techtalk] apache switching users to not nobody

Almut Behrens almut_behrens at yahoo.com
Tue Dec 11 13:18:08 EST 2001


On Mon, Dec 10, 2001 at 10:05:43PM -0500, Michelle Murrain wrote:
> At 09:54 PM 12/10/2001, Laurel Fan wrote:
> >[1]. background: a process has both a real user ID and an effective
> >user ID (it also has a saved user ID, but we won't go into that here.)
> >Normally, these are the same, and correspond to the user who started
> >the process.  When running a setuid program (i.e. one that has the
> >setuid bit set in its file permissions), the real user ID is set to
> >the user who started the process, and the effective user ID is set to
> >the user who owns the setuid program.  The process is supposed to act
> >like the effective user; it can open the effective user's files, etc.
> 
> Is there a good tutorial or howto out there on setuid? I've been struggling 
> with this for web perl scripting - and I can't seem to find a good 
> straightforward explanation of how to manipulate this. The camel book 
> doesn't even have one.

Perl has the special global variables $< (real UID), $> (effective UID)
and similarly $( and $) for the GIDs. By assigning to these you can
modify the UID/GID for the current process (if you are allowed to -- you
can change the real UID as root only, of course).

Admittedly, those variable names are a bit cryptic, and even when
trying to take advantage of the mnemonics suggested in the man page,
it's still not trivial to memorize which is which, in particular as
you don't need them every day...  You can of course also "use English;"
and then write $UID / $EUID (or even $REAL_USER_ID / $EFFECTIVE_USER_ID
if you like), but be sure to take a look at the perlvar man page for
the performance side effects involved (in combination with using regular
expression matching functions -- independently of whether you use
$UID etc. in the regex itself).

I don't know of a specific tutorial on set*id stuff, but any good unix
book should include a discussion of the concepts involved. I personally
very much like Richard Stevens' "Advanced Programming in the Unix
Environment". Also, the man pages (from category 2) do contain some
useful details on the low-level set*id functions. 

Cheers,

- Almut
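As an added example (not part of Almut's mail), here is how the $<, $>, $( and $) variables described above are used to drop root privileges permanently to an unprivileged account; the account name "www-data" is an assumption, and the -no_match_vars option to English sidesteps the regex performance penalty the mail refers to.

```perl
#!/usr/bin/perl
# Added example, not from the original mail: permanently drop root
# privileges to an unprivileged account using Perl's $< $> $( $).
# The account name is an assumption; pass your own as first argument.
use strict;
use warnings;
# -no_match_vars avoids the regex slowdown perlvar warns about,
# while still providing $UID, $EUID, $GID and $EGID.
use English qw(-no_match_vars);

sub drop_privileges {
    my ($user) = @_;
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    die "no such user: $user\n" unless defined $uid;

    # Groups first: once we are no longer root we cannot change them.
    # Assigning "egid egid" to $) also replaces the supplementary
    # group list (setgroups), so root's groups are not inherited.
    $EGID = "$gid $gid";
    $GID  = $gid;

    # Effective UID first, then real UID, so the saved UID is
    # overwritten as well and the process cannot return to root.
    $EUID = $uid;
    $UID  = $uid;

    # Verify: $( and $) read back as "gid supplementary...".
    my ($rgid) = split ' ', $GID;
    my ($egid) = split ' ', $EGID;
    die "gid drop failed\n" unless $rgid == $gid && $egid == $gid;
    die "uid drop failed\n" unless $UID == $uid && $EUID == $uid;

    # The assignment silently fails when the saved UID is gone; if it
    # succeeds, privileges were not really dropped, so bail out.
    $EUID = 0;
    die "could regain root, aborting\n" if $EUID == 0;
    return $uid;
}

my $target = shift @ARGV || 'www-data';   # assumed account name
die "must start as root\n" unless $EUID == 0;
drop_privileges($target);
printf "now running as uid %d (euid %d), gid %s\n", $UID, $EUID, $GID;
```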
