privileges::drop(3pm) [debian man page]
Privileges::Drop(3pm) User Contributed Perl Documentation Privileges::Drop(3pm) NAME
Privileges::Drop - A module to make it simple to drop all privileges, even POSIX groups. DESCRIPTION
This module tries to simplify the process of dropping privileges. This can be useful when your Perl program needs to bind to privileged ports, etc. This module is much like Proc::UID, except that it's implemented in pure Perl. Special care has been taken to also drop saved uid on platforms that support this, currently only test on on Linux. SYNOPSIS
use Privileges::Drop; # Do privileged stuff # Drops privileges and sets euid/uid to 1000 and egid/gid to 1000. drop_uidgid(1000, 1000); # Drop privileges to user nobody looking up gid and uid with getpwname # This also set the environment variables USER, LOGNAME, HOME and SHELL. drop_privileges('nobody'); METHODS
drop_uidgid($uid, $gid, @groups) Drops privileges and sets euid/uid to $uid and egid/gid to $gid. Supplementary groups can be set in @groups. drop_privileges($user) Drops privileges to the $user, looking up gid and uid with getpwname and calling drop_uidgid() with these arguments. The environment variables USER, LOGNAME, HOME and SHELL are also set to the values returned by getpwname. Returns the $uid and $gid on success and dies on error. NOTE: If drop_privileges() is called when you don't have root privileges it will just return undef; NOTES
As this module only uses Perl's built-in functions, it relies on them to work correctly. That means setting $GID and $EGID should also call setgroups(), something that might not have been the case before Perl 5.004. So if you are running an older version, Proc::UID might be a better choice. AUTHOR
Troels Liebe Bentsen <tlb@rapanden.dk> COPYRIGHT
Copyright(C) 2007-2009 Troels Liebe Bentsen This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself. perl v5.14.2 2012-03-10 Privileges::Drop(3pm)
Check Out this Related Man Page
setuid(2) System Calls setuid(2) NAME
setuid, setegid, seteuid, setgid - set user and group IDs SYNOPSIS
#include <sys/types.h> #include <unistd.h> int setuid(uid_t uid); int setgid(gid_t gid); int seteuid(uid_t euid); int setegid(gid_t egid); DESCRIPTION
The setuid() function sets the real user ID, effective user ID, and saved user ID of the calling process. The setgid() function sets the real group ID, effective group ID, and saved group ID of the calling process. The setegid() and seteuid() functions set the effective group and user IDs respectively for the calling process. See intro(2) for more information on real, effective, and saved user and group IDs. At login time, the real user ID, effective user ID, and saved user ID of the login process are set to the login ID of the user responsible for the creation of the process. The same is true for the real, effective, and saved group IDs; they are set to the group ID of the user responsible for the creation of the process. When a process calls one of the exec(2) family of functions to execute a file (program), the user and/or group identifiers associated with the process can change. If the file executed is a set-user-ID file, the effective and saved user IDs of the process are set to the owner of the file executed. If the file executed is a set-group-ID file, the effective and saved group IDs of the process are set to the group of the file executed. If the file executed is not a set-user-ID or set-group-ID file, the effective user ID, saved user ID, effective group ID, and saved group ID are not changed. If the {PRIV_PROC_SETID} privilege is asserted in the effective set of the process calling setuid(), the real, effective, and saved user IDs are set to the uid argument. If the uid argument is 0 and none of the saved, effective or real UID is 0, additional restrictions apply. See privileges(5). If the {PRIV_PROC_SETID} privilege is not asserted in the effective set, but uid is either the real user ID or the saved user ID of the calling process, the effective user ID is set to uid. If the {PRIV_PROC_SETID} privilege is asserted in the effective set of the process calling setgid(), the real, effective, and saved group IDs are set to the gid argument. If the {PRIV_PROC_SETID} privilege is not asserted in the effective set, but gid is either the real group ID or the saved group ID of the calling process, the effective group ID is set to gid. RETURN VALUES
Upon successful completion, 0 is returned. Otherwise, -1 is returned and errno is set to indicate the error. ERRORS
The setuid() and setgid() functions will fail if: EINVAL The value of uid or gid is out of range. EPERM For setuid() and seteuid(), the {PRIV_PROC_SETID} privilege is not asserted in the effective set of the calling process and the uid argument does not match either the real or saved user IDs, or an attempt is made to change to UID 0 and none of the existing UIDs is 0, in which case additional privileges are required. For setgid() and setegid(), the {PRIV_PROC_SETID} privilege is not asserted in the effective set and the gid argument does not match either the real or saved group IDs. ATTRIBUTES
See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Interface Stability |Standard | +-----------------------------+-----------------------------+ |MT-Level |Async-Signal-Safe | +-----------------------------+-----------------------------+ SEE ALSO
intro(2), exec(2), getgroups(2), getuid(2), stat.h(3HEAD), attributes(5), privileges(5), standards(5) SunOS 5.10 20 Jan 2003 setuid(2)