SPUG: Understanding RUID EUID and modules (fwd)

Yitzchak Scott-Thoennes sthoenna at efn.org
Wed May 16 13:20:34 PDT 2007


On Wed, May 16, 2007 12:16 pm, John Costello wrote:
> I'm puzzling over how Perl handles changes to $< and $> when run as root.
>
> What I'm trying to do:  Drop privileges to a non-root user, do some
> things, return to root privileges.  There may be better ways to do all
> this, but I'm more interested in why Perl behaves the way it does.

There's code you could copy and paste to do the
dropped-privileges code in a child process in
http://perldoc.perl.org/perlsec.html.

> print "RUID $< and EUID $>\n";
> $< = $> = 8000;
> print "RUID now $< and EUID now $>\n";
> $< = $> = 0;
> print "RUID set to $< and EUID set to $>\n";
>
> I get
>
> RUID 0 and EUID 0
> RUID now 8000 and EUID now 8000
> RUID set to 8000 and EUID set to 8000
>
> which is what I expect.
>
> If I dump
>
> $< = $> = 8000;
>
> into a module that I call from the main script, so that I now have this
> script
>
> print "RUID $< and EUID $>\n";
> $results = local::SetPerms->changed_ruid_euid();
> print "RUID now $< and EUID now $>\n";
> $< = $> = 0;
> print "RUID set to $< and EUID set to $>\n";
>
> I get
>
> RUID 0 and EUID 0
> RUID now 8000 and EUID now 8000
> RUID set to 0 and EUID set to 0
>
> which I didn't expect, because I don't know what is going on under the
> hood.
>
> So, do modules have their own $< and $>, copied from the main script?

No.

> Are modules run as separate processes?

No.

I suspect you reversed the order of the variables in your module.
At least, that's the only way I can duplicate your results.
Switching back to root seems to be allowed only if you change
ruid first when dropping privileges and last when raising them.

> Where would be a good spot to start
> reading (Programming Perl?)?

perlvar and some perlsec.  Your set*id man pages.

If you really want to know what's happening at the guts level, strace/truss,
or look at the source code: Perl_magic_set(), case '>' and case '<', in
http://public.activestate.com/pub/apc/perl-5.8.x/mg.c.
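
The ordering effect described in the reply can be traced with a small model of the real, effective and saved set-user-ID (an added example, not code from this thread or from the Perl source). It assumes the Linux setreuid(2) and seteuid(2) rules and a perl build in which `$<` maps to setreuid(ruid, -1) and `$>` to seteuid(euid); the struct and function names are hypothetical.

```c
#include <stdio.h>

/* Modelled user IDs of one process: real, effective, saved set-user-ID. */
struct cred { int r, e, s; };

/* seteuid(2) model: a process with euid 0 may pick any ID; any other
 * process may pick only its real, effective or saved ID. */
static int model_seteuid(struct cred *c, int euid) {
    if (c->e != 0 && euid != c->r && euid != c->e && euid != c->s)
        return -1;                /* EPERM */
    c->e = euid;                  /* saved ID is not touched */
    return 0;
}

/* setreuid(ruid, -1) model, assumed to be what Perl's "$< = ruid" calls. */
static int model_setruid(struct cred *c, int ruid) {
    if (c->e != 0 && ruid != c->r && ruid != c->e)
        return -1;                /* EPERM */
    c->r = ruid;
    c->s = c->e;                  /* real ID was set: saved := effective */
    return 0;
}

/* Start as root and drop to uid, real ID first or effective ID first. */
struct cred drop(int uid, int ruid_first) {
    struct cred c = {0, 0, 0};
    if (ruid_first) { model_setruid(&c, uid); model_seteuid(&c, uid); }
    else            { model_seteuid(&c, uid); model_setruid(&c, uid); }
    return c;
}

/* Returns 1 if the dropped process can get euid 0 back, else 0. */
int can_regain_root(struct cred c) {
    return model_seteuid(&c, 0) == 0;
}

int main(void) {
    for (int first = 1; first >= 0; first--) {
        struct cred c = drop(8000, first);
        printf("%s first: ruid=%d euid=%d saved=%d regain_root=%d\n",
               first ? "ruid" : "euid", c.r, c.e, c.s, can_regain_root(c));
    }
    return 0;
}
```

Perl's assignment is right-associative, so `$< = $> = 8000` sets `$>` first and corresponds to the euid-first case. A drop that leaves the saved set-user-ID at 0 is only temporary, so a drop meant as a security boundary should be followed by a check that setting the effective UID back to 0 fails.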
