Throughout this node I will refer to Unix UIDs. However, everything said also applies to Unix GIDs.

Introduction

My current project is finding ways to improve Perl's handling of Unix privileges. Those of you on the p5p list will have recently seen some discussion from me in this regard.

Unix privileges are a difficult and often inconsistent area to work with. How privileges are handled and manipulated can change between operating systems, between releases of the same operating system, and depending upon the privileges of the user trying to manipulate privileges.

A good discussion on the tangle of Unix privileges can be found in Setuid Demystified by Chen, Wagner and Dean.

Current Issues

Perl's current handling of Unix privileges is presently incomplete for modern day Unix systems, and one of my goals is to make it complete. The most notable issues that currently exist are:

Proposed Solution - Proc::UID

In order to provide a consistent, portable, and easy-to-understand interface to the Unix UID tangle, I've started work on Proc::UID. This module is based upon the following design goals:

The first goal (make available all Unix UIDs) involves coding the appropriate hooks for each Unix flavoured system. This work is not yet complete, but will occur as I arrange access to documentation and testing facilities for each operating system concerned.

The second goal (easy to understand) is achieved by providing a non-cached, variable based interface providing the variables $RUID, $EUID and $SUID, for real, effective, and saved UIDs respectively. Reading a variable retrieves the current UID value, and setting a variable attempts to change that UID (and only that UID) with the operating system.

The second goal is also served by presenting an equivalent functional interface with get[res]uid() and set[res]uid(). Again, these manipulate only a single UID at a time.

Finally, Proc::UID presents a preferred interface based upon the recommendations of Chen, Wagner and Dean. It provides three functions that allow for the most commonly executed logical UID manipulations:

drop_uid_temp($new_uid)
Temporarily drops privileges to $new_uid. This has the effect of setting the effective UID to $new_uid, and the saved UID to the previous effective UID.
drop_uid_perm($new_uid)
Permanently drops privileges to $new_uid by setting the real, effective, and saved UIDs to $new_uid.
restore_uid()
Restore privileges previously dropped using drop_uid_temp(). This is done by setting the effective UID to the saved UID.

The third goal, making it difficult for mistakes to happen, is served by having all code that attempts to change privileges check that the change succeeded. Any operation that is intended to permanently drop privileges will also test to ensure they cannot be regained. All the logical operations test to ensure that the expected goal state is obtained.

Any failure to achieve the expected results described above will result in an exception being thrown. This makes it difficult for a careless program to continue to operate after it has failed to successfully manipulate its privileges, and potentially perform undesirable operations.

The Request

I would appreciate feedback on the Proc::UID module, which I have released on CPAN for testing and review. Questions, comments, notifications of glaring holes, better ways to do things, existing wheels, or any other feedback is appreciated.

Many thanks,


In reply to Request for comments - Proc::UID by pjf
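
The three logical operations described in the post (drop_uid_temp, drop_uid_perm, restore_uid), written in C over getresuid()/setresuid() as an added example; this is not Proc::UID's code and not part of the original post. It assumes a system that provides setresuid() (Linux, for instance); the helper uids_are() and the KEEP macro are names made up here, and a failed or unverified change is reported as -1 where the module is described as throwing an exception.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* glibc: expose getresuid()/setresuid() */
#endif
#include <sys/types.h>
#include <unistd.h>

/* Repeated so the block still compiles if <unistd.h> was included earlier
 * without _GNU_SOURCE in effect. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

#define KEEP ((uid_t)-1)   /* setresuid(): leave this UID unchanged */

/* 1 if the kernel reports exactly this (real, effective, saved) triple. */
static int uids_are(uid_t r, uid_t e, uid_t s) {
    uid_t cr, ce, cs;
    return getresuid(&cr, &ce, &cs) == 0 && cr == r && ce == e && cs == s;
}

/* effective := new_uid, saved := previous effective. 0 on success. */
int drop_uid_temp(uid_t new_uid) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    if (setresuid(KEEP, new_uid, e) != 0) return -1;
    return uids_are(r, new_uid, e) ? 0 : -1;
}

/* effective := saved, undoing drop_uid_temp(). 0 on success. */
int restore_uid(void) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    if (setresuid(KEEP, s, KEEP) != 0) return -1;
    return uids_are(r, s, s) ? 0 : -1;
}

/* real, effective, saved := new_uid, then prove no old UID can be regained. */
int drop_uid_perm(uid_t new_uid) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    uid_t old[3] = { r, e, s };
    if (setresuid(new_uid, new_uid, new_uid) != 0) return -1;
    if (!uids_are(new_uid, new_uid, new_uid)) return -1;
    /* UID 0 can always switch back, so the regain probe only means
     * something when the target is unprivileged. */
    for (int i = 0; new_uid != 0 && i < 3; i++)
        if (old[i] != new_uid && setresuid(KEEP, old[i], KEEP) == 0)
            return -1;   /* privileges came back: the drop did not hold */
    return uids_are(new_uid, new_uid, new_uid) ? 0 : -1;
}
```

A caller should treat any -1 as fatal and exit rather than continue, since the process may then be holding UIDs it did not intend to keep.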
