macron0 has asked for the wisdom of the Perl Monks concerning the following question:

Hello,

Is it at all possible to change the uid of a different process?

I know I can change the user id and group id of the Perl script I run using Perl's special variables, but how to change it for another process?

My script will run as root and it should change the user id of another running process from time to time.

Thanks for your help

Re: How to change the userid of a running external process
by MidLifeXis (Monsignor) on Jul 21, 2010 at 13:32 UTC

    I believe that changing the uid of a different process can only happen with some deep kernel voodoo. The way it is typically done (via su / sudo) is such:

    1. root process forks
    2. root process drops privileges
    3. now non-root process fork/execs to the new process

    If the process is trusted, it may only do steps 1 and 2, and possibly retake privileges later.

    See the $<, $>, $(, and $) variables in perlvar.

    Update: added links

    Update 2: This is not an endeavor to be taken lightly. Test for success on everything involving dropping your privileges. Understand the implications of what you are attempting to do. Root escalations have occurred because assumptions made by an application were violated.

    --MidLifeXis
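
The fork / drop privileges / exec sequence listed in the reply above, with each privilege change tested for success, as an added example that is not part of the original thread. The target account `nobody` and the command `id` are assumed defaults, and the script has to be started as root.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Assumptions: target account "nobody" and command "id" unless given in @ARGV.
my $user = shift(@ARGV) // 'nobody';
my @cmd  = @ARGV ? @ARGV : ('id');

die "must be started as root\n" unless $> == 0;
my ($uid, $gid) = (getpwnam($user))[2, 3];
die "unknown user $user\n" unless defined $uid;
die "refusing to 'drop' to uid 0\n" if $uid == 0;

# Step 1: the root process forks; only the child gives up root.
defined(my $pid = fork()) or die "fork: $!\n";

if ($pid == 0) {
    # Step 2: drop groups first; once the uid is gone the kernel
    # no longer allows the group changes.
    $! = 0;
    $) = "$gid $gid";            # effective gid plus supplementary list
    die "setting groups: $!\n" if $!;
    POSIX::setgid($gid) or die "setgid: $!\n";
    # As root, setuid() replaces real, effective and saved uid, so there
    # is no saved root uid left to switch back to.
    POSIX::setuid($uid) or die "setuid: $!\n";

    # Test for success instead of assuming it.
    die "uid not dropped\n" unless $< == $uid && $> == $uid;
    my $rgids = $(;
    my $egids = $);
    die "gid not dropped\n" if grep { $_ != $gid } split ' ', "$rgids $egids";
    die "root can be regained\n" if POSIX::setuid(0);

    # Step 3: the now non-root process execs the new program.
    exec { $cmd[0] } @cmd or die "exec $cmd[0]: $!\n";
}

# Parent (still root) waits and reports how the child ended.
waitpid($pid, 0);
printf "child %d exited with status %d\n", $pid, $? >> 8;
```

Assigning `$<` and `$>` one at a time can leave the saved uid at 0, which is why the example uses `POSIX::setuid` and then checks that switching back to root fails.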

      You describe a way for a root-process to fork a *NEW* process with a different effective UID.

      But the question was a bit weirder (if I understand it correctly), namely whether it is possible to change the id of a RUNNING process.

      And I believe the answer to that is no - at least not with normal syscalls and certainly not with Perl.

Re: How to change the userid of a running external process
by talexb (Chancellor) on Jul 21, 2010 at 15:07 UTC

    This sounds like an XY problem to me. What are you trying to do?

    Alex / talexb / Toronto

    "Groklaw is the open-source mentality applied to legal research" ~ Linus Torvalds

      Hello Monks,

      Thank you for your replies.

      What I am trying to do is change an Apache child to the user and group ids that match the vhost when a request comes in.

      I managed to do this in mod_perl, but the problem is that once changed to a certain userid you cannot go back (which makes sense), and Apache had to run as root, which is also a bit....

      So the only option is to only use the child once and let it die or (and I haven't figured out how to do this) remember which userid a child has and once a next request comes in reuse this child. But this seems impossible in Apache since the connection gets passed to a child and only afterwards it gets decided which vhost it should handle.

      So I thought it would be nice if I could have a child signal a process running as root and have that process change the child's id and, when the child signals it's finished, change it back.

      In the responses I got so far it seems this is rather impossible or causes very much overhead.

      But if anyone has a good suggestion for this it would be appreciated.

      Regards

      Hans

        What I am trying to do is change an Apache child to the user and group ids that match the vhost when a request comes in.

        Why do you think you need to do that?

        Search the Apache documentation for suexec if you need to run code under a different user ID. Also think about using static FastCGI servers: They can run under any user ID you like, and if they crash, they don't kill the entire webserver.

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re: How to change the userid of a running external process
by roboticus (Chancellor) on Jul 21, 2010 at 15:00 UTC

    macron0:

    If you can do it, it's a security problem. Hence, I expect that the OS is going to make it as difficult as possible.

    Gee, I can't read file XYZ because it's owned by fred. OK, I'll make a file reader owned by fred to read it! Huzzah!

    ...roboticus