1 changed files with 8 additions and 22 deletions
mm.py
mm.py
|
@ -277,32 +277,18 @@ class Modem:
|
||||||
pw_record = pwd.getpwnam(RUN_AS)
|
pw_record = pwd.getpwnam(RUN_AS)
|
||||||
uid, gid = pw_record.pw_uid, pw_record.pw_gid
|
uid, gid = pw_record.pw_uid, pw_record.pw_gid
|
||||||
def demote():
|
def demote():
|
||||||
PR_SET_NO_NEW_PRIVS = 38
|
PR_SET_NO_NEW_PRIVS = 38
|
||||||
PR_CAP_AMBIENT = 47
|
PR_CAP_AMBIENT = 47
|
||||||
PR_CAP_AMBIENT_CLEAR_ALL = 4
|
PR_CAP_AMBIENT_CLEAR_ALL = 4
|
||||||
PR_GET_SECUREBITS = 27
|
PR_GET_SECUREBITS = 27
|
||||||
PR_SET_SECUREBITS = 28
|
PR_SET_SECUREBITS = 28
|
||||||
libc = ctypes.CDLL('/usr/lib/libc.so.6')
|
libc = ctypes.CDLL('libc.so.6')
|
||||||
assert libc.prctl(
|
libc.prctl.restype = ctypes.c_int
|
||||||
ctypes.c_int(PR_SET_NO_NEW_PRIVS),
|
assert libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0
|
||||||
ctypes.c_int(1),
|
assert libc.prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) == 0
|
||||||
ctypes.c_int(0),
|
assert libc.prctl(PR_SET_SECUREBITS, 0x2f) == 0
|
||||||
ctypes.c_int(0),
|
# SECBIT_KEEP_CAPS_LOCKED | SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED | SECBIT_NOROOT | SECBIT_NOROOT_LOCKED
|
||||||
ctypes.c_int(0)
|
assert libc.prctl(PR_GET_SECUREBITS) == 0x2f
|
||||||
) == 0
|
|
||||||
assert libc.prctl(
|
|
||||||
ctypes.c_int(PR_CAP_AMBIENT),
|
|
||||||
ctypes.c_int(PR_CAP_AMBIENT_CLEAR_ALL),
|
|
||||||
ctypes.c_int(0),
|
|
||||||
ctypes.c_int(0),
|
|
||||||
ctypes.c_int(0)
|
|
||||||
) == 0
|
|
||||||
libc.prctl(
|
|
||||||
PR_SET_SECUREBITS,
|
|
||||||
ctypes.c_int(0x2f) # SECBIT_KEEP_CAPS_LOCKED | SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED | SECBIT_NOROOT | SECBIT_NOROOT_LOCKED
|
|
||||||
)
|
|
||||||
assert libc.prctl(ctypes.c_int(PR_GET_SECUREBITS)) == 0x2f
|
|
||||||
|
|
||||||
os.setgroups([])
|
os.setgroups([])
|
||||||
os.setresgid(gid, gid, gid)
|
os.setresgid(gid, gid, gid)
|
||||||
os.setresuid(uid, uid, uid)
|
os.setresuid(uid, uid, uid)
|
||||||
|
|
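Review bot: The hardening steps in the new body of demote are still wrapped in `assert` (the PR_SET_NO_NEW_PRIVS, PR_CAP_AMBIENT, PR_SET_SECUREBITS and PR_GET_SECUREBITS lines), so running under `python -O` strips the statements together with their prctl() call expressions: no_new_privs, the ambient-capability clear and the securebits are then never applied, while the setgroups/setresgid/setresuid calls below still run and the caller sees a "successful" demotion. Replace each assert with an explicit check that raises, e.g. `if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0: raise OSError(ctypes.get_errno(), "prctl(PR_SET_NO_NEW_PRIVS) failed")`, and load libc with `ctypes.CDLL('libc.so.6', use_errno=True)` so the reported errno is meaningful instead of a bare AssertionError. A small local helper keeps the four calls readable; the rewritten lines are sketched below. The enclosing class Modem and the start of the surrounding method are outside the hunk.
```python
libc = ctypes.CDLL('libc.so.6', use_errno=True)
libc.prctl.restype = ctypes.c_int

def _prctl(*args):
    # Explicit raise rather than assert: assert is removed under -O,
    # which would silently skip the hardening below.
    if libc.prctl(*args) != 0:
        err = ctypes.get_errno()
        raise OSError(err, "prctl%r failed: %s" % (args, os.strerror(err)))

_prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
_prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)
# SECBIT_KEEP_CAPS_LOCKED | SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED | SECBIT_NOROOT | SECBIT_NOROOT_LOCKED
_prctl(PR_SET_SECUREBITS, 0x2f)
if libc.prctl(PR_GET_SECUREBITS) != 0x2f:
    raise RuntimeError("securebits were not applied")
# … unchanged: os.setgroups / os.setresgid / os.setresuid …
```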