import os
import argparse
import logging
import sys
import pwd
import grp
from configparser import ConfigParser, NoSectionError, NoOptionError
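def drop_privileges(uid_name=None, gid_name=None):
    """Permanently switch the process from root to an unprivileged user/group.

    Args:
        uid_name: account name to run as; ``None`` selects ``'nobody'``.
        gid_name: group name to run as; ``None`` selects the primary group
            of the chosen account.

    Raises:
        SystemExit: exit code 1 when the user, the group, or the account's
            primary group cannot be resolved.
        OSError: (typically ``PermissionError``) from ``os.setgroups`` /
            ``os.setgid`` / ``os.setuid`` when the caller lacks the
            privilege to switch ids.
    """
    if uid_name is None:
        uid_name = 'nobody'
    try:
        wanted_user = pwd.getpwnam(uid_name)
    except KeyError:
        logger.exception(
            'Cannot drop privileges: user "{}" does not exist.'.
            format(uid_name))
        sys.exit(1)
    if gid_name is None:
        # The account's primary gid may have no entry in the group database;
        # report it the same way as an unknown user instead of leaking a
        # bare KeyError to the caller.
        try:
            gid_name = grp.getgrgid(wanted_user.pw_gid).gr_name
        except KeyError:
            logger.exception(
                'Cannot drop privileges: primary group gid {} of user "{}" '
                'does not exist.'.format(wanted_user.pw_gid, uid_name))
            sys.exit(1)
    try:
        wanted_group = grp.getgrnam(gid_name)
    except KeyError:
        logger.exception(
            'Cannot drop privileges: group "{}" does not exist.'.
            format(gid_name))
        sys.exit(1)
    logger.debug('Attempting to drop privileges to "{}:{}"'.
                 format(wanted_user.pw_name, wanted_group.gr_name))
    # setgid()/setuid() leave the supplementary group list untouched, so the
    # groups inherited from root would survive the drop. Clear them while the
    # process still has the privilege to do so.
    os.setgroups([])
    # Group first: once the uid is unprivileged, changing the gid is refused.
    os.setgid(wanted_group.gr_gid)
    os.setuid(wanted_user.pw_uid)
    new_user = pwd.getpwuid(os.getuid())
    new_group = grp.getgrgid(os.getgid())
    logger.info('Privileges dropped, running as "{}:{}"'.
                format(new_user.pw_name, new_group.gr_name))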
if __name__ == "__main__":
    # Environment variables serve as ConfigParser defaults for every section.
    config = ConfigParser(os.environ)
    running_as_root = os.getuid() == 0
    if running_as_root:
        if not args.force:
            logger.critical("Can't start conpot with root. Please ref user docs for more info.")
            sys.exit(3)
        logger.warning('Running conpot with root. Running conpot with root isn\'t recommended. ')

        def _daemon_option(name):
            # [daemon] user/group to switch to; a missing section or key
            # yields None, which drop_privileges() resolves to "nobody" and
            # that account's primary group.
            try:
                return config.get('daemon', name)
            except (NoSectionError, NoOptionError):
                return None

        conpot_user = _daemon_option('user')
        conpot_group = _daemon_option('group')
        # FIXME: drop privs require sudo
        drop_privileges(conpot_user, conpot_group)
解释:
1、pwd模块
pwd模块提供了一个unix密码数据库即/etc/passwd的操作接口,这个数据库包含本地机器用户帐户信息
常用操作如下:
pwd.getpwuid(uid):返回对应uid的用户信息
示例:
>>> pwd.getpwuid(0)
pwd.struct_passwd(pw_name='root', pw_passwd='x', pw_uid=0, pw_gid=0, pw_gecos='root', pw_dir='/root', pw_shell='/bin/bash')
pwd.getpwnam(name):返回对应name的用户信息
示例:
>>> pwd.getpwnam('root')
pwd.struct_passwd(pw_name='root', pw_passwd='x', pw_uid=0, pw_gid=0, pw_gecos='root', pw_dir='/root', pw_shell='/bin/bash')
pwd.getpwall():返回所有的用户信息
示例:
import pwd
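def get_user():
    """Index every local account by both its login name and its numeric uid.

    Returns:
        dict mapping each entry's ``pw_name`` and ``pw_uid`` to its
        ``pwd.struct_passwd``; when two entries share a name or uid, the
        later one wins.
    """
    all_user = {}
    # struct_passwd fields: index 0 is pw_name, index 2 is pw_uid.
    for user in pwd.getpwall():
        all_user[user.pw_name] = all_user[user.pw_uid] = user
    return all_user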
def userinfo(uid):
    """Return the account entry for a login name or numeric uid.

    Raises:
        KeyError: when ``uid`` matches no local account.
    """
    table = get_user()
    return table[uid]
执行结果:
print userinfo(0)
pwd.struct_passwd(pw_name='root', pw_passwd='x', pw_uid=0, pw_gid=0, pw_gecos='root', pw_dir='/root', pw_shell='/bin/bash')
print userinfo('root')
pwd.struct_passwd(pw_name='root', pw_passwd='x', pw_uid=0, pw_gid=0, pw_gecos='root', pw_dir='/root', pw_shell='/bin/bash')
2、grp模块
grp模块提供了一个操作unix用户组即/etc/group数据库的接口
常用操作如下:
grp.getgrgid(gid):返回对应gid的组信息
示例:
>>> print grp.getgrgid(0)
grp.struct_group(gr_name='root', gr_passwd='x', gr_gid=0, gr_mem=[])
grp.getgrnam(name):返回对应name的组信息
示例:
>>> print grp.getgrnam('root')
grp.struct_group(gr_name='root', gr_passwd='x', gr_gid=0, gr_mem=[])
grp.getgrall():返回所有的组信息