Updated: 2023-12-05 18:11:58
If it's POSIX you want, then su is your only option (unless you want to write a C program). su has several advantages (or not, depending on your requirements):
Now in practice some systems aren't POSIX — like this older Linux where it fails in user namespaces. Them's the breaks.
If you want something that's reasonably portable in practice (on non-embedded platforms) and that gives you a greater degree of control, use Perl (or Python, a bit less commonly installed). For preference, use a solid module: Privileges::Drop.
perl -e 'use Privileges::Drop; drop_uidgid(123, 456); exec("/path/to/command", "--option", "an argument")'
Privileges::Drop takes care of doing things right (dropping supplemental groups, checking for errors). It might not be complete, however; for example it isn't aware of capabilities.
If you must do it by hand, take care of several things:
$) = "456 456" where 456 is the target GID ($) = 456 would only set the EGID without affecting the supplemental groups).
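The by-hand sequence, sketched in Python (which the answer names as the alternative to Perl), as an added example that is not part of the original answer: supplementary groups first, then GID, then UID, then a check that the drop is complete and irreversible. The names drop_privileges and run_as and the osmod parameter are assumptions of this example; like Privileges::Drop, it does not handle capabilities.

```python
import os


def drop_privileges(uid, gid, osmod=os):
    """Permanently switch to uid/gid and verify that the drop took effect.

    osmod is a hook assumed by this example so the call order can be
    exercised with a stand-in object instead of requiring root.
    """
    # 1. Supplementary groups first. This needs privilege, so it has to
    #    happen before the UID changes; skipping it keeps root's groups.
    osmod.setgroups([gid])
    # 2. GID next, still privileged (sets real, effective and saved GID).
    osmod.setgid(gid)
    # 3. UID last; after this the process can no longer change its groups.
    osmod.setuid(uid)

    # 4. Check the result instead of trusting the calls.
    if (osmod.getuid(), osmod.geteuid()) != (uid, uid):
        raise RuntimeError("UID not fully dropped")
    if (osmod.getgid(), osmod.getegid()) != (gid, gid):
        raise RuntimeError("GID not fully dropped")
    if set(osmod.getgroups()) - {gid}:
        raise RuntimeError("supplementary groups still present")
    # 5. Regaining root must fail, otherwise the drop is reversible.
    if uid != 0:
        try:
            osmod.setuid(0)
        except OSError:
            pass
        else:
            raise RuntimeError("was able to regain UID 0")


def run_as(uid, gid, argv):
    """Drop privileges, then replace this process with argv (no shell)."""
    drop_privileges(uid, gid)
    os.execv(argv[0], argv)


if __name__ == "__main__":
    # Same values as the Perl one-liner above: UID 123, GID 456.
    run_as(123, 456, ["/path/to/command", "--option", "an argument"])
```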