challenging problem for changing to a dedicated non-privileged user within a script.

Krishnakant

Hello all,
This is a real challenge and I don't know if a solution even exists for
this or not.

I am writing an application which I run as my usual user on Ubuntu.
The username is let's say kk and it has sudo permission (meaning the
user is in the sudoers list).

Now when I do python myscript.py, the script has to change to another
non-privileged user for some tasks.
Let's say for example switch to the postgres user which is dedicated for
postgres and has no other privileges.

I have tried doing os.setuid(112) where 112 could be the uid of the user
I want the script to switch over.

But I got operation not permitted.

I tried using subprocess but that did not help me either. I tried sudo
su into the Popen command but it throws me into the terminal (shell)
with postgres as the user.

But that's not my desired result.
What I exactly want is that the script now continues to execute under
postgres user till the end.

I don't know how to achieve this effect.

In fact I will need this during a serious deployment because I would have
my application run as a daemon as a dedicated user.

I am finding some code for daemonising a python application but don't
know how to tell the script to change user.

happy hacking.
Krishnakant.
 
Piet van Oostrum

Krishnakant said:
K> Hello all,
K> This is a real challenge and I don't know if a solution even exists for
K> this or not.
K> I am writing an application which I run as my usual user on Ubuntu.
K> The username is let's say kk and it has sudo permission (meaning the
K> user is in the sudoers list).

K> Now when I do python myscript.py, the script has to change to another
K> non-privileged user for some tasks.
K> Let's say for example switch to the postgres user which is dedicated for
K> postgres and has no other privileges.
K> I have tried doing os.setuid(112) where 112 could be the uid of the user
K> I want the script to switch over.
K> But I got operation not permitted.

Being a sudoer is not a privilege to issue the os.setuid system call. It
is only a permission to use the sudo command.

K> I tried using subprocess but that did not help me either. I tried sudo
K> su into the Popen command but it throws me into the terminal (shell)
K> with postgres as the user.

You could execute the command:
sudo -u postgres required_command
with subprocess.

You have another problem then: your password must be supplied unless the
NOPASSWD flag is set in the sudoers file.

K> But that's not my desired result.
K> What I exactly want is that the script now continues to execute under
K> postgres user till the end.

I don't think that's possible if you start as the user kk.

K> I don't know how to achieve this effect.
K> In fact I will need this during a serious deployment because I would have
K> my application run as a daemon as a dedicated user.
 
Krishnakant

> Being a sudoer is not a privilege to issue the os.setuid system call. It
> is only a permission to use the sudo command.

Yes, So I would like to know if python can change the user to some other
non-privileged user during the script execution?

> You could execute the command:
> sudo -u postgres required_command
> with subprocess.

Ok, but the problem is much more complex.
What if I want to do the following.
1. change the user for a particular script to the postgres user.
2. now execute the python code for connecting to the postgresql
database.
In the second point I actually want to execute python code not shell
level command so will the sudo -u in the subprocess.Popen change the
user in the script?
In short I would just like to have the script run under another user
let's say postgres as long as a certain action is going on, for example
connecting to the postgresql database.

> You have another problem then: your password must be supplied unless the
> NOPASSWD flag is set in the sudoers file.

That is clear, the only problem is that I want the script to run as
postgres user although it was started by the user kk.


happy hacking.
Krishnakant.
 
paul

Krishnakant said:
> Yes, So I would like to know if python can change the user to some other
> non-privileged user during the script execution?

If the user running python program is allowed to call setuid() then yes.

> Ok, but the problem is much more complex.

No.

> What if I want to do the following.
> 1. change the user for a particular script to the postgres user.

Did you try running "sudo -u postgres blabla" with subprocess?

> 2. now execute the python code for connecting to the postgresql
> database.
> In the second point I actually want to execute python code not shell
> level command so will the sudo -u in the subprocess.Popen change the
> user in the script?

No, as the name "subprocess" suggests you are spawning a new process
which gets another uid through sudo. This does not affect the parent
process.

hth
Paul
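
Added example (not code from any poster in this thread): the one situation in which the setuid() call discussed above succeeds is a process started as root, such as a daemon launched by the init system, that then drops permanently to its dedicated account. The function name, the exception class and the `_os` parameter are assumptions made for illustration.

```python
import os
import pwd
import sys


class PrivilegeError(Exception):
    """Raised when the process cannot safely change identity."""


def drop_privileges(uid, gid, _os=os):
    """Permanently switch this process to uid/gid; only root may do so.

    _os is a hypothetical injection seam so the call order can be checked
    without being root; normal callers leave it as the os module.
    """
    if _os.geteuid() != 0:
        # This is the "Operation not permitted" case from the thread:
        # sudoers membership does not grant the setuid() system call.
        raise PrivilegeError("euid %d is not root" % _os.geteuid())
    if uid == 0 or gid == 0:
        raise PrivilegeError("target must be a non-root uid and gid")
    # Order matters: once setuid() succeeds the process may no longer
    # change its groups, so groups are fixed first and the uid last.
    _os.setgroups([])
    _os.setgid(gid)
    _os.setuid(uid)
    # Verify that the drop is irreversible before doing any real work.
    try:
        _os.setuid(0)
    except OSError:
        return _os.getuid(), _os.getgid()
    raise PrivilegeError("root could be regained after the drop")


if __name__ == "__main__":
    # Usage (as root): python3 thisfile.py postgres
    account = pwd.getpwnam(sys.argv[1] if len(sys.argv) > 1 else "nobody")
    try:
        ids = drop_privileges(account.pw_uid, account.pw_gid)
        print("now running as uid/gid", ids)
    except PrivilegeError as exc:
        sys.exit("cannot switch user: %s" % exc)
```

Run as the ordinary user kk, this exits with the PrivilegeError message instead of changing identity.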
 
Piet van Oostrum

Krishnakant said:
K> Yes, So I would like to know if python can change the user to some other
K> non-privileged user during the script execution?

As I said you can't (unless you are root). It would be a security leak if
an arbitrary user could suddenly run as another user. Sudo is the escape
mechanism but it runs commands, and is not for changing the uid in the
middle of a process.

K> Ok, but the problem is much more complex.
K> What if I want to do the following.
K> 1. change the user for a particular script to the postgres user.
K> 2. now execute the python code for connecting to the postgresql
K> database.
K> In the second point I actually want to execute python code not shell
K> level command so will the sudo -u in the subprocess.Popen change the
K> user in the script?

You can run another python script as the other user (or even the same
python script). You said you tried subprocess. If that is acceptable
then running another python script should also be acceptable, because it
is basically the same.

K> In short I would just like to have the script run under another user
K> let's say postgres as long as a certain action is going on, for example
K> connecting to the postgresql database.

Why would you have to be another user for connecting to a postgres
database? The DBMS takes care of the permissions at the DB level.

Otherwise you would have to do the DB access in another script. The
script could even communicate with the original script, e.g. by pipes or
some protocol like XMLRPC.
 
Krishnakant

> If the user running python program is allowed to call setuid() then yes.

No, I don't think I can do that. I am getting operation not permitted.

Anyways I think probably subprocess will have to sort it out.

> Did you try running "sudo -u postgres blabla" with subprocess?

Yes, but still not got the intended result which is now obvious.

> No, as the name "subprocess" suggests you are spawning a new process
> which gets another uid through sudo. This does not affect the parent
> process.

Ok then here is the work-around which I am thinking to try. Please tell
me if it is correct.
I will let that subprocess start python in the background and execute the
connecting code to postgresql including importing the pygresql library.
Then I will create the connection and cursor objects in that subprocess.
But my concern is, will the connection object in the child process
(subprocess) be available to the parent process?


happy hacking.
Krishnakant.
 
paul

Krishnakant said:
> No, I don't think I can do that. I am getting operation not permitted.
>
> Anyways I think probably subprocess will have to sort it out.

> Yes, but still not got the intended result which is now obvious.

Why is that obvious? Works for me:

---- test.py ---------
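#!/usr/bin/python

from subprocess import Popen, PIPE

# Run whoami.sh as user vboxadd through sudo and capture its output as text
cmd = Popen('sudo -u vboxadd /home/pkoelle/Documents/whoami.sh',
            shell=True, stdout=PIPE, stderr=PIPE, universal_newlines=True)
# communicate() reads both pipes to the end and waits for the child to exit
out, err = cmd.communicate()
print("OUT: " + out)
print("ERR: " + err)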

---- whoami.sh -----
#!/bin/bash
echo $UID
logger "whoami script called for $UID"

Of course, you need to adapt path and user values to your situation. The
user you use in your 'sudo -u <user>...' call needs execute permissions
for whoami.sh. The relevant entry in /etc/sudoers:

pkoelle ALL=NOPASSWD: /home/pkoelle/Documents/whoami.sh

hth
Paul

PS: This has absolutely nothing to do with "connecting to postgresql". A
"postgres user" is not a "system user" (Piet already asked the right
questions here ;)
 
Piet van Oostrum

Krishnakant said:
K> No, I don't think I can do that. I am getting operation not permitted.
K> Anyways I think probably subprocess will have to sort it out.
K> Ok then here is the work-around which I am thinking to try. Please tell
K> me if it is correct.
K> I will let that subprocess start python in the background and execute the
K> connecting code to postgresql including importing the pygresql library.
K> Then I will create the connection and cursor objects in that subprocess.
K> But my concern is, will the connection object in the child process
K> (subprocess) be available to the parent process?

No. However it is still not clear why you want to run under the postgres
user id. Why can't the original process do the postgres connection?

If that is really impossible, then you might start the new process with
sudo and let it do a socket tunnelling to postgres, i.e. make a
connection to the postgres server and a socket connection to the
original Python script, and copy everything from one socket to the other
- in both directions. However this can also be done with a ssh tunnel
which might be simpler.
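
Added example (not code from any poster in this thread): the "other script that communicates by pipes" suggested earlier, which also shows why the child's connection object never reaches the parent: only serialised requests and replies cross the process boundary. The op names, the `WorkerClient` class and the `run_as` parameter are assumptions; with `run_as` set, the target account must be able to read this file and sudoers must allow the command without a password.

```python
import json
import os
import subprocess
import sys


def worker():
    """Child side: answer one JSON request per line on stdin/stdout."""
    for line in sys.stdin:
        request = json.loads(line)
        if request["op"] == "whoami":
            reply = {"uid": os.getuid(), "pid": os.getpid()}
        elif request["op"] == "echo":
            # Stand-in for the real work: run the query here, return rows.
            reply = {"rows": request["args"]}
        else:
            reply = {"error": "unknown op %r" % request["op"]}
        print(json.dumps(reply), flush=True)


class WorkerClient:
    """Parent side: holds only pipes to the child, never its objects."""

    def __init__(self, run_as=None):
        # Re-run this same file in worker mode, optionally through sudo.
        cmd = [sys.executable, os.path.abspath(__file__), "--worker"]
        if run_as:
            # -n makes sudo fail instead of prompting for a password.
            cmd = ["sudo", "-n", "-u", run_as] + cmd
        self.proc = subprocess.Popen(cmd, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, universal_newlines=True)

    def call(self, op, *args):
        print(json.dumps({"op": op, "args": list(args)}), file=self.proc.stdin, flush=True)
        return json.loads(self.proc.stdout.readline())

    def close(self):
        self.proc.stdin.close()  # EOF ends the worker's read loop
        return self.proc.wait()


if __name__ == "__main__":
    if "--worker" in sys.argv:
        worker()
    else:
        client = WorkerClient(run_as=None)  # e.g. run_as="postgres"
        print(client.call("whoami"), client.call("echo", 1, "a"))
        client.close()
```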
 
