Change user on UNIX

Giampaolo Rodola'

Hi all.
Is there any way to su or login as a different user within a python
script? I mainly need to temporarily impersonate another user to
execute a command and then come back to the original user.
I tried to google a little bit about it but I still didn't find a
solution.


Thanks in advance.

--- Giampaolo
http://code.google.com/p/pyftpdlib
 
Bjoern Schliessmann

Giampaolo said:
Is there any way to su or login as a different user within a
python script? I mainly need to temporarily impersonate another
user to execute a command and then come back to the original user.
I tried to google a little bit about it but I still didn't find a
solution.

IMHO, the cleanest way from a security perspective would be using
sudo. root can even configure it in a way that you don't have to
type a password.

Regards,


Björn
 
Jonathan Gardner

Hi all.
Is there any way to su or login as a different user within a python
script? I mainly need to temporarily impersonate another user to
execute a command and then come back to the original user.
I tried to google a little bit about it but I still didn't find a
solution.

In the unix world, this is highly discouraged. You shouldn't have to
change your user. The only user who can change roles---and who should
change roles for security reasons---is root.

The only reason sudo is around is for those people who really are root
but who don't like logging in as root to do root work. With a very
limited permission set for sudo, it is very, very easy to get full
root access.

$ sudo cp /bin/cp /bin/cp.old; sudo cp /bin/su /bin/cp; sudo cp -
#

If you want a different user to access files that another user
created, that's what groups are for. You should create a common group
and then share the files by assigning them to that group and setting
the appropriate permissions. Yes, this is painful, and every once in a
while you get files that don't have the right permissions or the group
is set to the wrong group. But this is the cost of running on a system
where multiple users can be doing things all at once, and the cost of
trying to make sure that users can't hurt each other. Someone
somewhere has to say, "You are allowed to do this much, but no more".

If that's not what you need, then you need to run the process as root.
It can change its user and even chroot to a jail if need be. This is
how apache, for instance, works. It starts as root and spawns the
server processes as the apache user.

(Apache does have an interesting problem with home directories, and it
has a very special solution that is very insecure. Even there, the
better solution is to put all the user's files under a common group in
a common folder outside of their home directories.)
 
Jeffrey Froman

Giampaolo said:
I mainly need to temporarily impersonate another user to
execute a command and then come back to the original user.

If the script is run as root, you can freely impersonate other users with
the os.seteuid() and os.setegid() methods.

If the script is not run as root (either directly or through sudo, as
suggested by other posters), then perhaps it should be.


Jeffrey
 
Jeff Schwab

In the unix world, this is highly discouraged. You shouldn't have to
change your user.
If you want a different user to access files that another user
created, that's what groups are for.

What's your take on setuid scripts (Python or otherwise)? I more or
less agree with your assessment of su, so I would be interested in your
opinion of chmod ug+s some_custom_script.
 
Preston Landers

In the unix world, this is highly discouraged. You shouldn't have to
change your user. The only user who can change roles---and who should
change roles for security reasons---is root.

IMHO this statement is a bit too broad. The original poster didn't
specify that he wanted to become root.

Running a command as a different user is useful for other cases
besides running as root. For instance, your web server's documents
directory may be owned by a www user who doesn't have a normal login
shell. If you're on your 'regular' user and need to edit a document
it's quite handy to do this:

sudo -u www emacs index.html

As for the original poster, you could use the subprocess module
combined with sudo to do what you want - spawn a subprocess which runs
sudo and the other program, which could itself be a python script or
anything else.

regards,
Preston
 
Giampaolo Rodola'

Sorry for replying so late.

I'll try to describe what I'm actually trying to implement so that
maybe it can help you understand a little better.
The application is an asynchronous FTP server implementation.
I decided that it would be desirable to change the current
implementation so that every time a filesystem operation is going to
be made I
temporarily change the current process ID to reflect the current
logged-in user, execute the filesystem call and then switch back to
the original process ID.

Pseudo code:

    def STOR(filename):
        authorizer = UnixAuthorizer()
        authorizer.impersonate_user(current_logged_in_user)
        try:
            f = open(filename, 'w')
        finally:
            authorizer.terminate_impersonation()
        ...

The UnixAuthorizer class is expected to provide the mechanism to
change the current user (presumably via os.setegid()/os.seteuid()) and
then switch back to the original one.
Since we're talking about an asynchronous environment I thought that
temporarily changing the process ID was the only way to do this.
I'm sincerely not skilled enough about the UNIX world to know which
are the security implications behind such an approach.
Do you think it is reasonable?


--- Giampaolo
http://code.google.com/p/pyftpdlib/
 
Tim Roberts

Giampaolo Rodola' said:
I'll try to describe what I'm actually trying to implement so that
maybe it can help you understand a little better.
The application is an asynchronous FTP server implementation.
I decided that it would be desirable to change the current
implementation so that every time a filesystem operation is going to
be made I
temporarily change the current process ID to reflect the current
logged-in user, execute the filesystem call and then switch back to
the original process ID.

You don't mean "process ID". You mean user ID and group ID. Your
fundamental concept is correct.

Pseudo code:

    def STOR(filename):
        authorizer = UnixAuthorizer()
        authorizer.impersonate_user(current_logged_in_user)
        try:
            f = open(filename, 'w')
        finally:
            authorizer.terminate_impersonation()
        ...

The UnixAuthorizer class is expected to provide the mechanism to
change the current user (presumably via os.setegid()/os.seteuid()) and
then switch back to the original one.
Since we're talking about an asynchronous environment I thought that
temporarily changing the process ID was the only way to do this.
I'm sincerely not skilled enough about the UNIX world to know which
are the security implications behind such an approach.
Do you think it is reasonable?

Typically, an FTP server dedicates one thread/process per logged in
session. That process changes to the logged in user's identity as soon as
it gets the username and password, and stays there forever. There is no
need to switch back to root in between. The principle of least privilege
says you should just stay as the unprivileged user while you can.
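
Added example, not part of the original thread and not pyftpdlib's code: the two models discussed above side by side, temporary effective-ID switching around one filesystem call and the permanent per-session drop. The names impersonate, drop_privileges and stor and the osmod/lookup parameters are hypothetical; the process is assumed to start as root.

```python
import os
import pwd
from contextlib import contextmanager


@contextmanager
def impersonate(username, osmod=os, lookup=pwd.getpwnam):
    """Temporarily run with `username`'s effective uid, gid and groups.

    osmod/lookup are injectable (an assumption of this example) so the
    call order can be checked without root; defaults are the real modules.
    """
    pw = lookup(username)
    saved = (osmod.geteuid(), osmod.getegid(), osmod.getgroups())
    try:
        # Groups first: once the effective uid is unprivileged the
        # process can no longer change its gid or supplementary groups.
        osmod.setgroups(osmod.getgrouplist(pw.pw_name, pw.pw_gid))
        osmod.setegid(pw.pw_gid)
        osmod.seteuid(pw.pw_uid)
        yield pw
    finally:
        # Reverse order: regain the privileged uid before the groups.
        osmod.seteuid(saved[0])
        osmod.setegid(saved[1])
        osmod.setgroups(saved[2])


def drop_privileges(username, osmod=os, lookup=pwd.getpwnam):
    """Permanently become `username` (per-session process model).

    setgid/setuid called as root also overwrite the real and saved ids,
    so the process cannot switch back afterwards.
    """
    pw = lookup(username)
    osmod.setgroups(osmod.getgrouplist(pw.pw_name, pw.pw_gid))
    osmod.setgid(pw.pw_gid)
    osmod.setuid(pw.pw_uid)
    return pw.pw_uid, pw.pw_gid


def stor(filename, data, username, **ids):
    """Shape of the STOR handler from the thread: only the filesystem
    call runs under the logged-in user's identity."""
    with impersonate(username, **ids):
        with open(filename, "wb") as f:
            f.write(data)
```

Inside impersonate() the real and saved uid are still root, so the process can regain root at any time, whereas after drop_privileges() it cannot. The effective ids are process-wide, so in an asynchronous server nothing may yield to the event loop inside the with block.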