Impersonate another user temporarily (Unix and Windows)

billiejoex

Hi there. I'm writing a modification for an FTP server library I'm
maintaining.
Depending on the system I'd want to temporarily impersonate the logged-in
user to perform actions on the filesystem.
Something like:

    try:
        change_user('user', 'password')
        os.rmdir('dir')
    except:
        print("some error")
    finally:
        change_user('old_user', 'password')

On Unix I took a look at the os.seteuid() and os.setegid() functions and
I noticed they could be useful for my purpose.
On Windows I have no idea how I could emulate a similar
behaviour.
Could someone please point me in the right direction?


Thanks in advance
 
Tim Golden

billiejoex said:
Hi there. I'm writing a modification for an FTP server library I'm
maintaining.
Depending on the system I'd want to temporarily impersonate the logged-in
user to perform actions on the filesystem.
Something like:

    try:
        change_user('user', 'password')
        os.rmdir('dir')
    except:
        print("some error")
    finally:
        change_user('old_user', 'password')

On Unix I took a look at the os.seteuid() and os.setegid() functions and
I noticed they could be useful for my purpose.
On Windows I have no idea how I could emulate a similar
behaviour.
Could someone please point me in the right direction?

(Warning: not tried, but at least gives you the things to Google for!)

You need the win32security module from the pywin32 extensions. [1]
In particular, you want to look at the LogonUser and
ImpersonateLoggedOnUser functions.

TJG

[1] http://pywin32.sf.net
 
billiejoex

billiejoex said:
Hi there. I'm writing a modification for an FTP server library I'm
maintaining.
Depending on the system I'd want to temporarily impersonate the logged-in
user to perform actions on the filesystem.
Something like:

    try:
        change_user('user', 'password')
        os.rmdir('dir')
    except:
        print("some error")
    finally:
        change_user('old_user', 'password')

On Unix I took a look at the os.seteuid() and os.setegid() functions and
I noticed they could be useful for my purpose.
On Windows I have no idea how I could emulate a similar
behaviour.
Could someone please point me in the right direction?

(Warning: not tried, but at least gives you the things to Google for!)

You need the win32security module from the pywin32 extensions. [1]
In particular, you want to look at the LogonUser and
ImpersonateLoggedOnUser functions.

TJG

[1] http://pywin32.sf.net

Thanks for the suggestion.
I made it.
 
Chris Mellon

billiejoex said:
Hi there. I'm writing a modification for an FTP server library I'm
maintaining.
Depending on the system I'd want to temporarily impersonate the logged-in
user to perform actions on the filesystem.
Something like:

    try:
        change_user('user', 'password')
        os.rmdir('dir')
    except:
        print("some error")
    finally:
        change_user('old_user', 'password')

On Unix I took a look at the os.seteuid() and os.setegid() functions and
I noticed they could be useful for my purpose.
On Windows I have no idea how I could emulate a similar
behaviour.
Could someone please point me in the right direction?

(Warning: not tried, but at least gives you the things to Google for!)

You need the win32security module from the pywin32 extensions. [1]
In particular, you want to look at the LogonUser and
ImpersonateLoggedOnUser functions.

TJG

[1] http://pywin32.sf.net

Thanks for the suggestion.
I made it.


Note that running your process as a user with enough privileges to
impersonate another user pretty much eliminates all the benefits of
running as a low-privileged user in the first place. Consider
re-thinking your application model and having an "ftp" user instead.
 
billiejoex

billiejoex wrote:
Hi there. I'm writing a modification for an FTP server library I'm
maintaining.
Depending on the system I'd want to temporarily impersonate the logged-in
user to perform actions on the filesystem.
Something like:

    try:
        change_user('user', 'password')
        os.rmdir('dir')
    except:
        print("some error")
    finally:
        change_user('old_user', 'password')

On Unix I took a look at the os.seteuid() and os.setegid() functions and
I noticed they could be useful for my purpose.
On Windows I have no idea how I could emulate a similar
behaviour.
Could someone please point me in the right direction?

(Warning: not tried, but at least gives you the things to Google for!)

You need the win32security module from the pywin32 extensions. [1]
In particular, you want to look at the LogonUser and
ImpersonateLoggedOnUser functions.

TJG

[1] http://pywin32.sf.net

Thanks for the suggestion.
I made it.

Note that running your process as a user with enough privileges to
impersonate another user pretty much eliminates all the benefits of
running as a low-privileged user in the first place. Consider
re-thinking your application model and having an "ftp" user instead.

Could you be more precise?
Why is it not a good idea?
I was thinking of starting ftpd as a limited user ('nobody'/'ftp' on
Unix, 'Guest' on Windows), then temporarily switching to another user
when I've got to perform actions on the file system.
Maybe you're saying that as a limited user I can't do such switching?
 
Steve Holden

billiejoex said:
Could you be more precise?
Why is it not a good idea?
I was thinking of starting ftpd as a limited user ('nobody'/'ftp' on
Unix, 'Guest' on Windows), then temporarily switching to another user
when I've got to perform actions on the file system.
Maybe you're saying that as a limited user I can't do such switching?

That's exactly what he's saying.

regards
Steve
--
Steve Holden +1 571 484 6266 +1 800 494 3119
Holden Web LLC/Ltd http://www.holdenweb.com
Skype: holdenweb http://del.icio.us/steve.holden
--------------- Asciimercial ------------------
Get on the web: Blog, lens and tag the Internet
Many services currently offer free registration
----------- Thank You for Reading -------------
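
Added example, not code from the thread or from the FTP library being discussed: one way to write the change_user idea for Unix with os.seteuid() and os.setegid(), as a Python 3 context manager that always restores the original identity. The names impersonate, remove_dir_as and can_switch_to are hypothetical; can_switch_to shows the point made in the replies, that a process started as a limited user is refused the switch.

```python
import contextlib
import os


@contextlib.contextmanager
def impersonate(uid, gid, groups=None):
    """Temporarily take on another user's effective IDs (Unix only).

    Effective IDs belong to the whole process, so every thread switches.
    """
    saved_euid, saved_egid = os.geteuid(), os.getegid()
    saved_groups = os.getgroups()
    # Only root may change supplementary groups, and it has to when leaving
    # root, otherwise the target user keeps root's group memberships.
    dropping_root = saved_euid == 0 and uid != 0
    try:
        if dropping_root:
            os.setgroups([gid] if groups is None else groups)
        os.setegid(gid)  # group first, while we still hold the privilege
        os.seteuid(uid)  # user last
        yield
    finally:
        # Undo in reverse order: regain the original euid, then the rest.
        # This works because the saved set-user-ID is untouched, which also
        # means code running inside the process can switch back by itself.
        os.seteuid(saved_euid)
        os.setegid(saved_egid)
        if dropping_root:
            os.setgroups(saved_groups)


def remove_dir_as(uid, gid, path):
    """The thread's os.rmdir() case, run with the user's permissions."""
    with impersonate(uid, gid):
        os.rmdir(path)


def can_switch_to(uid, gid):
    """Return True if this process is allowed to take on uid/gid."""
    try:
        with impersonate(uid, gid):
            return True
    except OSError:  # typically PermissionError (EPERM) without privilege
        return False
```

Because the switch back needs no credentials, this pattern only scopes filesystem permission checks; it does not contain code that runs inside the server process.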
 
billiejoex

That's exactly what he's saying.

regards
Steve

Uhm... I'm confused.
Which kind of approach is generally adopted in such cases?
 
