Running Python scripts under a different user

[Bernard Lebel]

Hello,

I would like to know if there is a way to run a Python file under a
different user account than the one logged in. Allow me to explain.

There are a bunch of people here, they are "basic user", with limited
permissions. Basically there are locations on the network where they
can only read and execute files, but no way to write.

Now, if these users want to write or modify files and directories,
they would have to use my tools, which would control the permissions
and allow the operations under parameters that I have defined.

Currently I see two ways of accomplishing this:

1- the script changes the permissions of the locations the user is
writing to, allowing the "basic user" to write to this location, and
then restore the original permissions. What I don't like about this
one, is that if the script stops, the locations may retain the writing
permissions for the basic user.

2- the script itself runs under a account with writing privileges (the
power user), and network location permissions are not changed. If the
script crashes, well, nothing to worry about as far as I can see.


I could find in the Python library a way to do #1 easily (the os
module), but failed to find anything for #2.



Thanks in advance
Bernard

 

[Diez B. Roggisch]

Hello,

I would like to know if there is a way to run a Python file under a
different user account than the one logged in. Allow me to explain.

There are a bunch of people here, they are "basic user", with limited
permissions. Basically there are locations on the network where they
can only read and execute files, but no way to write.

Now, if these users want to write or modify files and directories,
they would have to use my tools, which would control the permissions
and allow the operations under parameters that I have defined.

Currently I see two ways of accomplishing this:

1- the script changes the permissions of the locations the user is
writing to, allowing the "basic user" to write to this location, and
then restore the original permissions. What I don't like about this
one, is that if the script stops, the locations may retain the writing
permissions for the basic user.

2- the script itself runs under a account with writing privileges (the
power user), and network location permissions are not changed. If the
script crashes, well, nothing to worry about as far as I can see.


I could find in the Python library a way to do #1 easily (the os
module), but failed to find anything for #2.

You didn't find anything there for a few reasons - mainly because if
there was anything that made a program decide for itself which rights it
wanted to run with, the whole concept of restrictive access would be
kind of useless...


And as you refrain form telling us which OS you are running under one
can only be very vague on what to suggest - UNIXish OSes have for
example the setguid-bit, sudo springs to mind and under certain desktops
there are ways to acquire root-settings (but you need a password then I
guess)

Windows I don't know so much - but there exist the possibility to make a
program run under a different user-account.

Diez

 

[Laszlo Nagy]

Hello Diez,

Please see below.

And as you refrain form telling us which OS you are running under one
can only be very vague on what to suggest - UNIXish OSes have for
example the setguid-bit, sudo springs to mind and under certain desktops
there are ways to acquire root-settings (but you need a password then I
guess)

Windows I don't know so much - but there exist the possibility to make a
program run under a different user-account.

For Windows, you can use the 'runas.exe' program. But it requires a
password too.

From what you wrote, I think that you need to change architecture. You
should write your own service rather than write tricky programs. This
way you can develop your own security system, and restrict access to
specific files/programs. You can write tools that can connect to your
service. The service program can be ran on the background, with
sufficient privileges. How does it sound?

Best,

Laszlo

 

[Bernard Lebel]

And as you refrain form telling us which OS you are running under

[Bernard] The network file server is Red Hat Enterprise 4.
The user workstation run through MS Windows XP Pro 32bit SP2,
accessing the file server through Samba.


one

can only be very vague on what to suggest - UNIXish OSes have for
example the setguid-bit, sudo springs to mind and under certain desktops
there are ways to acquire root-settings (but you need a password then I
guess)

Windows I don't know so much - but there exist the possibility to make a
program run under a different user-account.

[Bernard] Thanks anway.

Bernard

 

[Bernard Lebel]

For Windows, you can use the 'runas.exe' program. But it requires a
password too.

From what you wrote, I think that you need to change architecture. You
should write your own service rather than write tricky programs. This
way you can develop your own security system, and restrict access to
specific files/programs. You can write tools that can connect to your
service. The service program can be ran on the background, with
sufficient privileges. How does it sound?

[Bermard] Any ressource you could point me to as to write services?
I'm totally unexperienced with that.


Thanks a bunch.

Bernard

 

[Laszlo Nagy]

From what you wrote, I think that you need to change architecture. You
should write your own service rather than write tricky programs. This
way you can develop your own security system, and restrict access to
specific files/programs. You can write tools that can connect to your
service. The service program can be ran on the background, with
sufficient privileges. How does it sound?

[Bermard] Any ressource you could point me to as to write services?
I'm totally unexperienced with that.

I'm sorry, I was out of town in the weekend. You can try to write a
multi-threaded application server that provides services through TCP/IP.
Probably, the easiest to start with an existing framework:

http://twistedmatrix.com/projects/core/
http://www.webwareforpython.org/

There are many other libraries, you can look for them in the cheeseshop.

http://cheeseshop.python.org/pypi

You can also develop your own protocol with SocketServer or xmlrpc:

http://docs.python.org/lib/module-SocketServer.html
http://docs.python.org/lib/module-xmlrpclib.html


Best,

Laszlo

 

[Bernard Lebel]

Thanks Laszlo, I'll check it out.

Bernard

From what you wrote, I think that you need to change architecture. You
should write your own service rather than write tricky programs. This
way you can develop your own security system, and restrict access to
specific files/programs. You can write tools that can connect to your
service. The service program can be ran on the background, with
sufficient privileges. How does it sound?

[Bermard] Any ressource you could point me to as to write services?
I'm totally unexperienced with that.

I'm sorry, I was out of town in the weekend. You can try to write a
multi-threaded application server that provides services through TCP/IP.
Probably, the easiest to start with an existing framework:

http://twistedmatrix.com/projects/core/
http://www.webwareforpython.org/

There are many other libraries, you can look for them in the cheeseshop.

http://cheeseshop.python.org/pypi

You can also develop your own protocol with SocketServer or xmlrpc:

http://docs.python.org/lib/module-SocketServer.html
http://docs.python.org/lib/module-xmlrpclib.html


Best,

Laszlo

 

[Laurent Pointal]

Bernard Lebel a écrit :

For Windows, you can use the 'runas.exe' program. But it requires a
password too.

From what you wrote, I think that you need to change architecture. You
should write your own service rather than write tricky programs. This
way you can develop your own security system, and restrict access to
specific files/programs. You can write tools that can connect to your
service. The service program can be ran on the background, with
sufficient privileges. How does it sound?

[Bermard] Any ressource you could point me to as to write services?
I'm totally unexperienced with that.

As you run under Unix, you may be interrested into the daemon.py script.

See Unix Daemon in page http://homepage.hispeed.ch/py430/python/index.html

And too: http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/278731


See also google links for python + daemon

A+

Laurent.

 

[Mikael Olofsson]

For Windows, you can use the 'runas.exe' program. But it requires a
password too.

Or you can get a copy of the shareware program RunAsProfessional, which
I use for my kids stupid games that necessarily has to be run by an
admin. The price I paid was 10 Euro, which I still think was money well
spent. IIRC you get a 30 days trial version for free.

http://freedownloads.rbytes.net/cat/desktop/other3/runas-professional/

It does the same thing as RunAs, but you do not need to type the
password every time you run your program. Instead the password is stored
encrypted in the file you launch. I do not know what encryption is used,
or how safe the encryption is. My needs are simply to make sure that my
kids do not destroy anything by mistake. Sure, the stupid game may be
designed to destroy, but that's another issue.

/MiO