UID/EUID subshell solutions

Discussion in 'Ruby' started by Luke Kanies, Dec 12, 2006.

  1. Luke Kanies

    Luke Kanies Guest

    Hi,

    I'm having inconsistent behaviour with running external commands as
    other users, and the time has apparently come to use something akin
    to a fork and popen3 to get something approximating consistent
    behaviour.

    I'm currently setting EUID and executing external commands, but some
    shells ignore that (which is apparently the "standard").

    I need some solution that will allow me (when running as root) to run
    shell commands as another user and capture stdout and (hopefully)
    stderr. This basically means fork and run Process.uid = blah, but
    there's some IPC to do too.

    Is there a semi-standard pattern for doing this, or does someone have
    some simple example code I can use?

    Thanks,
    Luke

    --
    The major difference between a thing that might go wrong and a thing
    that cannot possibly go wrong is that when a thing that cannot possibly
    goes wrong goes wrong it usually turns out to be impossible to get at
    or repair. -- Douglas Adams, Mostly Harmless
    ---------------------------------------------------------------------
    Luke Kanies | http://reductivelabs.com | http://madstop.com
    Luke Kanies, Dec 12, 2006
    #1

  2. Luke Kanies

    Luke Kanies Guest

    On Dec 11, 2006, at 9:15 PM, Paul Lutus wrote:

    > Luke Kanies wrote:
    >>
    >> I'm currently setting EUID and executing external commands, but some
    >> shells ignore that (which is apparently the "standard").
    >
    > This is a very desirable shell behavior, to avoid an obvious hacker
    > vulnerability.


    I don't see how it's an obvious vulnerability; I thought the kernel
    was just as protective of UID as it is of EUID.

    >> I need some solution that will allow me (when running as root) to run
    >> shell commands as another user and capture stdout and (hopefully)
    >> stderr. This basically means fork and run Process.uid = blah, but
    >> there's some IPC to do too.
    >>
    >> Is there a semi-standard pattern for doing this, or does someone have
    >> some simple example code I can use?
    >
    > `su (username) -c (command)`


    This isn't very cross-platform, unfortunately; I'm looking more for a
    Ruby implementation, rather than shell, and I specifically require
    support on as many platforms as possible. This is for Puppet[1],
    which attempts to provide an abstraction layer across different *nix
    machines, so it's very important that it be as easy to make it work
    on many platforms.

    1 - http://reductivelabs.com/projects/puppet

    --
    "Like frozen sentries of the serengeti, the century-old termite mounds
    had withstood all tests of time and foe - all tests, that is, except
    the one involving drunken aardvarks and a stolen wrecking ball."
    -- Gary Larson
    ---------------------------------------------------------------------
    Luke Kanies | http://reductivelabs.com | http://madstop.com
    Luke Kanies, Dec 17, 2006
    #2

  3. Luke Kanies

    Luke Kanies Guest

    On Dec 11, 2006, at 8:33 PM, Luke Kanies wrote:

    > Hi,
    >
    > I'm having inconsistent behaviour with running external commands as
    > other users, and the time has apparently come to use something akin
    > to a fork and popen3 to get something approximating consistent
    > behaviour.


    This ended up being my solution:

    http://madstop.com/articles/2006/12/19/shell-commands-and-uid

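    def execute(command, user = nil, group = nil)
      # popen("-") forks: the parent gets a pipe to the child's stdout,
      # the child gets nil.
      IO.popen("-") do |f|
        if f
          # Parent: collect everything the child wrote.
          text = f.read
          return text
        else
          # Child: send stderr down the same pipe as stdout.
          $stderr.close
          $stderr = $stdout.dup
          # Set the group first: on platforms where changing the UID gives
          # up root entirely, a later GID change would fail.
          Process.gid = group if group
          Process.uid = user if user
          system(*command)
          exit!
        end
      end
    end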


    --
    Men never do evil so completely and cheerfully as when they do it
    from a religious conviction. --Blaise Pascal
    ---------------------------------------------------------------------
    Luke Kanies | http://reductivelabs.com | http://madstop.com
    Luke Kanies, Dec 19, 2006
    #3
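
The fork, drop and capture pattern this thread arrives at, as an added example that is not part of the original posts: it drops the real, effective and saved IDs with `Process::UID.change_privilege`, checks that root cannot be regained, and returns stdout, stderr and the exit status separately. `run_as` and its `uid:`/`gid:` keywords are hypothetical names, and numeric IDs are assumed.

```ruby
# Added example, not code from the thread. run_as and its uid:/gid: keywords
# are hypothetical names; both IDs are numeric.
def run_as(argv, uid: nil, gid: nil)
  out_r, out_w = IO.pipe
  err_r, err_w = IO.pipe
  pid = fork do
    begin
      out_r.close
      err_r.close
      $stdout.reopen(out_w)
      $stderr.reopen(err_w)
      if gid
        # Groups first: after the UID drop the process may not change them.
        Process.groups = [gid] if Process.euid == 0 # discard root's supplementary groups
        Process::GID.change_privilege(gid)          # real, effective and saved GID
      end
      if uid
        Process::UID.change_privilege(uid)          # real, effective and saved UID
        unless uid == 0
          begin
            Process::Sys.setuid(0)
            raise "privilege drop is reversible"
          rescue Errno::EPERM
            # expected: root cannot be regained
          end
        end
        raise "uid not applied" unless Process.uid == uid && Process.euid == uid
      end
      # Two-element first argument: exec the program directly, never via a shell.
      exec([argv[0], argv[0]], *argv[1..-1])
    rescue StandardError => e
      err_w.syswrite("run_as: #{e.message}\n")
      exit!(127)
    end
  end
  out_w.close
  err_w.close
  # Drain both pipes concurrently so a chatty stderr cannot block the child.
  readers = [out_r, err_r].map { |io| Thread.new { io.read } }
  stdout, stderr = readers.map(&:value)
  _, status = Process.wait2(pid)
  [stdout, stderr, status.exitstatus]
ensure
  [out_r, err_r].each { |io| io.close if io && !io.closed? }
end
```

The child inherits the parent's environment (HOME, PATH and so on); pass a cleaned environment hash as the first argument to `exec` if the command depends on it.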