15

On a Linux box I want to run a Python script as another user.

I've already made a wrapper program in C++ that calls the script, since I've realized that the ownership of running the script is decided by the ownership of the python interpreter. After that I change the C++ program to a different user and run the C++ program.

This setup doesn't seem to be working. Any ideas?

5
  • Do your other users not have the permissions to run python? Commented Sep 30, 2009 at 16:35
  • 3
    It's not a matter of running Python. The script needs to do things that need certain permissions. I don't want to give all users those permissions. The script is acting sort of like a controlled permissions giver, but first the script needs permissions itself... Commented Sep 30, 2009 at 16:37
  • It sounds like you want to use the setuid bit Commented Sep 30, 2009 at 16:40
  • Keep in mind that this won't change all of your environment variables, i.e. ~/ will still expand to /home/old_user/, which could cause some trouble further down the road. Commented May 1, 2014 at 21:34
  • @johannix I also came across the exact same problem. Did you find any workaround? Commented Aug 1, 2014 at 4:55

3 Answers

16

You can set the user with os.setuid(), and you can get the uid with pwd. Like so:

>>> import pwd, os
>>> uid = pwd.getpwnam('root')[2]
>>> os.setuid(uid)

Obviously this only works if the user or executable has the permission to do so. Exactly how to set that up I don't know. Obviously it works if you are root. I think you may need to set the setuid flag on the Python executable, and that would leave a WHOPPING security hole. Possibly that's permissible if the user you setuid to is a dedicated restricted user that can't do anything except whatever you need to do.

Unix security, based on users and setuiding and stuff, is not very good or practical, and it's easy to leave big security holes. A more secure option is actually to do this client-server typish, so you have a daemon that does everything, and the client talks to it. The daemon can then run with a higher security than the users, but the users would have to give a name and password when they run the script, or identify themselves with some public/private key or somesuch.


2 Comments

I used this code in a script run from an Ubuntu init script, and it did NOT require the setuid bit on the python executable.

It works without setuid bit if you are root or sudo the script.
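As an added example (my own code, not from the answer above): os.setuid() on its own changes only the user id, so the process keeps the caller's group id, supplementary groups and environment (the HOME problem raised in the question's comments). This helper resolves the target identity with pwd and grp, changes groups before the uid while the effective uid is still 0, resets the environment, and verifies the switch; the names Target, resolve_target and drop_privileges are my own.

```python
import os
import pwd
import grp
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    uid: int
    gid: int
    groups: tuple   # supplementary group ids, primary gid included
    home: str


def resolve_target(username):
    """Collect everything needed to become `username` (KeyError if unknown)."""
    pw = pwd.getpwnam(username)
    gids = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    gids.add(pw.pw_gid)
    return Target(pw.pw_name, pw.pw_uid, pw.pw_gid, tuple(sorted(gids)), pw.pw_dir)


def running_as_root():
    return os.geteuid() == 0


def can_switch_to(target):
    """Only euid 0 may take on another identity; becoming yourself is a no-op."""
    return running_as_root() or target.uid == os.getuid()


def identity_ok(target):
    """Real, effective and saved ids must all match, or a setuid call is still undone."""
    return (os.getresuid() == (target.uid,) * 3
            and os.getresgid() == (target.gid,) * 3)


def drop_privileges(target):
    """Permanently become `target`. Groups first, uid last: after setuid there is no way back."""
    if not can_switch_to(target):
        raise PermissionError(f"need euid 0 to become {target.name} (uid {target.uid})")
    if running_as_root():
        os.setgroups(list(target.groups))
        os.setgid(target.gid)
        os.setuid(target.uid)
    # os.setuid does not touch the environment; fix the values scripts rely on.
    os.environ["HOME"] = target.home
    os.environ["USER"] = os.environ["LOGNAME"] = target.name
    return identity_ok(target)
```

The check in identity_ok matters because a partial switch (effective uid changed, saved uid not) can be reversed with another setuid call.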
0

Give those users the ability to sudo su $dedicated_username and tailor the permissions on your system so that $dedicated_user has sufficient, but not excessive, access.

Comments

-1

Use the command sudo.

In order to run a program as a user, the system must "authenticate" that user.

Obviously, root can run any program as any user, and any user can su to another user with a password.

The program sudo can be configured to allow a group of users to sudo a particular command as a particular user.

For example, you could create a group scriptUsers and a user scriptRun. Then, configure sudo to let any user in scriptUsers become scriptRun ONLY to run your script.

1 Comment

Can't use sudo, since the script needs to be used by other people.
