I have a python script that is launched as root, I can't change it.
I would like to know if it's possible to exectute certain lines of this script (or all the script) as normal user (I don't need to be root to run this).
The reason is, I use notifications, and python-notify don't work in all machines in root (looks like this bug)
So ,do you know if it's possible to change it, with a subprocess, or other?
Thanks
I would like to know if it's possible to exectute certain lines of this script (or all the script) as normal user
Yes, it's possible—and a good idea.
Python's os module has a group of functions to set the real, effective, and saved user and group id, starting with setegid. What exactly each of these does is up to your platform, as far as Python is concerned; it's just calling the C functions of the same names.
But POSIX defines what those functions do. See setuid and seteuid for details, but the short version is:
seteuid or setreuid, to set just effective, or real and effective, but not saved UID. Then use the same function again to set them back to root.setresuid instead, to set all three.If you're using Python 3.1 and earlier, you don't have all of these functions. You can still use seteuid to switch effective ID back and forth, but setuid will… well, it depends on your platform, but I think most modern platforms will change saved as well as real, meaning you can't get root back. If you read the linked POSIX doc, there are a bunch of caveats and complexities in the POSIX documentation. If you only care about one platform, you probably want to read your local manpages instead, rather than reading about all of the cases and then trying to figure out which one covers your platform.
So ,do you know if it's possible to change it, with a subprocess, or other?
That isn't necessary (at least on a conforming POSIX system), but it can make things easier or safer. You can use subprocess, multiprocessing, os.fork, or any other mechanism to launch a child process, which immediately uses setuid to drop privileges—or even setresuid to give up the ability to ever restore its privilege. When that child process is done with its task, it just exits.
setuid does not allow to change back later.
os.setuid(1000), it should work ?
you need getpwnam from PWD module , for access user-id by pass username and then with os.setuid() you can change the user and Run python script as another user .
import pwd, os
uid = pwd.getpwnam('username')[2] #instead of index 2 you can use pw_uid Attribute
os.setuid(uid)
But Note that using setuid can make a enormous security hole .
If the script is running as root, you can use os.setuid to change the process's current UID to that of another user (irrevocably) or os.seteuid to change the process's current effective UID (and you can use it again afterwards to reset the EUID to root).
Note that os.setuid changes both the real and effective UID - this is the reason it is irrevocable.
os.seteuid changes the effective UID. Since the real UID will still be root, you can still switch back the EUID to root later on in the script.
setuid isn't irrevocable on a system that supports saved user ID, or on a system that follows the older POSIX standard which mandated (or allowed, I forget which) the weird SysV behavior for setuid as root, and I don't think there are too many systems that use the newer standard but don't support saved UIDs.setuid cannot be called a second time to reset back to root.setuid is irrevocable—because it sets real, effective, and saved when run as root.seteuid manpage: Unprivileged user processes may only set the effective user ID to the real user ID, the effective UID or saved set-user-ID. So, having the real UID as root is a sufficient condition. Well, that's the way I interpreted it, at least.