I have a segment of code that I'd like to run as non-root. If the program is run as non-root, nothing needs to happen. But if the program is run as root, then root privileges need to be dropped, the segment of code executed, then root privileges enabled again. How do you write code for the enable/disable?
Viewed 3,201 times
2
- This cannot be done in a safe way without forking a new process. If you drop root privileges in a way where they can be re-gained there's nothing to prevent an attacker who can modify the executed code to do so before doing bad stuff. – ThiefMaster Nov 06 '12 at 06:31
- You can launch the `python` process as `root` (sudo python). – Dmitry Zagorulkin Nov 06 '12 at 07:11
2 Answers
0
Try os.getuid() and os.setuid(). You can use them to switch user within your script.

ben author
- Probably you would need to use [`os.geteuid()`](http://docs.python.org/2/library/os.html#os.geteuid) and [`os.seteuid()`](http://docs.python.org/2/library/os.html#os.seteuid) instead. Otherwise, root privileges cannot be obtained again after dropping them. – del Nov 06 '12 at 06:46
0
Try the following:
import os

print "user who executed the code: %d" % os.getuid()
print "current effective user: %d" % os.geteuid()

if os.getuid() == 0:
    # Only the effective uid changes; the real and saved uid stay 0,
    # so os.seteuid(0) can restore root afterwards.
    os.seteuid(65534)  # user id of the user "nobody"
    print "current effective user: %d" % os.geteuid()
    # do what you need to do with non-root privileges here, e.g. write to a file
    print >> open("/tmp/foobar.txt", "w"), "hello world"
    os.seteuid(0)
    print "current effective user: %d" % os.geteuid()
Running this as root outputs:

user who executed the code: 0
current effective user: 0
current effective user: 65534
current effective user: 0

del
- @user1802143 - You can check the output of `os.getuid()`. If it's equal to zero, then root executed the code. I've updated the example to demonstrate this. – del Nov 06 '12 at 22:25
- I'm interested in the user who called sudo. When sudo is used, the uid is 0. Is there a way to get the uid of the caller of sudo? – user1802143 Nov 06 '12 at 23:14
- @user1802143 - Look at the [`SUDO_UID` environment variable](http://www.sudo.ws/sudo/sudo.man.html#sudo_uid), i.e. `print os.environ['SUDO_UID']` – del Nov 06 '12 at 23:26
- I used `os.seteuid(int(os.getenv("SUDO_UID")))` to disable and `os.seteuid(0)` to enable, but it doesn't seem to work. Ideally I'd like to make it so that it was as if the user did not even use sudo. – user1802143 Nov 07 '12 at 00:32
- The code tries to create/write a file. When I run it without the sudo command everything works fine. But when I use the sudo command and the aforementioned techniques, I get permission denied when it comes to the file. – user1802143 Nov 07 '12 at 00:51
- @user1802143 - Have you checked that the ownership & permissions of the directory where you are trying to create the file are correct? I have updated the code to write to a file in `/tmp`. Does this work for you? – del Nov 07 '12 at 01:12
- I am also writing a file in /tmp. What are the correct ownership & permissions? I assumed they were correct since the non-sudo command worked. – user1802143 Nov 07 '12 at 01:19
- @user1802143 - Maybe the file you are attempting to create already exists and you don't have write permissions to it, have you checked that? Does the sample code I posted work for you? – del Nov 07 '12 at 01:30
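As an added example (not code from the answer or the comments above), here is a Python 3 version of the same effective-uid toggling that also covers the `SUDO_UID` case from the comments and changes the effective group id, which the posted snippet leaves at root's. The names `caller_ids`, `dropped_privileges` and `demo` are helpers invented for this example, and it assumes a POSIX system. ThiefMaster's caveat still holds: because only the effective ids change, the saved set-user-ID stays 0 and anything running in the process can call `seteuid(0)` again.

```python
import contextlib
import os
import tempfile


def caller_ids():
    """(uid, gid) to drop to: the sudo caller when running as root under sudo, else our real ids."""
    if os.geteuid() == 0 and "SUDO_UID" in os.environ:
        return int(os.environ["SUDO_UID"]), int(os.environ.get("SUDO_GID", os.getgid()))
    return os.getuid(), os.getgid()


@contextlib.contextmanager
def dropped_privileges(uid, gid):
    """Run the body with effective ids (uid, gid) when we are root; a no-op otherwise.

    Only the *effective* ids change, so the saved set-user-ID stays 0 and the
    seteuid(0) in the finally block succeeds. Order matters: the group is changed
    while the effective uid is still 0, and restored only after it is 0 again.
    """
    if os.geteuid() != 0:
        yield False
        return
    saved_uid, saved_gid = os.geteuid(), os.getegid()
    os.setegid(gid)
    os.seteuid(uid)
    try:
        yield True
    finally:
        os.seteuid(saved_uid)
        os.setegid(saved_gid)


def demo():
    """Create a file in the temp dir with dropped privileges and report what happened."""
    uid, gid = caller_ids()
    path = os.path.join(tempfile.gettempdir(), "dropdemo-%d.txt" % os.getpid())  # constructed path
    euid_before = os.geteuid()
    with dropped_privileges(uid, gid) as dropped:
        with open(path, "w") as fh:
            fh.write("hello world\n")
        owner = os.stat(path).st_uid  # owned by the caller, not root, when dropped
    euid_after = os.geteuid()
    os.remove(path)
    return {"dropped": dropped, "caller_uid": uid, "owner_uid": owner,
            "euid_before": euid_before, "euid_after": euid_after}


if __name__ == "__main__":
    print(demo())
```

Run it once plainly and once under `sudo`: in both cases the file ends up owned by the invoking user, and the effective uid is back to what it was when the block exits.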