UID/EUID subshell solutions

Hi,

I'm having inconsistent behaviour with running external commands as other users, and the time has apparently come to use something akin to a fork and popen3 to get something approximating consistent bahaviour.

I'm currently setting EUID and executing external commands, but some shells ignore that (which is apparently the "standard").

I need some solution that will allow me (when running as root) to run shell commands as another user and capture stdout and (hopefully) stderr. This basically means fork and run Process.uid = blah, but there's some IPC to do too.

Is there a semi-standard pattern for doing this, or does someone have some simple example code I can use?

Thanks,
Luke

Luke Kanies wrote:

Hi,

I'm having inconsistent behaviour with running external commands as
other users, and the time has apparently come to use something akin
to a fork and popen3 to get something approximating consistent
bahaviour.

I'm currently setting EUID and executing external commands, but some
shells ignore that (which is apparently the "standard").

This is a very desirable shell behavior, to avoid an obvious hacker
vulnerability.

I need some solution that will allow me (when running as root) to run
shell commands as another user and capture stdout and (hopefully)
stderr. This basically means fork and run Process.uid = blah, but
there's some IPC to do too.

Is there a semi-standard pattern for doing this, or does someone have
some simple example code I can use?

`su (username) -c (command)`

This ended up being my solution:

http://madstop.com/articles/2006/12/19/shell-commands-and-uid

     def execute(command, user = nil, group = nil)
         IO.popen("-") do |f|
             if f
                 text = f.read
                 return text
             else
                 $stderr.close
                 $stderr = $stdout.dup
                 Process.uid = user if user
                 Process.gid = group if group
                 system(*command)
                 exit!
             end
         end
     end

Luke Kanies wrote:

I'm currently setting EUID and executing external commands, but some
shells ignore that (which is apparently the "standard").

This is a very desirable shell behavior, to avoid an obvious hacker
vulnerability.

I don't see how it's an obvious vulnerability; I thought the kernel was just as protective of UID as it as of EUID.

I need some solution that will allow me (when running as root) to run
shell commands as another user and capture stdout and (hopefully)
stderr. This basically means fork and run Process.uid = blah, but
there's some IPC to do too.

Is there a semi-standard pattern for doing this, or does someone have
some simple example code I can use?

`su (username) -c (command)`

This isn't very cross-platform, unfortunately; I'm looking more for a Ruby implementation, rather than shell, and I specifically require support on as many platforms as possible. This is for Puppet[1], which attempts to provide an abstraction layer across different *nix machines, so it's very important that it be as easy to make it work on many platforms.

1 - http://reductivelabs.com/projects/puppet