UID/EUID subshell solutions

Hi,

I'm having inconsistent behaviour with running external commands as other users, and the time has apparently come to use something akin to a fork and popen3 to get something approximating consistent behaviour.

I'm currently setting EUID and executing external commands, but some shells ignore that (which is apparently the "standard").

I need some solution that will allow me (when running as root) to run shell commands as another user and capture stdout and (hopefully) stderr. This basically means fork and run Process.uid = blah, but there's some IPC to do too.

Is there a semi-standard pattern for doing this, or does someone have some simple example code I can use?

Thanks,
Luke


--
  The major difference between a thing that might go wrong and a thing
  that cannot possibly go wrong is that when a thing that cannot possibly
  goes wrong goes wrong it usually turns out to be impossible to get at
  or repair. -- Douglas Adams, Mostly Harmless
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com

Luke Kanies wrote:

Hi,

I'm having inconsistent behaviour with running external commands as
other users, and the time has apparently come to use something akin
to a fork and popen3 to get something approximating consistent
behaviour.

I'm currently setting EUID and executing external commands, but some
shells ignore that (which is apparently the "standard").

This is a very desirable shell behavior, to avoid an obvious hacker
vulnerability.

I need some solution that will allow me (when running as root) to run
shell commands as another user and capture stdout and (hopefully)
stderr. This basically means fork and run Process.uid = blah, but
there's some IPC to do too.

Is there a semi-standard pattern for doing this, or does someone have
some simple example code I can use?

`su (username) -c (command)`


--
Paul Lutus
http://www.arachnoid.com

This ended up being my solution:

http://madstop.com/articles/2006/12/19/shell-commands-and-uid

     def execute(command, user = nil, group = nil)
         IO.popen("-") do |f|
             if f
                 # Parent: read everything the child writes to the pipe.
                 text = f.read
                 return text
             else
                 # Child: send stderr down the same pipe as stdout.
                 $stderr.reopen($stdout)
                 # Group first: once the real uid is no longer root, changing
                 # the gid is refused. Process::Sys.setgid/setuid set the real,
                 # effective and saved ids; Process.uid= changes only the real
                 # uid and would leave the effective uid as root.
                 Process::Sys.setgid(group) if group
                 Process::Sys.setuid(user) if user
                 system(*command)
                 # Hand the command's exit status back to the parent ($?).
                 exit!($?.exitstatus || 1)
             end
         end
     end


On Dec 11, 2006, at 8:33 PM, Luke Kanies wrote:

Hi,

I'm having inconsistent behaviour with running external commands as other users, and the time has apparently come to use something akin to a fork and popen3 to get something approximating consistent behaviour.

  --
  Men never do evil so completely and cheerfully as when they do it from a
  religious conviction. --Blaise Pascal
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com
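The fork-and-capture pattern the thread asks for, with stdout and stderr kept separate and the privilege drop checked, as an added example that is not code from the original thread or from Puppet. It assumes user and group are numeric ids and that the caller is root whenever they are given; the names run_as and drop_privileges are mine.

```ruby
# Constructed example, not Luke's or Puppet's code: fork, drop privileges in
# the child, exec the command without a shell, and capture stdout and stderr
# separately. user/group are numeric ids; nil keeps the caller's own id.

def drop_privileges(user, group)
  if group
    Process.groups = [group]        # drop root's supplementary groups too
    Process::Sys.setgid(group)      # setgid(2): real, effective and saved gid
  end
  # Group before user: once the real uid is no longer root, setgid is refused.
  Process::Sys.setuid(user) if user # setuid(2) as root sets all three uids
  # Process.uid= alone would change only the real uid, leaving euid root.
  if user && (Process.uid != user || Process.euid != user)
    raise "privilege drop to uid #{user} did not take effect"
  end
end

def run_as(argv, user = nil, group = nil)
  out_r, out_w = IO.pipe
  err_r, err_w = IO.pipe
  pid = fork do
    out_r.close
    err_r.close
    $stdout.reopen(out_w)
    $stderr.reopen(err_w)
    begin
      drop_privileges(user, group)
      # Two-element [path, argv0] form always bypasses the shell.
      exec([argv[0], argv[0]], *argv[1..-1])
    rescue StandardError => e
      $stderr.write("run_as: #{e.class}: #{e.message}\n")
      exit!(127)
    end
  end
  out_w.close
  err_w.close
  # Read both pipes concurrently so a chatty stderr cannot fill its pipe
  # buffer and deadlock the child while we are blocked on stdout.
  err_thread = Thread.new { err_r.read }
  out = out_r.read
  err = err_thread.value
  out_r.close
  err_r.close
  Process.wait(pid)
  [out, err, $?.exitstatus]
end
```

Call run_as with an argv array, e.g. run_as(["sh", "-c", "echo out; echo err >&2; exit 3"], 1000, 1000) as root, and check all three returned values; as a non-root user leave user and group nil.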

Luke Kanies wrote:

I'm currently setting EUID and executing external commands, but some
shells ignore that (which is apparently the "standard").

This is a very desirable shell behavior, to avoid an obvious hacker
vulnerability.

I don't see how it's an obvious vulnerability; I thought the kernel was just as protective of UID as it is of EUID.

I need some solution that will allow me (when running as root) to run
shell commands as another user and capture stdout and (hopefully)
stderr. This basically means fork and run Process.uid = blah, but
there's some IPC to do too.

Is there a semi-standard pattern for doing this, or does someone have
some simple example code I can use?

`su (username) -c (command)`

This isn't very cross-platform, unfortunately; I'm looking more for a Ruby implementation, rather than shell, and I specifically require support on as many platforms as possible. This is for Puppet[1], which attempts to provide an abstraction layer across different *nix machines, so it's very important that it be easy to make it work on many platforms.

1 - http://reductivelabs.com/projects/puppet


On Dec 11, 2006, at 9:15 PM, Paul Lutus wrote:

  --
  "Like frozen sentries of the serengeti, the century-old termite mounds
  had withstood all tests of time and foe - all tests, that is, except
  the one involving drunken aardvarks and a stolen wrecking ball."
                  -- Gary Larson
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com