Impersonate another user temporarily (Unix and Windows)
billiejoex
gnewsg at gmail.com
Thu Aug 23 15:01:03 EDT 2007
On 23 Ago, 13:13, "Chris Mellon" <arka... at gmail.com> wrote:
> On 8/23/07, billiejoex <gne... at gmail.com> wrote:
>
>
>
>
>
> > On 23 Ago, 10:38, Tim Golden <m... at timgolden.me.uk> wrote:
> > > billiejoex wrote:
> > > > Hi there. I'm writing a modification for a FTP server library I'm
> > > > maintaining.
> > > > Depending on the system I'd want to temporarily impersonate the logged
> > > > user to perform actions on filesystem.
> > > > Something like:
>
> > > > try:
> > > > change_user('user', 'password')
> > > > os.rmdir('dir')
> > > > except:
> > > > print "some error"
> > > > finally:
> > > > change_user('old_user', 'password')
>
> > > > On Unix I took at look at os.seteuid() and os.setegid() functions and
> > > > I noticed they could be useful for my purpose.
> > > > On Windows I have no idea about how could I emulate a similar
> > > > behaviour.
> > > > Could someone please point me in the right direction?
>
> > > (Warning: not tried, but at least gives you the things to Google for!)
>
> > > You need the win32security module from the pywin32 extensions. [1]
> > > In particular, you want to look at the LogonUser and
> > > ImpersonateLoggedOnUser functions.
>
> > > TJG
>
> > > [1]http://pywin32.sf.net-Nascondi testo tra virgolette -
>
> > > - Mostra testo tra virgolette -
>
> > Thanks for suggestion.
> > I made it.
>
> Note that running your process as a user with enough priviledges to
> impersonate another user pretty much eliminates all the benefits of
> running as a low-priviledged user in the first place. Consider
> re-thinking your application model and having an "ftp" user instead.- Nascondi testo tra virgolette -
>
> - Mostra testo tra virgolette -
Could you be more precise?
Why it's not a good idea?
I was thinking of starting ftpd as limited user ('nobody'/'ftp' on
unix, 'Guest' on Windows), then temporary switching to another user
when I got to perform actions on file system.
Maybe you're saying that as limited user I can't do such switching?
More information about the Python-list
mailing list