Change user on UNIX

Tim Roberts timr at probo.com
Sun Mar 30 00:48:09 CET 2008


"Giampaolo Rodola'" <gnewsg at gmail.com> wrote:
>
>I'll try to describe what I'm actually trying to implement so that
>maybe it can help you understand a little better.
>The application is an asynchronous FTP server implementation.
>I decided that it would be desirable to change the current
>implementation so that every time a filesystem operation is going to
>be made I
>temporarily change the current process ID to reflect the current
>logged-in user, execute the filesystem call and then switch back to
>the original process ID.

You don't mean "process ID".  You mean user ID and group ID.  Your
fundamental concept is correct.

>Pseudo code:
>
>def STOR(filename):
>     authorizer = UnixAuthorizer()
>     authorizer.impersonate_user(current_logged_in_user)
>     try:
>         f = open(filename, 'w')
>     finally:
>         authorizer.terminate_impersonation()
>     ...
>
>The UnixAuthorizer class is expected to provide the mechanism to
>change the current user (presumably via os.setegid()/os.seteuid()) and
>then switch back to the original one.
>Since we're talking about an asynchronous environment I tought that
>temporarily changing the process ID was the only way to do this.
>I'm sincerely not skilled enough about the UNIX world to know which
>are the security implications behind such an approach.
>Do you think it is reasonable?

Typically, an FTP server dedicates one thread/process per logged in
session.  That process changes to the logged in user's identity as soon as
it gets the username and password, and stays there forever.  There is no
need to switch back to root in between.  The principle of least privilege
says you should just stay as the unprivileged user while you can.
-- 
Tim Roberts, timr at probo.com
Providenza & Boekelheide, Inc.



More information about the Python-list mailing list