challenging problem for changing to a dedicated non-privileged user within a script.

Piet van Oostrum piet at cs.uu.nl
Thu Jul 23 13:25:48 EDT 2009


>>>>> Krishnakant <hackingkk at gmail.com> (K) wrote:

>K> On Thu, 2009-07-23 at 13:50 +0200, paul wrote:
>>> If the user running python program is allowed to call setuid() then yes.
>>> 
>K> NO, I don't think I can do that.  I am getting operation not permitted.

>K> Anyway, I think probably subprocess will have to sort it out.

>>> Did you try running "sudo -u postgres blabla" with subprocess?
>>> 
>K> Yes, but still not got the intended result which is now obvious.
>>> > 2. now execute the python code for connecting to the postgresql
>>> > database.
>>> > In the second point I actually want to execute python code not shell
>>> > level command so will the sudo -u in the subprocess.Popen change the
>>> > user in the script?
>>> No, as the name "subprocess" suggests you are spawning a new process 
>>> which gets another uid through sudo. This does not affect the parent 
>>> process.
>>> 
>K> Ok then here is the work-around which I am thinking to try. Please tell
>K> me if it is correct.
>K> I will let that subprocess start python in the background and execute the
>K> connecting code to postgresql including importing the pygresql library.
>K> Then I will create the connection and cursor objects in that subprocess.
>K> But my concern is, will the connection object in the child process
>K> (subprocess) be available to the parent process?

No. However it is still not clear why you want to run under the postgres
user id. Why can't the original process do the postgres connection?

If that is really impossible, then you might start the new process with
sudo and let it do a socket tunnelling to postgres, i.e. make a
connection to the postgres server and a socket connection to the
original Python script, and copy everything from one socket to the other
- in both directions. However this can also be done with an ssh tunnel
which might be simpler.
-- 
Piet van Oostrum <piet at cs.uu.nl>
URL: http://pietvanoostrum.com [PGP 8DAE142BE17999C4]
Private email: piet at vanoostrum.org
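
The two-way socket copy described in the reply above, as an added example that is not part of the original post. The names `pump`, `relay`, `fake_server` and `demo` are hypothetical, and `socket.socketpair()` plus an upper-casing stub stand in for the real script-to-helper and helper-to-postgres connections.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass  # peer went away; still propagate EOF below
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def relay(front, back):
    """Copy in both directions between two connected sockets until both reach EOF."""
    t = threading.Thread(target=pump, args=(front, back))
    t.start()
    pump(back, front)
    t.join()
    front.close()
    back.close()

def fake_server(sock):
    """Constructed stand-in for the database server: replies in upper case."""
    for data in iter(lambda: sock.recv(4096), b""):
        sock.sendall(data.upper())
    sock.close()

def demo(request=b"select 1"):
    # socketpair() stands in for the helper's two connections:
    # script <-> helper and helper <-> server (both constructed for the demo).
    client, front = socket.socketpair()
    back, server = socket.socketpair()
    threading.Thread(target=fake_server, args=(server,)).start()
    threading.Thread(target=relay, args=(front, back)).start()
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)  # signal end of request
    reply = b"".join(iter(lambda: client.recv(4096), b""))
    client.close()
    return reply
```

In the arrangement from the message, only the helper running `relay` is started with sudo; its front socket should accept nothing but the original script (for example a Unix socket with restrictive permissions), because anything able to connect to it reaches the server through the helper's identity.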


