Becoming root within a Python script

François Pinard pinard at iro.umontreal.ca
Fri Sep 24 10:34:08 EDT 1999 

wware-nospam at world.std.com (Will Ware) writes:

> : I would like, within a executing Python started as non-root, ask for
> : the root password, and then, continue executing part of the script
> : while being root, becoming the previous again after some sub-job is done.

> The os.popen().readline()[:-1] construction is pretty ugly.
> Is there a better way to do it?

Starting from your idea and working out from there, I rewrote it like this:

        import pwd, os
        self.current_user = pwd.getpwuid(os.geteuid())[0]

> [...] I did find a pretty simple version that seems to work well, at
> least on my Linux box [...]

Your solution is not fully general, but my set of problems could be bent
to fit, I believe, as I may (in my case) postpone `su-ed' parts until the
end of everything else.  So, I wrote (still untested):


class Job:

    def __init__(self, allowed):
        import pwd

        self.allowed = allowed
        self.needed_users = []
        self.current_user = pwd.getpwuid(os.geteuid())[0]

    def when(self, user):
        if user == self.current_user:
            return 1
        if user not in self.needed_users:
            self.needed_users.append(user)
        return 0

    def launch_subjobs(self):
        if self.needed_users:
            arglist = sys.argv[:]
            arglist.insert(1, '--subjob')
            argstring = join(arglist)
            for user in self.needed_users:
                execute('su %s -c "%s"' % (user, argstring))


To use it, I modified main() so it looks like:


def main(*arguments):
    global job

    if len(arguments) > 0 and arguments[0] == '--subjob':
        job = Job(0)
        del arguments[0]
    else:
        job = Job(1)

    # The rest of main() fits here...

    if job.allowed:
        job.launch_subjobs()


(To interpret what are the arguments of main(), I should say I took the
habit of writing:

if __name__ == '__main__':
    apply(main, sys.argv[1:])

as this is what I found the most convenient for interactive testing.)


To use all the above, I had to revise the application to check `job.allowed'
for the main part of the job or `job.when(USER)' for those parts requiring
a specific USER, as appropriate.  For example:

    def after_step(self):
        if job.allowed:
            execute('make')
        if job.when('root'):
            execute('make install')
            execute('cp etc/etcscreenrc /usr/local/etc/screenrc')
            execute('cat terminfo/screencap >> /etc/termcap')


This requires some care as the proper state should be restored while being
in subjobs.  But I guess it may be worked out, and is acceptably neat.

-- 
François Pinard   http://www.iro.umontreal.ca/~pinard

More information about the Python-list mailing list