Doing things as a different user

aufflick has asked for the wisdom of the Perl Monks concerning the following question:

I need to do something as the logged in user, rather than as the webserver user.

Specifically I need to perform some Rational ClearCase modifications as their unix user to maintain the audit trail.

I have tried using su -c in a two-way pipe, but it insists that stdin must be a tty. sudo is not really feasable because it would need to be rolled out to a large number of linux and solaris boxes (which don't currently have it).

Neither CPAN or PerlMonks appear to have any options for a "run as" type module or snippet.

PS: speaking of searchin PerlMonks, I have made a PerlMonks mozilla search plugin which should be available from the mozilla search plugin download page soon.

Update: I notice that the Expect modules uses IO::Tty which I guess I need to communicate with an interactive process like su. Of course I could use Expect.pm, but I want to steer away from this whole approach if I can and am looking for ideas, but in retrospect, somthing somewhere has to be a setuid binary, and it may as well be su...

Comment on Doing things as a different user

Replies are listed 'Best First'.
•Re: Doing things as a different user by merlyn (Sage) on Sep 27, 2004 at 00:14 UTC
I cannot tell you how dangerous this is. Probably, the best way would be to write a request into a database that has the specific required changes, then have a root daemon vet the changes then fork a child that becomes the requested user. You've got to have an intermediate like that so that you don't have a setuid root web process, which opens up many cans of worms. Even then, how are you authenticating the user to the web process? I can't imagine having a low-privileged user temporarily have authentication credentials to pass on to the database either. Ugh. Really, why are you doing this from the web? -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]
Re^2: Doing things as a different user by aufflick (Deacon) on Sep 27, 2004 at 01:04 UTC
On consideration, we have decided to maintaing an audit trail by including the username in the supplied comments instead. It's not as robust auditing, but it's a load less pain. And despite my posturing I also intensly dislike invoking anything setuid from a webserver. Of course if the clients are windows, I could just embed the executable code in a jpeg ;) PS: I'm honoured to have the great Randal reply to my question - and in Australian Standard time too!	[reply]
Re^2: Doing things as a different user by aufflick (Deacon) on Sep 27, 2004 at 00:40 UTC
Well, it's an intranet on a private lan, and the logged in users have already authenticated with their database password (which by the magic of LDAP is the same as their unix password). The main problem is that there is no way (I can find) to coerce Rational ClearCase to log an action as any user other than the euid. I'm not exposing any security problems I can see, because the username and password they supplied on login actually allows them to login to th unix box in question via ssh if they really wanted to.	[reply]
Re: Doing things as a different user by Zaxo (Archbishop) on Sep 27, 2004 at 00:11 UTC
I like to use the suExec option of Apache httpd. That will take care of your problem, and permits better use of unix file system security. After Compline, Zaxo	[reply]
•Re^2: Doing things as a different user by merlyn (Sage) on Sep 27, 2004 at 00:21 UTC
I don't think that'll help here. From what I could gather, the specific user ID for each request will be different, based on some auth credentials. suExec makes a process that is always the user that owns the CGI script. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]