What I have: the login/password for a UNIX user (alice).

Who I am: some other UNIX user (bob).

What I need to do: start a process programmatically (foo) as the other user (alice).

What the end result should be: the process is running and displays alice as the owner if a "ps" is done. For purposes of privileges, acts as if alice started it.

Basically I need to write some code that does the equivalent of "su -c 'foo' - alice"

Ideally I don't want to have to set any special bits or permissions on the executable in question (foo).

+2  A: 

I see only two possibilities to start a process as alice on UNIX/Linux from a process owned by bob that cannot setuid itself.

  • call a setuid program
  • communicate with an already running process that can start processes as alice

Peter G.

+1: noting that in the second case, the process would have to be already running as either alice or root. A third possibility is maaaaaaaybe to fork and exec `login`, but since that _really_ wants to talk to a terminal, I suspect that would get very messy very quickly.

Norman Gray

+1  A: 

Never say never, but I think this is probably impossible in any unix-portable way. The setuid(2) call (and friends) succeeds only if the current uid is either the same as the target one (modulo some subtleties about effective and real uids) or if the current uid is 0 (i.e., root). That is, you can't change from one non-root uid to another.

Having the password doesn't help. The password is used for the initial authentication to the system, whether it be via login, ssh, or some GUI login dialogue, but the password is the concern of those programs alone, and not of the system as such. Put another way, the kernel doesn't care about your password, and it's the kernel that you have to talk to if you want to change your uid.

That is, you're probably therefore obliged to consider indirect routes, such as the ones Peter G mentioned.

(Yes, some unixes may have a way of doing this, but that's platform-specific).

I know I'm not adding any positive advice here, only the possibly time-saving negative advice of 'nothing to see here; move right along...'

Norman Gray
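
The two answers above, as an added example that is not part of either answer: a C sketch of what an already-running root helper would do to launch a command under another uid, and what the same code returns when bob runs it directly. The names `run_as` and `demo_other_uid` are hypothetical, and the target uid (caller's uid + 1) is a constructed stand-in for alice.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec argv under uid/gid. Returns the command's exit status,
 * or -errno if the kernel refused the identity switch or the exec. */
int run_as(uid_t uid, gid_t gid, char *const argv[]) {
    int fds[2], err = 0, status = 0;
    if (pipe(fds) < 0) return -errno;
    pid_t pid = fork();
    if (pid < 0) { err = errno; close(fds[0]); close(fds[1]); return -err; }
    if (pid == 0) {
        close(fds[0]);
        fcntl(fds[1], F_SETFD, FD_CLOEXEC); /* pipe closes itself if exec succeeds */
        /* Order matters: groups first, uid last, while privilege is still held. */
        if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
            err = errno;                    /* non-root caller ends up here: EPERM */
        else if (uid != 0 && setuid(0) == 0)
            err = EPERM;                    /* drop was reversible: refuse to exec */
        else {
            execvp(argv[0], argv);
            err = errno;                    /* only reached if exec failed */
        }
        if (write(fds[1], &err, sizeof err) != (ssize_t)sizeof err) _exit(126);
        _exit(127);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], &err, sizeof err); /* 0 bytes means exec succeeded */
    close(fds[0]);
    waitpid(pid, &status, 0);
    if (n == (ssize_t)sizeof err) return -err;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -EINTR;
}

/* Constructed demo: try to run `true` as an arbitrary other uid (ours + 1). */
int demo_other_uid(void) {
    char *argv[] = { "true", NULL };
    return run_as(getuid() + 1, getgid(), argv);
}

int main(void) {
    printf("run_as -> %d\n", demo_other_uid());
    return 0;
}
```

Run as an ordinary user this prints `run_as -> -1` (that is, `-EPERM`); the password never enters into it, because the kernel checks only the caller's current credentials.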