Search code examples
linuxsudoapplication-serverpython-keyring

How to access files owned by a user in an application


Context

Imagine I have a application with a Python server running as user 'python-app' on Linux and a Python client also running as user 'python-app'. The user 'python-app' does not have root permissions. Thus, the Python application cannot open files it does not have access to.

The purpose of the application is to allow users to perform some task on a file they own.

Another user 'user' (who exists on the Linux host running the application) accesses the application and authenticates themselves somehow (e.g., OAuth2, username/password, whatever, not relevant for this question). That user successfully authenticates.

Now, I need the application (running as user 'python-app') to perform actions on behalf of the user 'user' using the 'user' permission set.

Question

How do I access files as the application on behalf of the user without doing sudo -u 'user' <command> and potentially having to re-enter credentials every time?

What I would love is:

  • The application authenticates the user
  • The Linux kernel passes the application a token
  • The application passes this token to the Linux Kernel along with a command to perform an action on behalf of another user
    • For example, sudo -u 'user' --token <token> <command>

Is this not possible? I feel like I am missing something and I just don't know what. I've reviewed other enterprise applications that do this, such as RStudio Server (relevant source), but I don't conceptually understand what is happening.


Solution

  • I figured out a solution. It requires that some aspect of the application run as root with sudo. The solution here is to:

    1. Run a "master service" as root (elevated privileges)
      • sudo service
    2. User accesses the "master service" from some client
    3. User authenticates (via Oauth2, PAM, whatever) themselves with "master service" via the client
    4. Upon successful authentication, the "master service":
      1. Creates a child process
      2. De-escalates or demotes privileges of the child process by:
        1. Setting the child process's user id (uid)
        2. Setting the child process's group ids to all relevant group ids (gid) for that user
      3. (Optionally) Redirects client or UI to this new child process
      4. Detaches from the child process

    A minimally working example.

    import os
    import subprocess
    import pam
    import pwd
    import grp
    from getpass import getpass
    
    def authenticate(user, pwd):
        return pam.authenticate(user, pwd, service='common-auth')
    
    def report_ids(msg):
        print(msg)
        print('uid', os.getuid())
        print('gids', os.getgroups())
    
    def spawn_process(user):
        pw_record = pwd.getpwnam(user)
        def demote():
            def result():
                report_ids('starting demotion')
    
                # set multiple group ids instead of just one
                # os.setgid(pw_record.pw_uid)
                groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
                gid = pwd.getpwnam(user).pw_gid
                groups.append(grp.getgrgid(gid).gr_gid)
                try:
                    groups.remove(27) # sudo group
                except ValueError:
                    pass # Silently ignore if element not found
                os.setgroups(groups)
    
                os.setuid(pw_record.pw_gid)
                report_ids('finished demotion')
            return result
    
            # Some generic bash script with a different owner and group id
            # $ ls -l process.sh
            # -rwxrwx--- 1 user  test 28 Jan  8 15:17 process.sh
            # $ cat process.sh
            # #!/bin/bash
            # ls /home/other-user
            subprocess.Popen(["./process.sh"], preexec_fn=demote())
    
    
    
    if __name__ == "__main__":
        user = input("Username: ")
        passwd = getpass("Password: ")
        if authenticate(user, passwd) is False:
            print("Failed to authenticate user")
            exit(1)
    
        # Launch process as another user
        spawn_process(user)
        exit(0)
    

    Resources:

    I would be curious to know if others find any problems with this approach