
RDA Python package to run programs via setuid as an effective or common user

Project description

RDA Python package, including a C wrapper, that executes command-line applications via setuid as a designated effective or common user.

Overview

rda_python_setuid provides a C binary (pywrapper) that is installed with the setuid bit, so it runs with the effective UID of its owner, and then execv()s a Python entry point script. This lets Python programs run as a designated common user (e.g. gdexdata) without requiring sudo access: the caller keeps their real UID while the program runs under the effective UID of the wrapper's owner.

Two modes are supported:

  • Mode 1 (CommonUser program): a symlink dsarch -> pywrapper runs setuid_dsarch as the common user.
  • Mode 2 (pgstart specialist): a copy pgstart_zji runs any command as specialist zji via pgstart.py, restricted to authorized users.

Two Python entry points are packaged alongside the C wrapper:

  • pywrapper.py — the default fallback target, executed when pywrapper.c cannot resolve a matching setuid_<program> entry point. It acquires the effective UID via PgLOG.set_suid(), prints the caller's real and effective user names, and shows the pyproject.toml snippet plus the pywrapper-install -l <program> command needed to wrap a new script. The diagnostic flags -env, -inc and -plg dump the environment variables, sys.path and the PGLOG dictionary respectively. Run them before wiring up a real program: a setuid wrapper that execs an interpreter passes on whatever environment it does not scrub, so -env and -inc show which variables and sys.path entries the wrapped program will actually see while holding the common user's privileges.

  • pgstart.py — the Mode 2 launcher, invoked through a pgstart_<USER> copy of pywrapper. It reads the real and effective UIDs from PGLOG and permits execution only if the real user is the effective user (the specialist running as themselves) or the shared GDEX common user (PGLOG['GDEXUSER']); any other caller gets an informational message and the launcher exits. After authorization it parses leading flag tokens: -bg (run in the background via subprocess.Popen), -fg (explicit foreground, the default), -cwd <dir> (chdir before exec), and the same -env/-inc/-plg diagnostics as pywrapper.py. The remaining arguments are then run as a command (subprocess.run or Popen) under the effective UID, and a host/program/timestamp/user line is appended to pgstart.log.
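The authorization rule and flag handling described for pgstart.py, as an added example written for this page (it is not the project's pgstart.py): the PGLOG key names RUID and EUID, the function names and the exact log line layout are assumptions, while the rule itself and the flag set follow the description above.

```python
import os
import pwd
import socket
import subprocess
import sys
import time
from typing import Dict, List, Optional, Tuple


def user_name(uid: int) -> str:
    """Login name for a UID, or the number itself when there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def authorize(real_user: str, effective_user: str, gdex_user: str) -> Tuple[bool, str]:
    """The rule described above: the caller's real user must be the specialist
    (the effective user) or the shared GDEX common user; everyone else is refused."""
    if real_user == effective_user:
        return True, f"{real_user} running as self"
    if real_user == gdex_user:
        return True, f"common user {real_user} running as {effective_user}"
    return False, (f"{real_user} may not run commands as {effective_user}: "
                   f"only {effective_user} or {gdex_user} is allowed")


def parse_launch_flags(argv: List[str]) -> Tuple[Dict[str, object], List[str]]:
    """Consume leading -bg/-fg/-cwd <dir>/-env/-inc/-plg tokens; the first token
    that is none of these starts the command, so a command's own -bg is untouched."""
    opts: Dict[str, object] = {"background": False, "cwd": None, "diag": []}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-bg":
            opts["background"] = True
        elif tok == "-fg":
            opts["background"] = False
        elif tok == "-cwd":
            if i + 1 >= len(argv):
                raise ValueError("-cwd needs a directory argument")
            opts["cwd"] = argv[i + 1]
            i += 1
        elif tok in ("-env", "-inc", "-plg"):
            opts["diag"].append(tok)
        else:
            break
        i += 1
    return opts, argv[i:]


def run_command(opts: Dict[str, object], cmd: List[str], effective_user: str,
                log_path: Optional[str] = None) -> int:
    """Log a host/program/timestamp/user line, then run cmd: foreground waits and
    returns the exit status, background starts it with Popen and returns 0."""
    if not cmd:
        raise ValueError("no command given")
    if log_path:
        with open(log_path, "a") as log:  # assumed log line layout
            log.write(f"{socket.gethostname()} {cmd[0]} "
                      f"{time.strftime('%Y-%m-%d %H:%M:%S')} {effective_user}\n")
    if opts["background"]:
        subprocess.Popen(cmd, cwd=opts["cwd"])
        return 0
    return subprocess.run(cmd, cwd=opts["cwd"]).returncode


def main(argv: List[str]) -> int:
    # Assumed PGLOG key names; the page only says the real/effective UIDs and
    # GDEXUSER live in PGLOG, not what the keys are called.
    pglog = {"RUID": os.getuid(), "EUID": os.geteuid(), "GDEXUSER": "gdexdata"}
    real_user, eff_user = user_name(pglog["RUID"]), user_name(pglog["EUID"])
    ok, reason = authorize(real_user, eff_user, pglog["GDEXUSER"])
    if not ok:
        print(reason)
        return 1
    opts, cmd = parse_launch_flags(argv)
    if "-env" in opts["diag"]:
        print("\n".join(f"{k}={v}" for k, v in sorted(os.environ.items())))
    if "-inc" in opts["diag"]:
        print("\n".join(sys.path))
    if "-plg" in opts["diag"]:
        print(pglog)
    if not cmd:
        return 0
    return run_command(opts, cmd, eff_user, log_path="pgstart.log")


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Note that the authorization decision is made on user names resolved from the UIDs, and that flag parsing stops at the first non-flag token, so `pgstart_zji -bg some_tool -bg` backgrounds `some_tool` and still passes its own `-bg` through.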

Dependency requirement

Any Python package whose programs are to be run via the setuid mechanism must declare rda_python_setuid as a dependency in its pyproject.toml:

[project]
dependencies = [
  "rda_python_setuid",
  ...
]

It must also register each wrapped program as a console-script entry point whose name carries the setuid_ prefix:

[project.scripts]
"setuid_dsarch" = "rda_python_dsarch.dsarch:main"

pip install then places setuid_dsarch in the environment's bin/ directory automatically. pywrapper-install -l/--link creates the symlink dsarch -> pywrapper, so running dsarch goes through the setuid wrapper, which execs setuid_dsarch as CommonUser.

Environment setup

Option A — Python venv (DECS machines)

python3 -m venv $ENVHOME          # e.g. /glade/u/home/gdexdata/gdexmsenv
source $ENVHOME/bin/activate
pip install rda_python_setuid rda_python_dsarch ...

Option B — Conda (DAV/Casper)

conda create -n pg-gdex python=3.10
conda activate pg-gdex
pip install rda_python_setuid rda_python_dsarch ...

The conda environment is typically at /glade/work/gdexdata/conda-envs/pg-gdex.

Installation

After setting up the environment and installing packages, run pywrapper-install with no arguments to display the full user guide:

pywrapper-install

Full setuid setup (requires sudo access to CommonUser)

# 1. Install the target package (pulls in rda_python_setuid automatically):
pip install rda_python_dsarch

# 2. Compile pywrapper C binary (once per environment):
pywrapper-install -c|--compile

# 3. Wire up each program as a setuid entry:
pywrapper-install -l|--link dsarch

# 4. Optionally, let specialist zji (or CommonUser) run any command as zji through pgstart:
pywrapper-install -p|--pgstart -u|--user zji

Simple install (no sudo required, runs as current user)

Users who do not need the setuid mechanism can skip steps 2–4 and create a direct symlink from dsarch to setuid_dsarch:

pip install rda_python_dsarch
pywrapper-install -l|--link dsarch -s|--simple

Runtime flow

user runs:  dsarch [args]
              |  (symlink -> pywrapper, setuid bit -> EUID=gdexdata)
pywrapper.c:  execv(bin/setuid_dsarch, args)
setuid_dsarch: calls dsarch:main() as gdexdata
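A check a practitioner would want after running pywrapper-install, added here as example code that is not part of rda_python_setuid: it verifies the layout the flow above depends on, namely that pywrapper is a regular file owned by the expected UID with the setuid bit set and not writable by group or others, that the program name is a symlink to it (or, for the simple install, directly to setuid_<program>), and that setuid_<program> exists and is executable. The bin/ path, the wrapper name and the demo layout it builds in a temporary directory are assumptions.

```python
import os
import stat
import tempfile
from typing import Dict, List


def check_setuid_binary(path: str, expected_uid: int) -> List[str]:
    """Problems with a setuid wrapper: it must be a regular file, owned by the
    expected UID, have the setuid bit set, and not be writable by group/others."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing; run pywrapper-install --compile"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if not st.st_mode & stat.S_ISUID:
        problems.append(f"{path}: setuid bit not set, so it would run as the caller")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group or others")
    return problems


def check_install(bin_dir: str, program: str, expected_uid: int,
                  simple: bool = False, wrapper: str = "pywrapper") -> List[str]:
    """Return a list of problems with the wrapped program; empty means OK."""
    link = os.path.join(bin_dir, program)
    entry = os.path.join(bin_dir, f"setuid_{program}")
    target = entry if simple else os.path.join(bin_dir, wrapper)
    problems = [] if simple else check_setuid_binary(target, expected_uid)
    if not os.path.islink(link):
        problems.append(f"{link}: expected a symlink to {os.path.basename(target)}")
    elif os.path.realpath(link) != os.path.realpath(target):
        problems.append(f"{link}: points at {os.readlink(link)}, "
                        f"expected {os.path.basename(target)}")
    if not os.path.isfile(entry):
        problems.append(f"{entry}: missing; register setuid_{program} under "
                        "[project.scripts] and reinstall the package")
    elif not os.stat(entry).st_mode & stat.S_IXUSR:
        problems.append(f"{entry}: not executable")
    return problems


def make_demo_layout(bin_dir: str, program: str, simple: bool = False) -> None:
    """Constructed stand-in for an environment's bin/ directory (not a real build)."""
    wrapper = os.path.join(bin_dir, "pywrapper")
    entry = os.path.join(bin_dir, f"setuid_{program}")
    for path in (wrapper, entry):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(entry, 0o755)
    # chmod after writing: a write by an unprivileged process clears the setuid bit.
    os.chmod(wrapper, 0o4755)
    os.symlink(f"setuid_{program}" if simple else "pywrapper",
               os.path.join(bin_dir, program))


def demo() -> Dict[str, List[str]]:
    """Run the check over a good, a simple-install and a deliberately broken layout."""
    uid = os.getuid()
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as root:
        for name, simple in (("good", False), ("simple", True), ("broken", False)):
            bin_dir = os.path.join(root, name)
            os.mkdir(bin_dir)
            make_demo_layout(bin_dir, "dsarch", simple)
            if name == "broken":
                os.chmod(os.path.join(bin_dir, "pywrapper"), 0o755)  # setuid bit dropped
                os.remove(os.path.join(bin_dir, "setuid_dsarch"))    # entry point gone
            results[name] = check_install(bin_dir, "dsarch", uid, simple)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Against a real environment, call check_install with the environment's bin/ directory and the UID of CommonUser (pwd.getpwnam("gdexdata").pw_uid); the writable-by-others test matters because a setuid binary that any user can overwrite hands that user CommonUser's privileges.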

GitHub

https://github.com/NCAR/rda-python-setuid

Download files

Source Distribution

rda_python_setuid-1.0.9.tar.gz (12.0 kB)

Uploaded Source

Built Distribution

rda_python_setuid-1.0.9-py3-none-any.whl (13.5 kB)

Uploaded Python 3

File details

Details for the file rda_python_setuid-1.0.9.tar.gz.

File metadata

  • Download URL: rda_python_setuid-1.0.9.tar.gz
  • Size: 12.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for rda_python_setuid-1.0.9.tar.gz
Algorithm Hash digest
SHA256 c51343fe2e34a0b7f02c023c32a587eb43d11fda42d000e9e7d55f49ac2fb752
MD5 da15a650458332564010224a16e68473
BLAKE2b-256 a1fbd737ffd78c8225888e94eae0a7865265847ab4b36ee514939e6ada9e6671

Provenance

The following attestation bundles were made for rda_python_setuid-1.0.9.tar.gz:

Publisher: publish.yml on NCAR/rda-python-setuid

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file rda_python_setuid-1.0.9-py3-none-any.whl.

File metadata

File hashes

Hashes for rda_python_setuid-1.0.9-py3-none-any.whl
Algorithm Hash digest
SHA256 ddb2822025053222e32e6c420f92b887b81a09856e225a66aec1f5249a0801a1
MD5 cad741a3b6f5c51c9ac88c55f6d106e2
BLAKE2b-256 ce61107b90cc243892b6fdebab253f1b38c4df3dcd3d4013d0b7cdd32fa8ccc4

Provenance

The following attestation bundles were made for rda_python_setuid-1.0.9-py3-none-any.whl:

Publisher: publish.yml on NCAR/rda-python-setuid

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
