RDA Python Package to setuid for program executions as an effective or common user

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for zaihuaji from gravatar.com zaihuaji
Meta

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License
  • Requires: Python >=3.7
Classifiers
Report project as malware

Project description

RDA Python package, including a C code wrapper, to execute commandline applications via setuid for effective and common user names.

Overview

rda_python_setuid provides a C binary (pywrapper) that acquires a setuid effective user, then execvs a Python entry point script. This allows Python programs to run as a designated common user (e.g. gdexdata) without requiring sudo access.

Two modes are supported:

  • Mode 1 (CommonUser program): a symlink dsarch -> pywrapper runs setuid_dsarch as the common user.
  • Mode 2 (pgstart specialist): a copy pgstart_zji runs any command as specialist zji via pgstart.py, restricted to authorized users.

Two Python entry points are packaged alongside the C wrapper:

  • pywrapper.py — the default fallback target executed when pywrapper.c cannot resolve a matching setuid_<program> entry point. Acquires the effective UID via PgLOG.set_suid(), prints the caller's real and effective user names, and shows the pyproject.toml snippet plus the pywrapper-install -l <program> command needed to wrap a new script. Diagnostic flags -env, -inc, and -plg dump the environment variables, sys.path, and PGLOG dictionary respectively — handy for verifying the setuid environment before wiring up a real program.

  • pgstart.py — the Mode 2 launcher invoked through a pgstart_<USER> copy of pywrapper. Reads the real/effective UIDs from PGLOG, then permits execution only if the real user matches the effective user or the shared GDEX common user (PGLOG['GDEXUSER']); unauthorized callers receive an informational message and exit. After authorization it parses leading flag tokens — -bg (background via subprocess.Popen), -fg (explicit foreground, default), -cwd <dir> (chdir before exec), and the same -env/-inc/-plg diagnostics as pywrapper.py — and then runs the remaining arguments as a command (subprocess.run/Popen) under the effective UID, logging a host/program/timestamp/user line to pgstart.log.

Dependency requirement

Any Python package whose programs are to be run via the setuid mechanism must declare rda_python_setuid as a dependency in its pyproject.toml:

[project]
dependencies = [
  "rda_python_setuid",
  ...
]

It must also register each wrapped program's connector entry point with a setuid_ prefix:

[project.scripts]
"setuid_dsarch" = "rda_python_dsarch.dsarch:main"

pip install then places setuid_dsarch in the environment's bin/ directory automatically. pywrapper-install -l/--link locks it down to chmod 700 so users cannot bypass the setuid wrapper by running it directly.

Environment setup

Option A — Python venv (DECS machines)

python3 -m venv $ENVHOME          # e.g. /glade/u/home/gdexdata/gdexmsenv
source $ENVHOME/bin/activate
pip install rda_python_setuid rda_python_dsarch ...

Option B — Conda (DAV/Casper)

conda create -n pg-gdex python=3.10
conda activate pg-gdex
pip install rda_python_setuid rda_python_dsarch ...

The conda environment is typically at /glade/work/gdexdata/conda-envs/pg-gdex.

Installation

After setting up the environment and installing packages, run pywrapper-install with no arguments to display the full user guide:

pywrapper-install

Full setuid setup (requires sudo access to CommonUser)

# 1. Install the target package (pulls in rda_python_setuid automatically):
pip install rda_python_dsarch

# 2. Compile pywrapper C binary (once per environment):
pywrapper-install

# 3. Wire up each program as a setuid entry:
pywrapper-install -l dsarch

# 4. Optionally, allow a specialist to run commands as themselves:
pywrapper-install -p -u zji

Simple install (no sudo required, runs as current user)

Users who do not need the setuid mechanism can skip steps 2–4 and create a direct symlink from dsarch to setuid_dsarch:

pip install rda_python_dsarch
pywrapper-install -l dsarch -s

Runtime flow

user runs:  dsarch [args]
              |  (symlink -> pywrapper, setuid bit -> EUID=gdexdata)
pywrapper.c:  execv(bin/setuid_dsarch, args)
              |  (chmod 700, only gdexdata can exec directly)
setuid_dsarch: calls dsarch:main() as gdexdata

Github

https://github.com/NCAR/rda-python-setuid

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for zaihuaji from gravatar.com zaihuaji
Meta

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License
  • Requires: Python >=3.7
Classifiers

Release history Release notifications | RSS feed

1.0.9

1.0.8

This version

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

rda_python_setuid-1.0.7.tar.gz (11.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

rda_python_setuid-1.0.7-py3-none-any.whl (13.4 kB view details)

Uploaded Python 3

File details

Details for the file rda_python_setuid-1.0.7.tar.gz.

File metadata

  • Download URL: rda_python_setuid-1.0.7.tar.gz
  • Upload date:
  • Size: 11.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for rda_python_setuid-1.0.7.tar.gz
Algorithm Hash digest
SHA256 97cff7be9b46af3b603f5c70e6160a9277368b387fca7f22b907caf2f1f61b2f
MD5 3fe25cfad9881e92f9ec4a01a84cbc26
BLAKE2b-256 a65f2d0ab2f0d6f59bc394b65e3dea80bdbf2cdff73607c8ddab7ee0f468f320

See more details on using hashes here.

Provenance

The following attestation bundles were made for rda_python_setuid-1.0.7.tar.gz:

Publisher: publish.yml on NCAR/rda-python-setuid

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file rda_python_setuid-1.0.7-py3-none-any.whl.

File metadata

File hashes

Hashes for rda_python_setuid-1.0.7-py3-none-any.whl
Algorithm Hash digest
SHA256 7fa34291e923d806b2630e051f95d9a55e284b43df4c6304b732ba3a0316bda5
MD5 25ac5ba86eb93dab6caddad8bc657465
BLAKE2b-256 07f6508f722bf47343c5bcce54fd4bd0a11e7a2da1b4866fec2430501b0f5f70

See more details on using hashes here.

Provenance

The following attestation bundles were made for rda_python_setuid-1.0.7-py3-none-any.whl:

Publisher: publish.yml on NCAR/rda-python-setuid

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page