How to impersonate in Linux

Problem description

I have developed a multi-platform desktop application in Python and PyQt, and in it I want to implement the concept of impersonation. I have a requirement where the user selects a file and the application will check for naming conventions and other things. If everything is fine, then it copies the file to a server where only the impersonate user, let's say (user123), has full permissions and others have only read permissions.

I can use win32security and win32con

To log on:

import win32con
import win32security
self.handel=win32security.LogonUser(self.loginID,self.domain,self.password,win32con.LOGON32_LOGON_INTERACTIVE,win32con.LOGON32_PROVIDER_DEFAULT)
win32security.ImpersonateLoggedOnUser(self.handel)

And to revert to the user:

win32security.RevertToSelf()

Can anyone suggest an approach to this under Linux (RHEL 6).

Recommended answer

First, think whether your task actually needs OS-level impersonation.

  • If you use e.g. PySmbClient to access a Windows file share, then you manage all connections yourself and you can just give different credentials to smbclient.

If you use PyKDE4.kio, as far as I know the same applies (KIO uses smbclient).

If you access the file server over an existing system-level mount, there is no actual "impersonation" as in Windows; it is done by simply changing the process' "effective UID" and generally can be done only if the program has root privileges (or the root-equivalent CAP_SETUID privilege on Linux).

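import os
import pwd

# Look up the numeric UID of the account to switch to
uid = pwd.getpwnam(username).pw_uid

os.seteuid(uid)  # needs root or CAP_SETUID
...
os.seteuid(0)  # switch back to root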

(This is not guaranteed to work with network filesystems that store credentials in kernel keyrings... I don't yet have an answer for that.)

However, most desktop programs do not have root privileges (and should not have them). In that case, seteuid() is unavailable, and privileged actions are normally done by a privileged daemon that the desktop app contacts using some form of IPC (usually D-Bus).
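
The seteuid() approach from the answer, written out as a context manager that also switches the group IDs and always restores them. This is an added example, not code from the original answer; `ids_for`, `impersonate_ids` and `copy_as` are hypothetical names, and an actual switch assumes the process runs as root or holds CAP_SETUID and CAP_SETGID.

```python
import contextlib
import os
import pwd


def ids_for(username):
    """Look up uid, primary gid and supplementary groups for a local account."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, pw.pw_gid, os.getgrouplist(pw.pw_name, pw.pw_gid)


@contextlib.contextmanager
def impersonate_ids(uid, gid, groups):
    """Run the with-block under the given effective uid/gid/groups, then restore.

    Effective IDs are process-wide, so every thread is affected while the
    block runs. The real and saved UIDs are left alone, which is what allows
    the switch back; it also means this is not a sandbox.
    """
    saved_uid, saved_gid, saved_groups = os.geteuid(), os.getegid(), os.getgroups()
    switching = (uid, gid) != (saved_uid, saved_gid)
    groups_changed = False
    try:
        if switching:
            # Without this the block would keep the caller's (root's) groups.
            os.setgroups(groups)      # needs CAP_SETGID
            groups_changed = True
        os.setegid(gid)               # group first, while still privileged
        os.seteuid(uid)               # needs CAP_SETUID unless uid is already ours
        yield
    finally:
        os.seteuid(saved_uid)         # uid first: this regains the privilege
        os.setegid(saved_gid)
        if groups_changed:
            os.setgroups(saved_groups)


def copy_as(username, data, dest_path):
    """Hypothetical helper: write data to dest_path as `username`."""
    uid, gid, groups = ids_for(username)
    with impersonate_ids(uid, gid, groups):
        # O_EXCL: refuse to follow or overwrite something already at dest_path.
        fd = os.open(dest_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        with os.fdopen(fd, "wb") as out:
            out.write(data)
```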
