How to determine what user and group a Python script is running as?
Question:
I have a CGI script that is getting an "IOError: [Errno 13] Permission denied"
error in the stack trace in the web server’s error log.
As part of debugging this problem, I’d like to add a little bit of code to the script to print the user and (especially) group that the script is running as, into the error log (presumably STDERR).
I know I can just print the values to sys.stderr
, but how do I figure out what user and group the script is running as?
(I’m particularly interested in the group, so the $USER
environment variable won’t help; the CGI script has the setgid bit set so it should be running as group “list” instead of the web server’s “www-data” – but I need code to see if that’s actually happening.)
Answers:
You can use the following piece of code:
import os
print(os.getegid())
os.getgid()
and os.getuid()
can be useful. For other environment variables, look into os.getenv
. For example, os.getenv('USER')
on my Mac OS X returns the username. os.getenv('USERNAME')
would return the username on Windows machines.
import os, getpass
print getpass.getuser()
Consider the following script.
---- foo.py ----
import os, getpass
print "Env thinks the user is [%s]" % (os.getlogin());
print "Effective user is [%s]" % (getpass.getuser());
Consider running the script.
$ python ./foo.py
results in
Env thinks the user is [jds]
Effective user is [jds]
now run
$ sudo -u apache python ./foo.py
results in
Env thinks the user is [jds]
Effective user is [apache]
As you can see, you these 2 calls os.getlogin()
and getpass.getuser()
are not the same thing.
The underlying principle is how linux/and other unix’s manages the running user.
Consider
$ id -u
1000
vs the effective id of the running process.
$ sudo -u apache id -u
33
Note: this is exactly what web servers are doing when they start up. They are creating a sandbox (by forking/divorcing the psudo terminal etc),
and running as another user. For an in-depth account of what is going on here: see the chapter on ‘daemon processes’ in the Advanced Programming in the UNIX environment book.
Another good thread on the subject.
I have a CGI script that is getting an "IOError: [Errno 13] Permission denied"
error in the stack trace in the web server’s error log.
As part of debugging this problem, I’d like to add a little bit of code to the script to print the user and (especially) group that the script is running as, into the error log (presumably STDERR).
I know I can just print the values to sys.stderr
, but how do I figure out what user and group the script is running as?
(I’m particularly interested in the group, so the $USER
environment variable won’t help; the CGI script has the setgid bit set so it should be running as group “list” instead of the web server’s “www-data” – but I need code to see if that’s actually happening.)
You can use the following piece of code:
import os
print(os.getegid())
os.getgid()
and os.getuid()
can be useful. For other environment variables, look into os.getenv
. For example, os.getenv('USER')
on my Mac OS X returns the username. os.getenv('USERNAME')
would return the username on Windows machines.
import os, getpass
print getpass.getuser()
Consider the following script.
---- foo.py ----
import os, getpass
print "Env thinks the user is [%s]" % (os.getlogin());
print "Effective user is [%s]" % (getpass.getuser());
Consider running the script.
$ python ./foo.py
results in
Env thinks the user is [jds]
Effective user is [jds]
now run
$ sudo -u apache python ./foo.py
results in
Env thinks the user is [jds]
Effective user is [apache]
As you can see, you these 2 calls os.getlogin()
and getpass.getuser()
are not the same thing.
The underlying principle is how linux/and other unix’s manages the running user.
Consider
$ id -u
1000
vs the effective id of the running process.
$ sudo -u apache id -u
33
Note: this is exactly what web servers are doing when they start up. They are creating a sandbox (by forking/divorcing the psudo terminal etc),
and running as another user. For an in-depth account of what is going on here: see the chapter on ‘daemon processes’ in the Advanced Programming in the UNIX environment book.
Another good thread on the subject.