
Executing external command as another user


cmcclain0831

Programmer
Aug 4, 2007
3
US
I'm fairly new to Perl, which I'm using to do sysadmin and dba stuff, and I'm consistently running into a need to execute an external command as a user different from the user executing my Perl script, with all of that user's environment variables, privileges, etc. Seems as if that should be easy, but I've done a lot of research and am not finding it so.

Specifically, I'm running an installation script, as root or admin, that copies files to various places, does chmods and chowns, etc. All of that is going fine. However, since a lot of the files I'm installing are Oracle-related scripts, one or more steps involve invoking Oracle's sqlplus to run one of these scripts.

Because of Oracle's environmental requirements, I really need to "become" the OS user who is the Oracle instance owner, with all of his environment variables and privileges, for the purpose of invoking sqlplus. Simply sourcing his .bash_profile doesn't do the trick, because of the privilege issue. I also tried:

($<,$>) = (getpwnam("oracle10"),getpwnam("oracle10"));

...thinking that would give me oracle10's privileges, but that doesn't seem to work, either. I'm stumped; all I really want to do is say, "For the purpose of running sqlplus right now, I am oracle10, thank you, and make me be admin again when sqlplus finishes".

I understand that there are security issues involved when you assume another user's identity; in this case, I am doing this in a closed lab environment, not production, and want to become a less-privileged user, not more-privileged.

I will appreciate any help anyone can offer; I've spent almost as much time researching and playing with this issue as I have spent on the rest of Perl.

 
Code:
system ("su -l username");

Should do the trick if you run the script as root, since root can su to anyone without a password prompt. It becomes much more difficult when you're prompted for a password.

-------------
Cuvou.com | My personal homepage
Project Fearless | My web blog
 
"($>, $<)= ... thinking that would give me oracle10's privileges"

That's what I'd have done as well.

Have you tried setting $> & $< to constants rather than using getpwnam() just to make sure that they're getting set as you expect?

Mike

When working on any project the value of other people is exactly that - they are other people, with views that don't necessarily match yours. This mismatch, between their views and the view you've been contentedly assuming is right, is where that value lies.
 
Mike:

Thanks for your response. Yes, I did try setting $> & $< to constants rather than using getpwnam(). What seems to be happening is that $> & $< affect the script's privileges, making them those of the user I retrieved via getpwnam(), but do not affect the script's environment variables at all.

The previous response from Kirsle falls into the same category -- if privileges were the issue, it would be a solution. I need not only the user's privileges, but his environment.

None of the solutions I tried involving su worked, either. What did work -- not a perfect solution, but it worked -- is this:

@lines = system("source $ohome/\.profile; sudo -u $oname sqlplus SCOTT/TIGER \@$FILE2");

Since sudo only executes one command (and since I was desperate), I tried sourcing the user's profile BEFORE issuing the sudo, hoping that the environment variables set by sourcing his profile would be retained for purposes of the sudo command. They were. When I tried similar things with su, they didn't work because su threw me into a new shell.

Thanks again,
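
An added example, not code from any poster in this thread: in the `system("source ...; sudo ...")` line above, the shell sources the target user's profile before `sudo` runs, so that file is executed with the calling (root/admin) user's privileges. The sketch below instead forks, drops to the target user in the child, and only then reads the profile and runs the command. The function name `run_as_user`, the use of `/bin/sh` with `~/.profile`, and the script being started as root are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(setuid setgid _exit);

# Run @cmd as $user with that user's own login environment; returns exit status.
sub run_as_user {
    my ($user, @cmd) = @_;
    # getpwnam() in list context returns the whole passwd record, not just a uid.
    my ($name, $uid, $gid, $home) = (getpwnam($user))[0, 2, 3, 7]
        or die "unknown user: $user\n";
    my @groups = ($gid);    # primary group plus supplementary groups
    while (my (undef, undef, $g, $members) = getgrent()) {
        push @groups, $g if grep { $_ eq $name } split ' ', $members;
    }
    endgrent();

    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {    # child: the parent keeps its root identity untouched
        eval {
            # Groups first, uid last: once the uid is dropped we cannot change groups.
            $) = join ' ', $gid, @groups;    # sets egid and calls setgroups()
            setgid($gid) or die "setgid: $!\n";
            setuid($uid) or die "setuid: $!\n";    # as root: real, effective, saved
            die "privilege drop failed\n" unless $< == $uid && $> == $uid;
            # Start from a clean environment, not root's.
            %ENV = (HOME => $home, USER => $name, LOGNAME => $name,
                    PATH => '/usr/bin:/bin');
            chdir $home or die "chdir $home: $!\n";
            # The profile is read only after the drop, so it never runs as root.
            # "$@" passes @cmd through without shell interpretation.
            exec '/bin/sh', '-c',
                '[ -r "$HOME/.profile" ] && . "$HOME/.profile"; exec "$@"',
                'sh', @cmd;
            die "exec: $!\n";
        };
        warn $@;
        _exit(127);
    }
    waitpid($pid, 0);
    return $? >> 8;
}

die "usage: $0 user command [args...]\n" unless @ARGV >= 2;
exit run_as_user(@ARGV);
```

Because the identity change happens only in the forked child, the installer itself stays root for its remaining steps once the command finishes.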
 