Red Hat Bugzilla – Bug 116186
[RFE][PATCH] Pass original user's identity to the executed program
Last modified: 2013-07-02 18:58:58 EDT
Description of problem:
The attached patch exports the UID of the user originally executing
a tool through consolehelper in $USERHELPER_UID. This can be useful
e.g. for programs that allow users to add network shares without
knowing the administrator password, but want to restrict this only
to directories owned by the user.
Version-Release number of selected component (if applicable):
Created attachment 97809

Maybe some further work on the topic would be needed because we set
USERNAME to "root", for instance, which isn't very consistent with
setting the environment variable containing UID. What about GID?

I think USERNAME=root is perfectly consistent with USERHELPER_UID;
the utility is running as root, after all, and (if only for security)
should be as detached from the invoking user's environment as possible.
USERHELPER_UID would be there purely for the benefit of applications
that were _designed_ to be run under userhelper.
I'm not sure when GID would be really needed:
The primary group ID can be obtained from the UID via /etc/passwd
(or whatever NSS mechanism is in use), supplementary groups can
also be enumerated when the UID is known (and I think they are
not affected by running under userhelper at all).
The only case I can think of is if the user has changed the primary
group ID using newgrp; but newgrp should Just Not Be Needed with the
private group scheme.
Anyway, adding a single line with USERHELPER_GID is not hard :)
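
The use case from the description (restricting an operation to directories owned by the invoking user) could be implemented in a program run under userhelper as below. This is an added example, not part of the attached patch or of the project's code; `invoking_uid` and `open_dir_owned_by_invoker` are hypothetical names, and the code assumes `USERHELPER_UID` holds a plain decimal UID.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Parse $USERHELPER_UID (the variable proposed in this bug) strictly:
 * decimal digits only, no sign or trailing text. 0 on success, -1 on error. */
int invoking_uid(uid_t *out)
{
    const char *s = getenv("USERHELPER_UID");
    char *end;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v != (uid_t)v || (uid_t)v == (uid_t)-1)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Hypothetical helper: open `path` only if it is a directory (not a symlink)
 * owned by the invoking user. Returns an fd to use for later fchdir()/openat()
 * calls, so the check and the use hit the same inode; -1 on refusal. */
int open_dir_owned_by_invoker(const char *path)
{
    uid_t uid;
    struct stat st;
    if (invoking_uid(&uid) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != uid) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int ok = argc == 2 && open_dir_owned_by_invoker(argv[1]) >= 0;
    puts(ok ? "allowed" : "refused");
    return !ok;
}
```

The check is done with `fstat()` on the already opened descriptor rather than `stat()` on the path, so the directory cannot be swapped between the ownership check and its use by the root-privileged program.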