如何在python中检查另一个用户的文件权限？

Question

In python I can check whether my own user can access a file or directory using os.access . However, is it possible check whether another user can do so?

One possibility is to check the user's uid and groups against the permissions on the file:

import os, grp, pwd, stat
def user_access(uid, path, perms=os.R_OK | os.W_OK):
    stats = os.stat(path)
    # other users
    if stats.st_mode & perms == perms:
        return True
    # owner
    if stats.st_uid == uid and (stats.st_mode >> 6) & perms == perms:
        return True
    # group
    user = pwd.getpwuid(uid).pw_name
    if (stats.st_mode >> 3) & perms == perms and user in grp.getgrgid(stats.st_gid).gr_mem:
         return True
    return False
        

However, I guess this is specific to POSIX systems and I could imagine there would be edge cases it fails on. In fact, the libc manual on access specifically warns against this solution:

There is another way you could check this access, which is ... to examine the file mode bits and mimic the system's own access computation. This method is undesirable because many systems have additional access control features; your program cannot portably mimic them, and you would not want to try to keep track of the diverse features that different systems have. Using access is simple and automatically does whatever is appropriate for the system you are using.

Is there a more concise and/or robust solution for checking access of other users?

Edit 2020-12-09: Fixed bugs with the bit twiddling.

Answer 1

I came up with a bad answer. Basically, you use os.setuid to switch users, then use os.access on the file.

import multiprocessing as mp
def user_access_mp(uid, path, perms=os.R_OK | os.W_OK):
    def disguise():
        os.setuid(uid)
        allowed = os.access(path, perms)
        exit(int(allowed))

    p = mp.Process(target=disguise)
    p.start()
    p.join()
    assert p.exitcode in (0, 1)  # other values indicate unexpected signals
    return bool(p.exitcode)

Unfortunately this (1) has to be done as root, (2) requires forking, since there's no way to setuid back to the original user, and (3) is slow.

Furthermore, it doesn't even work consistently on the system I care about, a RHEL server using LDAP. In this case I get 'False' for some files that I belong to the group of. Most likely this is because the system uses LDAP for groups, so some groups don't appear in a user's group list. It might be possible to bypass this using the C API (as done to fix grp.getgrall() ), but I haven't tested. Anyways the requirement to run as root severely limits this solution.

Answer 2

I've never really tried this before, but let me know if it works:

import os
import stat

def isgroupreadable(filepath):
  st = os.stat(filepath)
  return bool(st.st_mode & stat.S_IRGRP)

If you wanted to print this, you could add at the end:

print(isgroupreadable(filepath))