x
login Signup

User impersonation: how do you mimic the exact environment of the user you're impersonating?

We need to add profile like information (path settings, env variables) because when the agent executes the command (using user’s credentials) things are not running same as if the user had logged into the machine. Is there anyway to achieve the same effect of running on the machine with a process that mimics a process as if the user is logged into the machine (so basically running from the agent is identical as if I would log into a machine and run the same command)? We are seeing this on linux machines, and on linux the agent is installed as a deamon process.

avatar image By tanay ♦ 3.4k asked Mar 12, 2015 at 04:01 PM
more ▼
(comments are locked)
10|750 characters needed characters left

1 answer: sort voted first

Good question, but not an easy one to answer. One of the problems is that "identical" is easy to say, but difficult to determine, and moreover changes over time. For example, many systems have differing environments for the same user in different situations -- Windows systems offer a "roaming" profile, for example. Linux systems, depending on your shell, may run different scripts upon login depending on whether the user is considered to be "interactive" or not. The latter is particularly problematic because users tend to test things when logged in interactively, unaware that key settings in their environment that they've set may be absent when running things as a daemon process under the same id.

It's also been my experience that users change things - sometimes that means that the "service account" under which your daemon processes run has become stale, and lacks the updated paths, settings, etc that users have. Or it can mean that a well-meaning user has changed something in a shared account and broken your automation.

The best practice is simply to not rely on the environment as set by user's startup scripts. Either set the environment explicitly for each step (which sounds harder than it is), or use controlled service accounts to run things where a knowledgeable individual manages a minimalistic set of login scripts.

(The above is one person's opinion, other's may have different viewpoints - I'm eager to see what others have tried and found to be useful!)

avatar image By mike westerhof 2.8k answered Mar 12, 2015 at 07:31 PM
more ▼
(comments are locked)
10|750 characters needed characters left
Your answer
toggle preview:

Up to 8 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.

Follow this question


Topics:

x1006
x16
x12

asked: Mar 12, 2015 at 04:01 PM

Seen: 713 times

Last Updated: Mar 12, 2015 at 04:01 PM

Related Questions