Wrote a script to insulate commands, would like to be sure it'ssecure

Hi !
Please excuse my bad English ;-)
My initial problem was to run commands provided by non-trusted users
who do not have a local shell account. I also needed to be able to
stop those commands by a signal.

To do so, I wrote a script which use a pool of unix accounts
hadoop{0N} and run the user-provided command under one of those
accounts. The script traps signals and kill the process group when it
receive one.

It seems to work. I took my precautions to avoid race-conditions
(using mktemp to create locks), but I'm affraid that their could other
problem which would made this script insecure.
Could you, please, give me an advice on that subject ?

Thanks,
Brice


#!/usr/bin/env bash
## This script runs insecure scripts in a sandbox provided
## by a pool of local unix accounts

## Constants
# The time we'll wait between SIGTERM and SIGKILL
readonly GRACETIME=2
# The prefix of users we are allowed to use
readonly USERNAME_PREFIX=hadoop
# Where we put our locks
readonly LCKDIR=/var/run

## Globals
# The file% were the child PGID wil be stored
declare PGID_FILE
declare CHILD_USER

## If not root, run the script with sudo.
function aquire_privileges {
if [ ${EUID} -ne 0 ]; then
sudo ${@} || exit 1
fi
}

## Get a unix account from the pool
function aquire_user {
for user in ${USERNAME_PREFIX}{015}; do
# If the user don't exist, break
id -u ${user} &>/dev/null || break
# If the user is already used, continue
mktemp "${LCKDIR}/${user}" &>/dev/null || continue
CHILD_USER=${user}
break
done
[ -z ${CHILD_USER} ] && exit 2
return 0
}

## Meant to be run at the end to clean
## process and files left behind
function finalize {
# Read child_pgid
[ -n ${PGID_FILE} ] && read child_pgid < ${PGID_FILE}
# Atomically kills all children, after giving them a warning
if [ ${child_pgid} ]; then
kill -SIGTERM -${child_pgid}
sleep ${GRACETIME}
kill -SIGKILL -${child_pgid}
unset child_pgid
fi
# Remove locks
[ -n ${PGID_FILE} ] && rm "${PGID_FILE}"
[ -n ${CHILD_USER} ] && rm "${LCKDIR}/${CHILD_USER}"
}

## Run the child after logging it's PGID in a file
function run_child {
[ -z ${PGID_FILE} ] && PGID_FILE=$(mktemp /tmp/
insulatorXXXXXXXXXXXXXXXX)
# Command will store the PGID in a file and then replace itself by
an unprivilegied shell
command="ps -o pgrp= -p \${$} ${PGID_FILE};"
command+="cd /tmp;"
command+="exec su ${CHILD_USER} -c '${*}'"
bash -c "${command}"
## More secure ?
## We prepend to stdin the user shell commmand
##cat /dev/fd/3 /dev/stdin 3<<<${*} | bash -c "${command}"
return ${?}
}

function main {
aquire_privileges ${0} ${@} || exit ${?}
# Trap all standard signals(132) and EXIT(0)
trap finalize {031}
aquire_user || exit ${?}
run_child ${*}
exit ${?}
}

main ${@}
<<<<<<<<<