Identity and password management using Python on Linux

[Sam Penrose]

We write web applications in Python, which we host on Linux boxes. We're 
growing fast, and need to automate some system administration tasks. 
We'd like to use Python for this, if possible, rather than shell 
scripting or Perl. We have two problems involving Linux' handling of 
identity to which the solutions using Python are not clear.

1) We need parts of our websites to be writable by both the client and 
non-Linux-savvy members of our own staff using rather clueless GUI FTP 
tools. We'd like to give them a CGI script they can call after saving a 
file that will reset its permissions to 664, with the correct owner 
(client) and group (client+us). Our CGIs run as nobody (called by 
Apache); typically we would switch to root in the shell to make those 
changes. How can we do this through CGI?

2) We'd like to give our main sys admin a front end for rotating 
passwords that will speed the following process:
    i. Log on to a server as root over SSH, preferably by demanding a 
password rather than using keys.
    ii. For each shell account on the server, prompt for the new 
password twice and change it. When the shell accounts are done, we'll do 
the MySQL accounts (easy) and the htaccess passwords, which I assume is 
easy.
    iii. Log on to the next server and repeat ii., until all the servers
are done. (We currently have about 15 servers with 5-10 necessary 
accounts per; we anticipate doubling the # of machines over the next few 
months).

I assume the front end for 2) will be a shell, but don't know how to 
pass commands to a local shell that will be snarfed up by Python and 
passed to a remote shell.

Any help appreciated...