Getting SuperUser Authority From Within Running Python Program

Tim Daneliuk tundra at tundraware.com
Sun Jan 26 16:10:07 CET 2003


Laura Creighton wrote:
>>Is there a way to have a running Python program acquire super-user status
>>(assuming the program knows the correct password)?  If so, is this
>>method portable to Win32 or will Unix and Win32 need different implementations?
>>
>>TIA,
>>-- 
>>------------------------------------------------------------------------------
>>Tim Daneliuk
>>tundra at tundraware.com
> 
> 
> You do not want to do this.  You do not want a super-user shell out
> there, ever, and without that there is no need or use for password
> things. You will totally circumvent all the security mechanisms you
> have.  The Unix way to do something as root is to make a setuid
> program -- NOT a shell script -- that does whatever you want done as
> root and does that and only that.  You exec that when you want it. The
> authority comes from the person who is allowed to change the
> permission bits on a file, owned by root, to make it setuid. I have no
> idea what you do for Win32, but I know for certain that this is not
> it.
> 
> Please post what you want to do as root and why so we can figure out
> what is the best thing for you to do.  
> 
> Laura
> 

I am working on the next release of 'twander' - a user-programmable
file manager/browser (http://www.tundrware.com/Software/twander).
I want to be able to temporarily go to super-user status so the
program can act upon/manage/manipulate root-owned files.

I have another way to accomplish this - I can write a 'twander'
macro that issues the necessary 'su' stuff to instantiate
an image of itself with root permissions.  I was just wondering
if there was some reasonable (safe) mechanism for doing this within
a single instance of the program.  This is similar in spirit to
sysadmin programs under Linux which allow you to enter the root
password so they can operate on the system without you having
to log in the whole session as root.

I am curious about one thing you said - that setuid is ok for selected
(compiled) programs but not scripts.  If the script has appropriate
limitations on who can modify it, why is setuid/setgid worse for
scripts than compiled programs?

Thanks for your time,

-- 
------------------------------------------------------------------------------
Tim Daneliuk
tundra at tundraware.com
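
The pattern recommended in the quoted reply above (a compiled setuid program that does one thing, exec'd by the unprivileged caller), shown as an added example that is not part of the original thread. The chosen operation, the `/srv/shared` directory and the function names are assumptions for illustration:

```c
/* Added example, not code from the thread: a single-purpose setuid-root helper. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumption: the only tree the helper may touch; its directories are root-writable only. */
#define ALLOWED_DIR "/srv/shared"
extern char **environ;

/* Return 1 only if an already-resolved absolute path lies strictly inside ALLOWED_DIR. */
int path_is_allowed(const char *resolved)
{
    size_t n = strlen(ALLOWED_DIR);
    return strncmp(resolved, ALLOWED_DIR, n) == 0 && resolved[n] == '/' && resolved[n + 1] != '\0';
}

/* The one privileged operation: add group-read to a regular file, via its descriptor. */
int make_group_readable(const char *user_path)
{
    char resolved[PATH_MAX];
    struct stat st;
    int fd, rc = -1;
    if (realpath(user_path, resolved) == NULL || !path_is_allowed(resolved))
        return -1;                          /* ".." and symlinks are resolved first */
    fd = open(resolved, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))   /* act on the fd, not the name */
        rc = fchmod(fd, (st.st_mode & 07777) | S_IRGRP);
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    static char *empty_env[] = { NULL };
    int rc;
    if (argc != 2)                          /* exactly one argument, no options */
        return 2;
    environ = empty_env;                    /* ignore the caller's environment */
    rc = make_group_readable(argv[1]);
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)   /* drop root for good */
        return 2;
    return rc == 0 ? 0 : 1;
}
```

The binary would be installed root-owned with the setuid bit set, and the unprivileged program would exec it by absolute path with a single file argument.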




