Running Python Scripts With 'sudo'

Steve Holden steve at holdenweb.com
Wed Mar 2 16:12:56 CET 2005


Tim Daneliuk wrote:
> Given that setuid is a Bad Thing for scripts, what is the general consensus
> here on running a Python script via 'sudo' to give it root system access?
> Is this reasonably secure, or am I still asking for trouble?
> 
> TIA,

The value of "sudo" is that everyone must authenticate as themselves, 
and sudo logs all activity. Therefore the system administrators can 
partition responsibility and know from the logs exactly who did what.

The risks involved with setuid scripts involve the exploitation of race 
conditions within the kernel, IIRC, and since the root permissions are 
established by sudo for the invoking process, I believe sudo would 
eliminate the risks involved (because the setuid bit would no longer be 
used on the script).

regards
  Steve
-- 
Meet the Python developers and your c.l.py favorites March 23-25
Come to PyCon DC 2005                      http://www.pycon.org/
Steve Holden                           http://www.holdenweb.com/



More information about the Python-list mailing list