Re. suid/sudo in python

Rustom Mody rustompmody at gmail.com
Mon Mar 30 13:16:02 CEST 2009


Ben Finney wrote
> The key thing to realise is that, having relinquished privilege, the same process can't get it back again as easily. So if you need to
> do some tasks as a privileged user, do those *very* early and then drop the privileges for the rest of the life of the process.
>
> Taking this further, you should isolate exactly what tasks need root privilege into a separate process altogether, and make
> that process as well-tested and simple as possible: it should do nothing *but* those tasks for which it needs root privilege.

I dont think this would be easy or convenient (if at all possible) in my case.

I am trying to write a tiny web based application that will give an
overall picture of LVM, Volume groups, Raid, SCSI and the underlying
disk partitions. The administrative tools dealing with low level
storage stack (e.g. fdisk, pvcreate, vgcreate, lvcreate, mdadm etc.)
need to be run as root.

However since this runs behind apache. Apache creates a separate user
for the webserver. Hence the CGI scripts or any other tools that they
call run as that user.

The solution currently is
- Write the CGI program in C, put setuid(0), setgid(0) statements in
that file and then perform any other actions (including calling other
scripts)
- Set the S bit of the executable of the CGI binary compiled from the
C file (chmod +S xxx.cgi)

Yeah yeah "Security! HOLE!!" etc but please note that this is running
on linux on vmware on an otherwise secure system.

So whats the best way of doing this in python?



More information about the Python-list mailing list