Re. suid/sudo in python

Rustom Mody rustompmody at gmail.com
Mon Mar 30 14:17:28 CEST 2009


On Mon, Mar 30, 2009 at 5:17 PM, andrew cooke <andrew at acooke.org> wrote:
> Rustom Mody wrote:
>> Ben Finney wrote
>>> The key thing to realise is that, having relinquished privilege, the
>>> same process can't get it back again as easily. So if you need to
>>> do some tasks as a privileged user, do those *very* early and then drop
>>> the privileges for the rest of the life of the process.
>>>
>>> Taking this further, you should isolate exactly what tasks need root
>>> privilege into a separate process altogether, and make
>>> that process as well-tested and simple as possible: it should do nothing
>>> *but* those tasks for which it needs root privilege.
>>
>> I dont think this would be easy or convenient (if at all possible) in my
>> case.
>>
>> I am trying to write a tiny web based application that will give an
>> overall picture of LVM, Volume groups, Raid, SCSI and the underlying
>> disk partitions. The administrative tools dealing with low level
>> storage stack (e.g. fdisk, pvcreate, vgcreate, lvcreate, mdadm etc.)
>> need to be run as root.
>
> i think you should isolate exactly what tasks need root privilege into a
> separate process altogether, and make that process as well-tested and
> simple as possible: it should do nothing *but* those tasks for which it
> needs root privilege.
Yes I guess this is the proper way.
But what I am looking for is not so much a proper way as a simple way
Roughly something in python that is like sudo in shell(??) [Dont know
if this is a good analogy]

You see security is not really at issue here.
Rather grappling with stuff that has been armored for much more
stringent security(like apache).

>
> in this case, for example, that would have absolutely nothing to do with
> interfacing to the web - it would focus only on the particular tasks you
> need to do with the administrative tools (it would also take care, for
> example, to allow only "read-like" commands to be executed, by exposing
> explicit methods for those rather than the unix commands as a whole) (are
> you sure the information you need is not available via reading /proc?)

>
> andrew
>
>



More information about the Python-list mailing list