[Tutor] making progress [using sudo with Python scripts]

Danny Yoo dyoo@hkn.eecs.berkeley.edu
Wed Dec 18 19:15:14 2002


On Wed, 18 Dec 2002, Kirk Bailey wrote:

> But here's a brainbuster: how do we get a nobody owned and run script to
> issue and execute the 'newaliases' command?

Hi Kirk,

This isn't really too Python-related (but then, we've been way off
tangent recently... *grin*).

In Unix, a program takes on the privileges of the user who executes the
program.  If we're not taking Unix's setuid/setgid mechanisms into
account, then it really doesn't matter who "owns" the program, but it's
more important who "runs" it.


You should probably be using 'sudo' or something like it to solve these
permission problems. The utility 'sudo' grants temporary root privilege to
normal users:

    http://www.courtesan.com/sudo/

There's a nice BSD-oriented tutorial of sudo on O'Reilly's ONLamp.com:

    http://www.onlamp.com/pub/a/bsd/2002/08/29/Big_Scary_Daemons.html

By using sudo, you can write Python scripts that do serious system
administrative tasks like automating the regeneration of the aliases file
in sendmail.


I'd discourage a 'setuid' approach to Unix permissions without
understanding its dangers: there seems to be a constant stream of 'setuid'
security holes that pop up every so often on the security newsgroups, so
getting 'setuid' right is not an easy thing to do.  In some cases, there's
no alternative to a setuid wrapper --- Mailman, for example, uses one ---
but most any setuid program should be held with suspicion.


Good luck to you!
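
Added example (not part of the original message): one way a script running as 'nobody' could call newaliases through sudo. The paths /usr/bin/sudo and /usr/bin/newaliases, the sudoers rule shown in the comment, and the function names are assumptions for illustration.

```python
import subprocess

# Assumed sudoers rule, installed with visudo. The trailing "" means the
# command may only be run with no arguments, and NOPASSWD lets a
# non-interactive CGI/daemon user run it without a password prompt:
#
#   nobody ALL=(root) NOPASSWD: /usr/bin/newaliases ""
#
SUDO = "/usr/bin/sudo"              # assumed path
NEWALIASES = "/usr/bin/newaliases"  # assumed path; must match sudoers exactly


def build_command():
    """Fixed argv list: absolute paths, no shell, no user-supplied input.
    -n makes sudo fail at once instead of waiting for a password."""
    return [SUDO, "-n", NEWALIASES]


def minimal_env():
    """Do not pass the caller's (possibly web-controlled) environment on."""
    return {"PATH": "/usr/bin:/bin", "LANG": "C"}


def rebuild_aliases(run=subprocess.run):
    """Run newaliases via sudo. Returns (ok, message).
    'run' is injectable so the logic can be exercised without sudo."""
    try:
        proc = run(build_command(), env=minimal_env(),
                   stdin=subprocess.DEVNULL, capture_output=True,
                   text=True, timeout=30, check=False)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, f"could not run sudo: {exc}"
    if proc.returncode != 0:
        # Typical cause: the sudoers rule is missing or does not match.
        return False, proc.stderr.strip() or f"exit status {proc.returncode}"
    return True, proc.stdout.strip()


if __name__ == "__main__":
    ok, message = rebuild_aliases()
    print("aliases rebuilt" if ok else f"newaliases failed: {message}")
```

Because the sudoers rule names one command with no arguments, a compromise of the 'nobody' script gains the ability to rebuild the aliases database and nothing else.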