在 sudo 中运行 python 文件，但在用户空间中运行配置文件

Question

I wrote a python script that accesses system features which require root privileges. This "master" script is configured by running another Python script file, "config.py", using exec , that the user of my script would write and which configures some state variables in my script.

The master script file is root-owned while the config file is user owned (since my script users would want to modify this file).

Obviously this is not ideal, since the users of my script could run root-level commands in the config script. Is there a way to run the config file in user-level even if the master file was run in root?

Answer 1

What you could do is create a special user to execute the commands that the script users give you. Make sure that this user is locked down to your security requirements dictate.

Say that you want this username to be scriptkiddie (for the laughs), then you could create that user in the following way.

$ useradd scriptkiddie

Then, wrap any system command (here I'll use nmap -Pn -p22 10.0.0.0/8 , a command that requires root ) that your script will execute on behalf of a script user in the runuser command.

runuser will run whatever you give it in the context of whatever user you specify.

$ runuser -l  scriptkiddie -c 'nmap -Pn -p22 10.0.0.0/8'

In Python you could use format(...) to inject whatever command is given to you.

"runuser -l  scriptkiddie -c {}".format(user_cmd)

This method will prevent any user being able to run a command in the context of root , since all commands will be run under the context of the new user scriptkiddie .

Answer 2

Since it's a config file, you might be better off making it something non-executable like a plain ini / yaml etc. I'm assuming you want to include it to access some constants. Sometimes it requires a little more work to set up, but ultimately, if the only code that runs is yours, you can be safe(er).