为处理来自 html（网页）的输入而开发的 Python 脚本未执行 shell 命令

Question

Please help me people! I have setup a xcat server so that I can manage my many nodes therefrom. I want to stop running python scripts directly from within my xcat server. I figured it would be better for simplicity to create a webpage as my interface and use python as the server-side script from the xcat server I am finding that my underlying python script is not really doing everything I want it to do. For example, my script is unable to power up or down my nodes defined on the xcat server. To illustrate better, my node (hs22n12 ) is defined on my xcat server (xcatmn5). I am able to use “nodels | grep hs22n12” to locate that node on xcatmn5 and operate it which ever way I see fit such as power up (“rpower hs22n12 on”) or power down (“rpower hs22n12 off”). However, when I build this commands into my python scripts such that they are operated when I provide input from html, The operation is not successful. Some specs are indicated here: I am using apache and I have confirmed that this is running My python scripts are in my var/www/cgi-bin and I am able to run them My htnl files are located in /var/www/html Please find below my code snippets First html code (which is currently okay for me and is working well)

****<!DOCTYPE html>
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    </head>
    <body>
    <div id="title">
    <title> Node Provisioning Application </title>
    </div>
    <form action='cgi-bin/powerOff11.py' method="post">
     Enter Node:  <input type="text"  name ="Node"/>
     <input type="submit" value="submit">
    </form>
    </body>
    </html>**

I will add my python code shortly Here's my python code

#!/usr/bin/python
import cgi
import cgitb
import subprocess
import os
import sys
cgitb.enable()

print "Content-type: text/html\n"

form = cgi.FieldStorage()

Node = form.getvalue('Node')
print"<p>%s</p>"% Node

if Node == None:
    print"<p>No node provided</p>"
else:
    find_node = subprocess.call('nodels | grep ' + Node, shell=True)
    if find_node == 0:
        print("<p>Node not defined yet!</p>")
    else:
        if find_node > 0:
            print"<p>%s</p>"% Node
            p_off = subprocess.call('rpower ' + Node + ' on',shell=True)
            print"<p>%s powering on...</p>"% Node 
        else:
            sys.exit()
        

update: After some diggging around, I was able to enable the HTTPS protocol for REST API and also enabled the certificate of HTTPs by following the instruction here: https://xcat-docs.readthedocs.io/en/stable/advanced/restapi/restapi_setup/restapi_setup.html

After i did this, I was actually able to access different resources, such as the repository of my xcat server via https. However, original problem has become clearer. The new response I am getting from http whenever I try to run a command that needs root priviledge is:

"Error: Permission denied for request warning: the client certificates under /usr/share/httpd/.xcat/ are not setup correctly, please run '/opt/xcat/share/xcat/scripts/setup-local-client.sh ' as 'root' to generate the client certificates; otherwise, the SSL connection between xcat client and xcatd will be setup without certificate verification and open to Man-In-The-Middle attacks."

This leads me to believe that my problem is how to configure /etc/httpd/conf/httpd.conf to be able to request root access and also make requests from there. Mind you I am able to get response to all binary commdans such as (ls, cd etc) that are in the /usr/bin directory (these commands do not require root priviledge to be made. Can someone point me to how to configure httpd.conf such that my request can be legitimately made from /root to xcat? Thank you all for your helps.

Answer 1

This is xCAT2, I assume?
If so, did you give correct permission to the apache process to execute xCAT commands?

xCAT policy table serves as ACL (access control list) for xCAT.

You can do something like:

mkdef -t policy -o 7.0 name=apache rule=allow

7.0 is just an example - use any other number as long as it doesn't conflict with any preexisting rule - tabdump policy can be convenient as there shouldn't be too many lines in the policy table.

for name use the apache process owner.

By default unless limited with commands= flag, all commands are allowed by this new policy rule.

Answer 2

Thank you again for taking the time to respond to my issue. I have tried it out. It appears that this is not the problem, however you have nudged me in the right direction of thinking beyond the actual code to the entire web service configuration of httpd and how it makes requests from xcatd. I was able to do some adjustment and noticed that I am able to get response from xcatd to all binary commands in /usr/bin/python (eg ls) but I am unable to get response to such commands that needs root access like lsdef. This leads me to believe that the problem I am having is that I am not given permission to request root priviledge (run root commands) from http client. I need someone who has done web service configuration to look ino this. I believe the problem is most likely in httpd.conf (Still reading up on it) But tanks again.