How do you allow a Python script access to mkdir in a protected directory without su access in Linux?
Question
I'm trying to create a python shell script to create a number of directories in Ubuntu Linux. The main directory I'm trying to create directories in is protected from write access. Is there a way to allow the Python script to be allowed to create directories in there as if it's the root user but not have to run the script through su, since other users might need to run the script but should not have su access?
5 answers
solution1
5 ACCPTED 2011-08-23 19:52:37
This question is not really related to Python. The Python script is just a process like any other process and needs to have to right permissions to do things. The usual method is to create a group, and make the parent directory g+ws for that group. Then add the appropriate users to that group as a supplemental group.
solution2
2 2011-08-23 19:56:07
Unfortunately no. A process's permissions in a *nix environment are always less than or equal to the permissions of the person who fires it. This actually makes sense though -- it is a huge security risk to allow processes exceed the user's own abilities.
This will require someone who has access to that directory -- either through one of their groups or through sudo . Either way, it will require human interaction on every machine that the script is run on.
As far as what is easiest, well, you'll need someone who has that authority to grant it to another user, or simply use sudo directly.
solution3
0 2011-08-23 19:37:33
You could add a user just for this task, then give the said user permissions for the directory you want the subdirectories created in and execute the script as the said user.
There might be easier solutions but that's what comes to my mind at first glance.
solution4
0 2011-08-23 20:01:35
You could create a separate command that creates the directory and make it setuid root (or, more safely, setuid or setgid to the owner of the parent directory). Make sure the command can't do anything other than what you want to allow it to do (eg, don't let it pass its argument to system() ). Then invoke that command from your Python script.
Of course this will also enable any other process with execute permission on the new command to create subdirectories.
solution5
0 2011-08-23 20:07:24
You can mark your Python script setuid, which makes it run as root regardless of which user runs it. Be aware that this can be a major security risk, though, because if the user figures out a way to make your script do something it wasn't intended to do then they can potentially cause mischief with root privileges. If you do make your script setuid, make sure it's very simple and only does one thing, with plenty of error checking to prevent unexpected inputs. (Look up setuid for more info on doing this; you need to use chmod to mark the executable's setuid bit.)
What's often a better solution is to give a group permissions on the directory where you want to create new directories, and then add that group for users that will run the script.
You can also compromise between these two solutions by making your script setuid, but at the beginning of the script make it use its root privileges to assume the identity of another user. Then, create the directories using the privileges of that other user, to whom you've given the appropriate permissions. This way you're still performing the operation in such a way that users don't have permission to do it directly (so they must use the script), but you're minimizing the risk that they might be able to exploit your script to do assorted other things that you hadn't anticipated.
I found what looks to be a decent article about writing setuid programs here:
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.124.384
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.