Ramdas
How do I add users using Python scripts on a Linux machine?
Someone has a script?
Ramdas said: Well,
I need to add users from a web interface for a web server, which runs
only Python. I need to add users, set quotas and in future even look at
managing ip tables to limit bandwidth.
I know os.system(), but this has to be done through a form entry
through a web interface.
Anyways thanks, do advise if there are more Pythonic solutions.
Ivan said: What you're looking for is actually a pretty complex thing. You *could*
in theory manage /etc/passwd (and its "shadow" file) - you can find
crypto primitives like MD5 and DES on the 'net, but note that you must
run your script under the 'root' account in order to write (and even
read!) the passwd database. The same goes for using os.system and the
built-in OS utility. Be aware of security implications if you're running
your web server under the root account.
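
One way to keep the web server off the root account and keep form input out of os.system, as an added example that is not part of the original thread: a small root-owned helper that the unprivileged web process runs through sudo, passing only the requested name. The helper name `webapp-adduser`, the naming policy, the reserved list and the nologin path are assumptions.

```python
#!/usr/bin/python3
"""Hypothetical root helper: the only command the web app may run via sudo."""
import re
import subprocess
import sys

USERADD = "/usr/sbin/useradd"   # absolute path, never resolved through PATH
NOLOGIN = "/usr/sbin/nologin"   # assumed location; differs between distros
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # assumed naming policy
RESERVED = frozenset({"root", "daemon", "bin", "sys", "nobody", "www-data"})


def validate_username(raw):
    """Return raw if it is an acceptable new login name, else raise ValueError."""
    # fullmatch, not match() with "$": "$" would also accept "name\n"
    if not isinstance(raw, str) or not NAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    if raw in RESERVED:
        raise ValueError("reserved username")
    return raw


def build_useradd_argv(raw_name):
    """Build the useradd command; the caller controls only the validated name."""
    name = validate_username(raw_name)
    # Options are fixed here, so the web app cannot request a custom UID,
    # group or shell. "--" ends option parsing: the name is never a flag.
    return [USERADD, "--create-home", "--shell", NOLOGIN, "--", name]


def main(argv):
    if len(argv) != 2:
        print("usage: webapp-adduser NAME", file=sys.stderr)
        return 2
    try:
        cmd = build_useradd_argv(argv[1])
    except ValueError as exc:
        print(f"rejected: {exc}", file=sys.stderr)
        return 2
    # List argv and no shell: form input is never parsed as shell syntax,
    # unlike os.system("useradd " + name). The environment is fixed as well.
    return subprocess.run(cmd, env={"PATH": "/usr/sbin:/usr/bin"}).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The sudoers entry for the web server account should name this helper only, not useradd itself, so that the fixed options cannot be bypassed.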
Ravi Teja said: How about invoking scripts with SUID root set?
Linux seems to ignore SUID bit on scripts:
Carsten Haese said: I don't think that that has anything to do with Linux or not. The
script is not the actual executable, hence its suid bit is irrelevant.
You'd have to set the suid bit on the python executable, but that
would affect all python scripts, which is probably bad.
Linux seems to ignore SUID bit on scripts:
Anyway, you should definitely think about security issues. Not all
people out there are friendly...
Sebastian 'lunar' Wiesner said: SW> Linux seems to ignore SUID bit on scripts:
Piet van Oostrum said: The reason is that obeying SUID bits on scripts would be a security
risk.
Sebastian said: Carsten Haese typed
I don't think so. From what I know, the script is passed as executable
to the kernel loader, which interprets the shebang and feeds the script
through the correct interpreter. So the kernel loader sees the script
itself as executable instead of the interpreter binary. I've heard of
other Unix systems, which handle this differently (meaning that the
SUID bit on scripts has an effect), but I may be wrong.
Ivan Voras said: Yes, the kernel parses #! but the suid-ness is still controlled by the
target interpreter (i.e. python executable). At least BSD systems also
behave this way.
Sebastian 'lunar' Wiesner said: SW> I don't see a problem with SUID on scripts. If you restrict write access
SW> to the owner, modification is hardly possible.
SW> However, if you allow world-wide write access to your binaries and
SW> scripts, both can easily be modified...
The scenario is as follows: Suppose the script starts with the line:
#!/usr/bin/python
(using #!/usr/bin/env python would be disastrous because the user could
supply his own `python interpreter' in his PATH.)
Now a malicious user can make a link to this file in his own directory,
e.g. to /Users/eve/myscript1. Because permissions are part of the file
(inode), not of the file name, this one is also suid.
Now she execs /Users/eve/myscript1. The kernel, when honoring suid
scripts, would startup python with effective uid root with the command
line: /usr/bin/env /Users/eve/myscript1
Lawrence D'Oliveiro said: LD> No it wouldn't. This security hole was fixed years ago.