Re. suid/sudo in python

Rustom Mody

Ben Finney wrote
The key thing to realise is that, having relinquished privilege, the same process can't get it back again as easily. So if you need to
do some tasks as a privileged user, do those *very* early and then drop the privileges for the rest of the life of the process.

Taking this further, you should isolate exactly what tasks need root privilege into a separate process altogether, and make
that process as well-tested and simple as possible: it should do nothing *but* those tasks for which it needs root privilege.

I don't think this would be easy or convenient (if at all possible) in my case.

I am trying to write a tiny web based application that will give an
overall picture of LVM, Volume groups, Raid, SCSI and the underlying
disk partitions. The administrative tools dealing with low level
storage stack (e.g. fdisk, pvcreate, vgcreate, lvcreate, mdadm etc.)
need to be run as root.

However, since this runs behind Apache, Apache creates a separate user
for the webserver. Hence the CGI scripts or any other tools that they
call run as that user.

The solution currently is
- Write the CGI program in C, put setuid(0), setgid(0) statements in
that file and then perform any other actions (including calling other
scripts)
- Set the S bit of the executable of the CGI binary compiled from the
C file (chmod +s xxx.cgi)

Yeah yeah "Security! HOLE!!" etc but please note that this is running
on linux on vmware on an otherwise secure system.

So what's the best way of doing this in python?
 
bieffe62

Ben Finney wrote



I don't think this would be easy or convenient (if at all possible) in my case.

I am trying to write a tiny web based application that will give an
overall picture of LVM, Volume groups, Raid, SCSI and the underlying
disk partitions. The administrative tools dealing with low level
storage stack (e.g. fdisk, pvcreate, vgcreate, lvcreate, mdadm etc.)
need to be run as root.

However, since this runs behind Apache, Apache creates a separate user
for the webserver. Hence the CGI scripts or any other tools that they
call run as that user.

The solution currently is
- Write the CGI program in C, put setuid(0), setgid(0) statements in
that file and then perform any other actions (including calling other
scripts)
- Set the S bit of the executable of the CGI binary compiled from the
C file (chmod +s xxx.cgi)

Yeah yeah "Security! HOLE!!" etc but please note that this is running
on linux on vmware on an otherwise secure system.

So what's the best way of doing this in python?

Have a 'server process' running with root privilege (a script started
by a privileged account) and implement a protocol to ask for system
info from your cgi scripts under apache. In python this is a lot
easier than it sounds.
The simplest case would be to send a 'system command' to the
server through a unix socket; the server
executes the command as received and returns the command output. Not
more than a day's work, I believe. Not much more secure than
a setuid python script, also, maybe less :)
A better implementation would be such that the protocol only allows
for a set of pre-defined safe requests ...

Ciao
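
The "pre-defined safe requests" protocol suggested in the post above, as an added example that is not part of the original thread: the root-side handler accepts only named requests from one caller uid and never hands request text to a shell. The request names, the JSON-line format and the choice of read-only `pvs`/`vgs`/`lvs` reports are assumptions.

```python
import json, re, socket, struct, subprocess

# Assumed allowlist: request name -> (fixed argv, accepts a volume-group name?)
ALLOWED = {
    "list_pvs": (["pvs", "--noheadings"], False),
    "list_vgs": (["vgs", "--noheadings"], False),
    "list_lvs": (["lvs", "--noheadings"], True),
}
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.+-]{0,63}")  # never starts with '-'

def build_argv(request):
    """Turn a decoded request into an argv list, or raise ValueError."""
    op = request.get("op") if isinstance(request, dict) else None
    if not isinstance(op, str) or op not in ALLOWED:
        raise ValueError("unknown request")
    base, takes_vg = ALLOWED[op]
    argv = list(base)
    vg = request.get("vg")
    if vg is not None:
        if not takes_vg or not isinstance(vg, str) or not NAME_RE.fullmatch(vg):
            raise ValueError("bad argument")
        argv.append(vg)
    return argv

def peer_uid(conn):
    """Uid of the process on the other end of a Unix socket (Linux SO_PEERCRED)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)[1]  # (pid, uid, gid)

def run_command(argv):
    """Run the fixed command with no shell, a fixed PATH and a time limit."""
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10,
                          env={"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"})
    return done.stdout

def handle(conn, allowed_uid, runner=run_command):
    """Answer one request on an accepted connection with a JSON line."""
    try:
        if peer_uid(conn) != allowed_uid:
            raise ValueError("caller not permitted")
        line = conn.makefile("r").readline(4096)
        reply = {"ok": True, "output": runner(build_argv(json.loads(line)))}
    except (ValueError, OSError, subprocess.SubprocessError) as exc:
        reply = {"ok": False, "error": str(exc)}
    conn.sendall((json.dumps(reply) + "\n").encode())
```

The root process calls `handle()` for each connection accepted on its Unix socket, with `allowed_uid` set to the web server's uid; the CGI script stays unprivileged and only writes one JSON line and reads one back.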
 
rustom

Have a 'server process' running with root privilege (a script started
by a privileged account) and implement a protocol to ask for system
info from your cgi scripts under apache. In python this is a lot
easier than it sounds.
The simplest case would be to send a 'system command' to the
server through a unix socket; the server
executes the command as received and returns the command output. Not
more than a day's work, I believe. Not much more secure than
a setuid python script, also, maybe less :)

Well the current C root owned setuid-ing and calling out to shell is
simple enough I guess.
The shell could be replaced by python of course.
 
rustom

Rustom Mody wrote:
The essence of your program is that you only want information, that is
great! Since that makes it all a bit simpler.

How about writing a cronjob that outputs the required information into a
file and then write a separate program that reads the output and
displays it on the web site when requested?

I don't 'only want information.' I want to do everything that root can
do through a web interface.
I don't think this is necessarily a python problem but a generic, SUID
scripts considered dangerous, problem.

Yeah I know and I'm prepared for the consequences -- think of it as
running with the hardware ethernet interfaces down-ed.
Seems to contradict the web thing above so let me explain:

Machine runs vista -> Vista runs VMware -> VMware hosts ubuntu
Ubuntu behaves like a disk rack.
Through the web client running on Vista, I want to view and *Control*
the ubuntu disk rack (somewhat like manipulating the cups printer via
localhost://631)

The context is that we want to teach a course on LVM, RAID, SCSI
actual disks etc and during that we would like a nice summarised
picture in front of the class rather than arcane playing-around-ing
with fdisk, pvcreate, vgcreate, lvcreate, mdadm etc command lines.

I think I know what I am going to try (Got it from an old python list
posting here
http://mail.python.org/pipermail/python-list/2000-July/044690.html
which explains how perl does it)
Copy /usr/bin/python to ~/bin/python-su
make it suid
run the scripts under python-su

Any major holes (apart from the security ones :) ) in my plan??
 
