invoking a function or module as root


Blaxton

Aug 14, 2012, 3:36:24 AM
to django...@googlegroups.com
Hi

I have set up Django with wsgi and Apache on Linux and all is good,
but the application that I am building should be able to modify
Linux files which can only be modified by root.

So, I have created a function named myfunc in a module named mymodule.py
and have invoked the function in my application's views.py.

Now, how can I invoke mymodule.py as root, or is there any way to invoke
only myfunc as root?

I already set up sudo, and was able to create a directory as root with the mkdir command,
but what about Python methods such as open()? How can I open() a file as root
while the function is being invoked as the apache user? I tried adding mymodule.py and python
to the list of commands in the sudoers file, but there is still a problem with creating the file.

Even os.setuid() won't work, because the function is being invoked as the apache user.

I thought about setting setuid on the python executable, but setuid does not work on scripts, and I would have to write
a program in C or C++, make it setuid and then invoke it through Django and Python,
but I don't want to go that way, to keep everything in the Python language.

The main question is "how to invoke a Python function or module as root from a view",
but I am open to any better solution.

Thanks




Jirka Vejrazka

Aug 14, 2012, 4:33:29 AM
to django...@googlegroups.com
Hi there,

you definitely don't want to allow apache to setuid() to root as
you've pointed out. You have a few options, probably the easiest one
is to write a pair of scripts for each task you want your application
to perform with root privileges.

- the first script will only contain "sudo <second_script with the
right parameters>"
- the second script should contain the necessary step(s) that need
to be performed with root privileges. It should be simple to minimize
chances for security issues

Then you'd configure your sudoers file to allow apache process to
call the "second script" *including the right set of parameters* (if
applicable) with sudo permissions.

You'd then call your "first script" using subprocess() call from
your views.py (or wherever appropriate).

(you could technically bypass the whole "first script", but it'll
greatly improve readability if you do it this way, no one will have to
read your python code to match it to your sudoers file if problems
occur).

An even better solution would be fixing your security model; having a
web application perform high-privileged tasks on a system seems flawed
in 99% of cases I can think of, but maybe you have a good reason why
you need it that way.

HTH

Jirka

Blaxton

Aug 18, 2012, 8:22:11 AM
to django...@googlegroups.com
Thank you Jirka,

Changed the function to a standalone script and called it with sudo from views.py.
That worked and solved my problem.
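
The pattern discussed in this thread (a small root-owned script, a sudoers entry that pins its parameters, and a subprocess call from the view), shown as an added example that is not part of the original posts. The helper path, the profile names and the sudoers line are assumptions made for illustration.

```python
import subprocess

# Hypothetical root-owned helper (the thread's "second script"); the path and
# profile names are assumptions. Matching sudoers entry, also assumed:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/apply-profile normal, \
#                               /usr/local/sbin/apply-profile maintenance
HELPER = "/usr/local/sbin/apply-profile"
ALLOWED_PROFILES = frozenset({"normal", "maintenance"})


class PrivilegedCallError(Exception):
    """Raised when the request is rejected or the helper fails."""


def build_argv(profile):
    """Return the exact argv that the sudoers entry permits, or raise."""
    if not isinstance(profile, str) or profile not in ALLOWED_PROFILES:
        raise PrivilegedCallError("profile not allowed: %r" % (profile,))
    # -n: never prompt for a password; fail instead of hanging the worker.
    # "--" ends sudo's own option parsing before the command.
    return ["sudo", "-n", "--", HELPER, profile]


def apply_profile(profile, run=subprocess.run):
    """Run the helper as root via sudo. `run` is injectable for testing."""
    argv = build_argv(profile)
    try:
        result = run(
            argv,                           # list form: no shell is involved
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            env={"PATH": "/usr/bin:/bin"},  # do not pass the web app's env
            timeout=10,
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        raise PrivilegedCallError("helper did not run: %s" % exc)
    if result.returncode != 0:
        # Log stderr server-side; do not echo it to the HTTP client.
        raise PrivilegedCallError("helper exited %d" % result.returncode)
    return result.stdout.decode("utf-8", "replace")
```

A view would call `apply_profile(...)` with a value taken from a validated form field and treat `PrivilegedCallError` as a failed request; the helper script itself should re-check its argument, since sudoers is the only thing standing between the apache user and root.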




