wsgi as root for ssh configurations

1 view
Skip to first unread message

Edwin Rueda

unread,
Apr 30, 2021, 12:30:51 PMApr 30
to mod...@googlegroups.com
Hi Graham and everyone,

I have a problem with a current task I'm doing in AWS. I'm creating a web interface to set permissions and change the ssh welcome message. The problem is that when saving the welcome message, I have to modify the /etc/issue.net file with the following python line:

                open("/etc/issue.net").write("test text")

the problem is that the server won't let me save because I don't have superuser permissions.

the alert that appears in the apache log is as follows:
     -  sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

note that in AWS, by default there is no superuser key

Finally, this is my .conf file:

WSGIDaemonProcess flaskproject threads=5
        WSGIScriptAlias / /var/www/html/flaskproject/app.wsgi

        <Directory flaskproject>
                WSGIProcessGroup flaskproject
                WSGIApplicationGroup %{GLOBAL}
                Order deny,allow
                Allow from all
        </Directory>

can you help me ? 

Thabks!!!!
--
Edwin J. Rueda
Maestrando en Ciencias de la Computación
Universidade Federal do Pará, Brasil
Ingeniero de Sistemas
Universidad Industrial de Santander, Colombia

Edwin Rueda

unread,
Apr 30, 2021, 12:58:18 PMApr 30
to mod...@googlegroups.com
If I use the following python command to save the file:

 -  os.system('sudo -S echo "test text" | sudo tee /etc/issue.net')  

I get the following error in the apache log:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
[sudo] password for www-data:
sudo: no password was provided

Thanks!

Carl Nobile

unread,
Apr 30, 2021, 1:15:05 PMApr 30
to modwsgi
This is not something that modwsgi is responsible for.
However, you could try to use the same tricks that are done when a daemon is created to run as root.
You will have to put some thought into how you do this, it will NOT be an exact copy of my code, but the basic ideas are there.
Good luck

~Carl


--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/CAJ83xwrY9py2qpHBov%2B-bXAFtE1-pvsBpRK96YXvML_KmTq3sQ%40mail.gmail.com.


--
-------------------------------------------------------------------------------
Carl J. Nobile (Software Engineer)
carl....@gmail.com
-------------------------------------------------------------------------------

Edwin Rueda

unread,
Apr 30, 2021, 4:07:01 PMApr 30
to mod...@googlegroups.com
Thanks Carl,

After a bit of searching and scratching my head, I discovered that when I run the command os.system("message to save"), it asks for superuser permissions for the user "www-data". So what I did was to give permissions to that user.

I opened the file /etc/sudoers.d/90-cloud-init-users with the following command:

                                     sudo visudo -f /etc/sudoers.d/90-cloud-init-users

by default, the file contains the user "ubuntu" with its privileges. Then, I wrote the following line and saved the file, and restarted the server:

                                     www-data ALL=(ALL) NOPASSWD:ALL

thanks for your help!


GODJonez

unread,
Apr 30, 2021, 4:34:43 PMApr 30
to modwsgi
Hi. Having a web app with superuser privileges (even if indirectly) doesn't sound like the best idea. Especially if you are feeding user input to os.system running with root. That's a disaster waiting to happen.

I would suggest going a different way. Rather than elevating web app permissions, reduce the needed power to the specific file. That is, grant www-data (or even better, make a dedicated system account for the app) modify permissions for the specific file you need to write to. This way you are not inadvertently opening door to unlimited damage a bug in your code and/or malicious user using you app could do.

Joonas

Edwin Rueda

unread,
Apr 30, 2021, 6:04:58 PMApr 30
to mod...@googlegroups.com
Hi Joonas,

you are absolutely right. My problem is that I need to create a graphical administration panel for ssh and cronjob and I don't have much time, it's something for academic purposes. But if it were for production and an end-user, if there's the possibility of creating a profile with certain permissions for the www-data user.

Reply all
Reply to author
Forward
0 new messages