wsgi as root for ssh configurations


Edwin Rueda

Apr 30, 2021, 12:30:51 PM
to mod...@googlegroups.com
Hi Graham and everyone,

I have a problem with a current task I'm doing in AWS. I'm creating a web interface to set permissions and change the ssh welcome message. The problem is that when saving the welcome message, I have to modify the /etc/issue.net file with the following python line:

                with open("/etc/issue.net", "w") as f:   # must be opened for writing; a read-only handle cannot write()
                    f.write("test text")

The problem is that the server won't let me save because I don't have superuser permissions.

The alert that appears in the Apache log is as follows:

        sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

Note that in AWS, by default there is no superuser key.

Finally, this is my .conf file:

WSGIDaemonProcess flaskproject threads=5
WSGIScriptAlias / /var/www/html/flaskproject/app.wsgi

# <Directory> needs the absolute path of the directory holding app.wsgi
<Directory /var/www/html/flaskproject>
        WSGIProcessGroup flaskproject
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
</Directory>

Can you help me?

Thanks!!!!
--
Edwin J. Rueda
Master's student in Computer Science
Universidade Federal do Pará, Brasil
Systems Engineer
Universidad Industrial de Santander, Colombia

Edwin Rueda

Apr 30, 2021, 12:58:18 PM
to mod...@googlegroups.com
If I use the following Python command to save the file:

        os.system('sudo -S echo "test text" | sudo tee /etc/issue.net')

I get the following error in the Apache log:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
[sudo] password for www-data:
sudo: no password was provided

Thanks!

Carl Nobile

Apr 30, 2021, 1:15:05 PM
to modwsgi
This is not something that mod_wsgi is responsible for.
However, you could try to use the same tricks that are done when a daemon is created to run as root.
You will have to put some thought into how you do this; it will NOT be an exact copy of my code, but the basic ideas are there.
Good luck

~Carl




--
-------------------------------------------------------------------------------
Carl J. Nobile (Software Engineer)
carl....@gmail.com
-------------------------------------------------------------------------------

Edwin Rueda

Apr 30, 2021, 4:07:01 PM
to mod...@googlegroups.com
Thanks Carl,

After a bit of searching and scratching my head, I discovered that when I run the command os.system("message to save"), it asks for superuser permissions for the user "www-data". So what I did was to give permissions to that user.

I opened the file /etc/sudoers.d/90-cloud-init-users with the following command:

        sudo visudo -f /etc/sudoers.d/90-cloud-init-users

By default, the file contains the user "ubuntu" with its privileges. Then I wrote the following line, saved the file, and restarted the server:

        www-data ALL=(ALL) NOPASSWD:ALL

thanks for your help!


GODJonez

Apr 30, 2021, 4:34:43 PM
to modwsgi
Hi. Having a web app with superuser privileges (even if indirectly) doesn't sound like the best idea. Especially if you are feeding user input to os.system running as root. That's a disaster waiting to happen.

I would suggest going a different way. Rather than elevating the web app's permissions, reduce the needed power to the specific file. That is, grant www-data (or, even better, a dedicated system account for the app) modify permissions for the specific file you need to write to. This way you are not inadvertently opening the door to the unlimited damage that a bug in your code and/or a malicious user of your app could do.

Joonas
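The approach Joonas describes, written out as an added example (this is not code from the thread or from mod_wsgi): the operator makes /etc/issue.net group-writable by a dedicated group once, runs the daemon process under a dedicated account in that group, and the app overwrites that one file in place without sudo. The group name sshbanner, the account name bannerapp and the 4096-byte cap are assumptions; the WSGIDaemonProcess user= and group= options are real mod_wsgi options. The file is opened without O_CREAT and with O_NOFOLLOW, so the app can never create a file in /etc or write through a symlink, and the banner is checked for control characters before it is written, since sshd prints this file to every client before authentication.

```python
"""Least-privilege update of /etc/issue.net from the Flask/mod_wsgi app.

Assumed one-time setup by the operator (example, not from the thread):
    groupadd sshbanner
    chgrp sshbanner /etc/issue.net
    chmod 0664 /etc/issue.net
    # in the Apache conf:
    # WSGIDaemonProcess flaskproject user=bannerapp group=sshbanner threads=5
After that the daemon process can overwrite exactly one file and nothing else:
no sudo, no sudoers entry, and www-data gains no rights at all.
"""
import os
import tempfile

BANNER_PATH = "/etc/issue.net"   # the file named in the thread
MAX_BANNER_BYTES = 4096          # assumed cap; sshd just prints the file to every client


def validate_banner(text: str) -> bytes:
    """Return the banner as UTF-8 bytes with a single trailing newline, or raise ValueError.

    Only printable characters, tabs and newlines are accepted. ESC and other
    control characters are rejected so a banner cannot carry terminal escape
    sequences to the clients that sshd shows it to.
    """
    if not isinstance(text, str):
        raise ValueError("banner must be a str")
    for ch in text:
        if ch in "\t\n":
            continue
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            raise ValueError("control character not allowed in banner")
    data = text.rstrip("\n").encode("utf-8") + b"\n"
    if len(data) > MAX_BANNER_BYTES:
        raise ValueError("banner longer than %d bytes" % MAX_BANNER_BYTES)
    return data


def write_banner(text: str, path: str = BANNER_PATH) -> int:
    """Overwrite the banner file in place and return the number of bytes written.

    O_CREAT is deliberately absent: the file must already exist, so the app
    cannot create files in /etc even if the path were ever wrong, and it needs
    no write permission on the /etc directory itself. O_NOFOLLOW refuses to
    write through a symlink placed at the path. The write is in place (not
    rename-over) precisely because the app is not allowed to create files
    in /etc.
    """
    data = validate_banner(text)
    flags = os.O_WRONLY | os.O_TRUNC
    flags |= getattr(os, "O_NOFOLLOW", 0)   # POSIX only; 0 where unsupported
    flags |= getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)
    try:
        written = 0
        while written < len(data):
            written += os.write(fd, data[written:])
        os.fsync(fd)
    finally:
        os.close(fd)
    return written


if __name__ == "__main__":
    # Stand-alone demo against a temporary file, so it runs without any
    # special permissions; the app would call write_banner(text) for the real path.
    fd, demo_path = tempfile.mkstemp(prefix="issue.net.")
    os.close(fd)
    n = write_banner("Authorized use only. Activity is logged.\n", path=demo_path)
    with open(demo_path, "rb") as f:
        print("wrote %d bytes to %s: %r" % (n, demo_path, f.read()))
    os.unlink(demo_path)
```

The Flask view that handles the form should call write_banner() inside a try/except and return the ValueError message to the user; a PermissionError at that point means the group setup above has not been applied, not that the app needs sudo.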

Edwin Rueda

Apr 30, 2021, 6:04:58 PM
to mod...@googlegroups.com
Hi Joonas,

You are absolutely right. My problem is that I need to create a graphical administration panel for SSH and cron jobs and I don't have much time; it's something for academic purposes. But if it were for production and an end user, there is the possibility of creating a profile with certain permissions for the www-data user.
