Privilege separation best practices
I have a light meter which has Python3 libraries which seem to require root access. I don't want the whole script to run as root, just the part which reads the light intensity. I wonder what the established best practices are for dealing with that.
Running a script on-demand just to read the meter is very sluggish and introduces a variable but massive amount of latency into the workflow. So I am guessing something needs to be left running. How should other scripts and programs then poll the script which monitors the meter? Sockets? FIFO pipe? Others?
Use Apache as an example. One process listening on ports 80 and 443, which must run with root privileges. HTTP requests that it receives are sent to the worker processes, which also run all the time in the background, but under the apache identity.
How the root process communicates with the apache processes is probably not a security question (I don't know, off-hand, how Apache does it). I'd implement whatever communication method is most convenient for your use case and for whatever Python has to offer. A socket-based solution may have the advantage that you could easily port the program to client and server running on several computers.
Are there any more recent concise theoretical overviews than Dr Provos' Privilege Separated OpenSSH from 2003? The information there is still valid but I would like to see additional thoughts on the task.
I have no idea what this is, but probably giving the user permission to the given device will solve this issue. It would be nice to know why it needs root access.
On the other hand, you may try to construct a daemon process which will read that device (as root) and you can use a socket (or an API) to communicate with that daemon.
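The daemon-plus-socket design suggested in this post, as an added example that is not from anyone in the thread: a root-started process that reads the meter, restricts the Unix socket to owner and group, checks the connecting peer's uid with SO_PEERCRED, and exposes exactly one argument-free command. The meter read is a constructed stand-in (read_lux_privileged returns a fixed value); the socket path and the allowed uid set are the caller's choice.

```python
import os
import socket
import struct

MAX_REQUEST = 64      # bytes; longer input is rejected, never parsed
SOCKET_MODE = 0o660   # owner and group may connect, nobody else


def read_lux_privileged() -> float:
    """Constructed stand-in for the root-only meter read; the real library call goes here."""
    return 412.5


def handle_request(raw: bytes, reader=read_lux_privileged) -> bytes:
    """Narrow protocol: the unprivileged side can ask for one thing and pass no arguments."""
    if len(raw) > MAX_REQUEST or raw.strip().upper() != b"READ":
        return b"ERR unknown command\n"
    return f"OK {reader():.1f}\n".encode()


def peer_uid(conn: socket.socket):
    """Uid of the connecting process via SO_PEERCRED (Linux); None where unsupported."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)   # struct ucred: pid, uid, gid
    return uid


def create_listener(path: str) -> socket.socket:
    """Bind the Unix socket and chmod it so only the owner and group can connect."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, SOCKET_MODE)
    srv.listen(8)
    return srv


def drop_privileges(uid: int, gid: int) -> None:
    """Once the device is open, the serving loop itself does not need to stay root."""
    if os.geteuid() == 0:
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)


def serve(srv: socket.socket, allowed_uids, reader=read_lux_privileged, max_requests=None) -> int:
    """Answer requests, refusing peers outside allowed_uids; returns the number served."""
    served = 0
    while max_requests is None or served < max_requests:
        conn, _ = srv.accept()
        with conn:
            uid = peer_uid(conn)
            if uid is not None and uid not in allowed_uids:
                conn.sendall(b"ERR not authorised\n")
            else:
                conn.sendall(handle_request(conn.recv(MAX_REQUEST + 1), reader))
        served += 1
    return served
```

Clients (the "other scripts" in the question) connect to the socket, send `READ`, and get back a single line, so nothing they send can reach the privileged library as an argument.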
Quote:
The specific python3 error is: "PermissionError: [Errno 13] Permission denied: '/usr/local/lib/python3.7/dist-packages/board.py'" However, I cannot guess as to what that is about. Code:
$ dpkg -S $(readlink -f /usr/local/lib/python3.7/dist-packages/board.py)
board.py was most probably installed by pip, not dpkg. You can check if the file exists and looks like this: https://github.com/tjguk/dojo-board/...aster/board.py
See also here: https://pypi.org/project/board/ Also you need to check the permissions of this file (if the current user can read it).