Quote:
|
Or perhaps set up a root cron job that does a relevant chown -R every few minutes if the owner setting is really important. Perhaps if you describe what you're trying to do and why the ownership is so important, someone will come up with a better alternative.
|
I run a small webserver for a handful of sites. Everything is on one Linux box with 1 IP and each site has a virtual host configured under Apache 1.3. Each site (domain) also has full email service via Postfix, where all the entries for users/aliases are handled in MySQL. I've written some password-protected admin web pages so owners of each domain can manage their email settings. One such admin page would allow the manager to add new email users. Adding a user to the MySQL DB is trivial, but to complete the new user setup, a filesystem entry needs to be made for the new user.
The uid/gid of the virtual mail system runs under a name of 'vmail'. Apache runs under 'www-data' and Postfix runs under 'postfix'. I've written the Python script to make the necessary filesystem entries in /home/vmail for the new user. But after testing, I found that it gets written as uid/gid 'www-data'. I need to change that to a uid/gid of 'vmail'.
So that's specifically what I'm attempting. An admin for any one of the websites (domains) on my server needs to be able to add new user email accounts. Part of this process on my setup is the creation of the filesystem entry for the new user. I wrote the Python script to do that, but need to get a handle on the directory/file ownership.
The suggestions from above make sense and are appreciated. Of them, I would presume the most secure is to have a cronjob for root run every 5 minutes or so. How much overhead to the system is this? Trivial?
My 2nd approach would probably be to rewrite my Python script in C and give it setuid.
The idea of using sudo sounds good, but in my case, I think I'd have to give sudo privileges to the user 'www-data' to run /bin/chown, which on the surface doesn't sound like a good idea. Although in sudoers I guess I could limit the privileges by specifying a very narrow Cmnd_Alias like
'/bin/chown -R vmail.vmail /home/vmail/domain'
Thanks again for the suggestions and any additional thoughts.
Kosuke
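
One way to keep the privileged step narrow, as an added example that is not part of the original post: a small Python helper meant to run as root through a single sudoers entry, which validates the domain and user names and changes ownership only on the directories it creates, so `www-data` never gets a general `chown -R`. The helper path `/usr/local/sbin/mkmaildir`, the `<domain>/<user>/{cur,new,tmp}` layout and the name pattern are assumptions; `/home/vmail`, `vmail` and `www-data` come from the post.

```python
#!/usr/bin/env python3
# Added example. Hypothetical install path: /usr/local/sbin/mkmaildir (root-owned, mode 0755)
# Hypothetical sudoers entry: www-data ALL=(root) NOPASSWD: /usr/local/sbin/mkmaildir
import os
import pwd
import re
import sys

# Assumed naming rule: lowercase letters, digits, '.', '_', '-'; no leading/trailing punctuation.
NAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9._-]{0,62}[a-z0-9])?")

def safe_maildir_path(base, domain, user):
    """Return <base>/<domain>/<user>, or raise ValueError if a name could escape base."""
    for part in (domain, user):
        if not NAME_RE.fullmatch(part) or ".." in part:
            raise ValueError(f"rejected name: {part!r}")
    base = os.path.realpath(base)
    # realpath resolves symlinks, so a planted link pointing outside base is caught too.
    path = os.path.realpath(os.path.join(base, domain, user))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes base directory")
    return path

def create_maildir(base, domain, user, owner=None):
    """Create the (assumed) maildir layout; chown only directories created by this call."""
    path = safe_maildir_path(base, domain, user)
    uid = gid = -1                       # -1 leaves ownership unchanged (non-root test runs)
    if owner is not None:
        pw = pwd.getpwnam(owner)
        uid, gid = pw.pw_uid, pw.pw_gid
    wanted = [os.path.dirname(path), path]
    wanted += [os.path.join(path, sub) for sub in ("cur", "new", "tmp")]
    for d in wanted:
        if not os.path.isdir(d):
            os.mkdir(d, 0o700)
            os.chown(d, uid, gid, follow_symlinks=False)   # no recursive chown
    return path

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: mkmaildir <domain> <user>")
    try:
        print(create_maildir("/home/vmail", sys.argv[1], sys.argv[2], owner="vmail"))
    except (ValueError, OSError, KeyError) as exc:
        sys.exit(f"mkmaildir: {exc}")
```

The web-side script would then call `sudo /usr/local/sbin/mkmaildir <domain> <user>` with an argument list rather than a shell string, and would no longer write under `/home/vmail` itself.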