LinuxQuestions.org
Old 11-05-2004, 11:24 PM   #1
kosuke
LQ Newbie
 
Registered: Nov 2004
Posts: 3

python script needs root chown ability


I've written a python script that will be executed by my webserver (apache on a linux box). The script simply creates a directory into which email can be written.

When the script creates the directory, it winds up with a UID/GID that is the same as the webserver's - in this case www-data. I need to get that changed to another user called vmail (uid/gid == 1002).

So in my python script, I added the line:

os.chown('directory', 1002, 1002)

But when I run the script I get:

OSError: [Errno 1] Operation not permitted: '/directory'

So I changed the ownership of the python script to be root.root and set it to setuid/setgid and tried running it again. But still the same error.

More reading and I found that Linux setuid doesn't work for scripts? Only compiled programs?

So I compiled my python script to be a .pyc file and did setuid on that. Still same error.

How can I get a higher level of privileges so my python script can do the chown that it needs to do?

Thanks
Kosuke
 
Old 11-06-2004, 01:16 AM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Scripts may not be setuid (except perl through a special interface...). You basically have two options:

1. a setuid C wrapper for the python script

2. sudo. I recommend this. Most distributions have it easily available.
 
Old 11-06-2004, 01:24 AM   #3
foo_bar_foo
Senior Member
 
Registered: Jun 2004
Posts: 2,553

If you set the setgid bit on the parent directory, that should at least get you the right group.
Perhaps you can give the group rw permission and avoid having to chown.
 
Old 11-06-2004, 01:43 AM   #4
CroMagnon
Member
 
Registered: Sep 2004
Location: New Zealand
Distribution: Debian
Posts: 900

.pyc files are not binaries - they are run by the python interpreter, as they are bytecode files. In order to make this work via setuid, you would have to make either the python interpreter (BAD!) or the chown command (still quite bad) setuid root. If you use either of these options, you practically gift-wrap root access for all users. Unless you're fully aware of the risks and can guarantee they're not an issue on this system, I wouldn't do it (in other words, don't do this unless this webserver is only accessible by you on a private network, and even then think carefully fourteen times before you do).

From the chown (2) man page:
Quote:
The owner of the file specified by path or by fd is changed. Only the super-user may change the owner of a file. The owner of a file may change the group of the file to any group of which that owner is a member. The super-user may change the group arbitrarily.
Based on this, I would consider finding a solution that works only by changing the group. Do you need to create this directory more than once? Perhaps set up the directory correctly once, and change the script so that it doesn't try to create it. Or perhaps set up a root cron job that does a relevant chown -R every few minutes if the owner setting is really important. Perhaps if you describe what you're trying to do and why the ownership is so important, someone will come up with a better alternative.
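The group-only approach suggested in the two replies above can be checked without any privilege at all. The following is an added example, not code from the thread: it builds a setgid parent directory in a temporary location, creates a subdirectory the way the CGI script would (plain mkdir, no chown), and reports whether the new directory picked up the parent's group. The group is chosen from the process's own supplementary groups, since an unprivileged owner may only chgrp to a group it belongs to; the /home/vmail layout and the 2770 mode are assumptions for the demonstration.

```python
"""Show that a directory created under a setgid parent inherits the parent's
group, so the web server's script never needs to chown (added example)."""
import os
import stat
import tempfile


def pick_group() -> int:
    """Prefer a supplementary group that differs from the effective gid so the
    inheritance is visible; fall back to the effective gid if there is none."""
    egid = os.getegid()
    for gid in os.getgroups():
        if gid != egid:
            return gid
    return egid


def make_shared_root(path: str, gid: int) -> None:
    """Create the mail root with group `gid` and mode 2770: setgid bit set,
    rwx for owner and group, nothing for others (assumed layout)."""
    os.mkdir(path, 0o770)
    os.chown(path, -1, gid)      # -1 leaves the owner unchanged
    os.chmod(path, 0o2770)       # S_ISGID | rwxrwx---


def create_mailbox_dir(root: str, name: str) -> dict:
    """What the CGI script would do: mkdir under the setgid root, no chown.
    Returns the resulting ownership so the caller can inspect it."""
    child = os.path.join(root, name)
    os.mkdir(child, 0o770)
    st = os.lstat(child)
    return {
        "uid": st.st_uid,
        "gid": st.st_gid,
        # On Linux a subdirectory of a setgid directory is itself setgid,
        # so the inheritance continues to nested maildir folders.
        "setgid": bool(st.st_mode & stat.S_ISGID),
    }


def demo() -> dict:
    """Build the layout in a temp dir and report whether the group carried."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "vmail")      # stand-in for /home/vmail
        gid = pick_group()
        make_shared_root(root, gid)
        info = create_mailbox_dir(root, "alice")   # constructed user name
        info["root_gid"] = gid
        info["inherited"] = info["gid"] == gid
        return info


if __name__ == "__main__":
    print(demo())
```

The owner of the new directory is still the web server's uid; only the group changes. That is enough for a delivery agent that runs with group vmail and group-writable directories, which is the point of the suggestion.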
 
Old 11-06-2004, 07:16 AM   #5
kosuke
LQ Newbie
 
Registered: Nov 2004
Posts: 3

Original Poster
Quote:
Or perhaps set up a root cron job that does a relevant chown -R every few minutes if the owner setting is really important. Perhaps if you describe what you're trying to do and why the ownership is so important, someone will come up with a better alternative.
I run a small webserver for a handful of sites. Everything is on one Linux box with 1 IP and each site has a virtual host configured under Apache 1.3. Each site (domain) also has full email service via a Postfix where all the entries for users/aliases are handled in MySQL. I've written some password protected admin web pages so owners of each domain can manage their email settings. One such admin page would allow the manager to add new email users. Adding a user to the MySQL DB is trivial, but to complete the new user set up, a filesystem entry needs to be made for the new user.

The uid/gid of the virtual mail system runs under a name of 'vmail'. Apache runs under 'www-data' and Postfix runs under 'postfix'. I've written the Python script to make the necessary filesystem entries in /home/vmail for the new user. But after testing found that it gets written as uid/gid 'www-data'. I need to change that to a uid/gid of 'vmail'.

So that's specifically what I'm attempting. An admin for any one of the websites (domains) on my server needs to be able to add new user email accounts. Part of this process on my setup is the creation of the filesystem entry for the new user. I wrote the Python script to do that, but need to get a handle on the directory/file ownership.

The suggestions from above make sense and are appreciated. Of them, I would presume the most secure is to have a cronjob for root run every 5 minutes or so. How much overhead to the system is this? Trivial?

My 2nd approach would probably be to rewrite my Python script in C and give it setuid.

The idea of using sudo sounds good, but in my case, I think I'd have to give sudo privileges to the user 'www-data' to run /bin/chown, which on the surface doesn't sound like a good idea. Although in sudoers I guess I could limit the privileges by specifying a very narrow Cmnd_Alias like
'/bin/chown -R vmail.vmail /home/vmail/domain'

Thanks again for the suggestions and any additional thoughts.

Kosuke
 
Old 11-07-2004, 05:14 PM   #6
CroMagnon
Member
 
Registered: Sep 2004
Location: New Zealand
Distribution: Debian
Posts: 900

The pressure on the system would be pretty minimal with a cron job, but it seems wasteful to run every five minutes if user additions aren't going to be frequent.

Instead of rewriting your python script, you could have a look here: http://www.python.org/doc/faq/progra...-python-script

Another option would be to only write the barest C program necessary (just enough code to make sure the directory is the user-mail one and then change the ownership) and add a system call in the existing python script.
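Whether the privileged step is a narrow sudoers entry (post #5) or a minimal wrapper that does "just enough to make sure the directory is the user-mail one" (post #6), the unprivileged side has to be the part that refuses anything other than a real directory under the mail root. The block below is an added example, not code from the thread or the poster's script. It assumes the /home/vmail/<domain>/<user> layout described above and a vmail:vmail owner; the argv it builds is for a hypothetical sudoers rule with fixed arguments, and it deliberately avoids sudoers argument wildcards, which are matched against the whole concatenated argument string and so match across `/` and spaces. The check-then-chown sequence still has a window between the check and the privileged call; a wrapper that opens the directory with O_NOFOLLOW and uses fchown would close it, which this path-based example does not.

```python
"""Confinement checks before handing a path to a privileged chown
(added example; layout and owner assumed from the thread)."""
import os
import re
import tempfile
from typing import List, Optional

VMAIL_ROOT = "/home/vmail"      # layout described in the thread
VMAIL_OWNER = "vmail:vmail"     # assumed target owner:group
# One plain label: lowercase alnum plus . _ -, no leading dot or dash, so a
# name can never be parsed as a chown option or contain a path separator.
LABEL_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,62}$")


def valid_label(name: str) -> bool:
    """Accept a single path component that is safe to splice into a path."""
    return bool(LABEL_RE.match(name)) and ".." not in name


def confined_dir(root: str, *labels: str) -> Optional[str]:
    """Return root/labels if every label is valid and the path resolves,
    without crossing any symlink, to an existing directory inside root."""
    if not labels or not all(valid_label(l) for l in labels):
        return None
    real_root = os.path.realpath(root)
    candidate = os.path.join(real_root, *labels)
    # realpath follows symlinks; if any component was a symlink the resolved
    # path differs from the literal one, and we refuse it rather than follow.
    if os.path.realpath(candidate) != candidate:
        return None
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    if not os.path.isdir(candidate):
        return None
    return candidate


def chown_argv(domain: str, user: str,
               root: str = VMAIL_ROOT) -> Optional[List[str]]:
    """Fixed argv for the privileged step. Only the checked path varies, and
    it is always an absolute path under root, never an option-like string.
    A matching sudoers line (hypothetical) would name the exact command,
    owner and path with no wildcards, one line per permitted target."""
    target = confined_dir(root, domain, user)
    if target is None:
        return None
    return ["sudo", "-n", "/bin/chown", VMAIL_OWNER, target]


def demo() -> dict:
    """Constructed layout in a temp dir: one good mailbox directory, one
    symlink that escapes the root, plus traversal and option-injection tries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "vmail")
        os.makedirs(os.path.join(root, "example.org", "alice"))
        # "mallory" is a symlink to a directory outside the mail root
        os.symlink(os.path.dirname(tmp),
                   os.path.join(root, "example.org", "mallory"))
        return {
            "good": chown_argv("example.org", "alice", root),
            "symlink": chown_argv("example.org", "mallory", root),
            "traversal": chown_argv("..", "etc", root),
            "option": chown_argv("example.org", "-R", root),
            "missing": chown_argv("example.org", "bob", root),
        }


if __name__ == "__main__":
    for case, argv in demo().items():
        print(f"{case:10s} -> {argv}")
```

Only the "good" case yields a command; the symlink, traversal, option-looking name and nonexistent directory all return None before anything privileged runs. The same three checks (label syntax, no symlink in the chain, inside the root) are what a minimal C wrapper would perform on its one argument.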
 
  

