Change to sudo user within a python script

Posted 2019-01-08 20:39

I have a problem. I am writing a piece of software which is required to perform an operation that requires the user to be in sudo mode. Running 'sudo python filename.py' isn't an option, which leads me to my question: is there a way of changing to sudo halfway through a Python script? Security isn't an issue, as the user will know the sudo password. The program should run in the following way to illustrate the issue:

  1. program running as normal user
  2. ...... performing operations
  3. user enters sudo password
  4. user changed to sudo
  5. sub program requiring sudo permission is run
  6. on trigger event (end of sub program) user becomes normal user again
  7. ...... performing operations

My problem lies in step 3, any pointers or frameworks you could suggest would be of great help.

Cheers

Chris

8 answers

够拽才男人
#2 · 2019-01-08 20:56

Use Tcl and Expect, plus subprocess to elevate yourself. So basically it's like this:

sudo.tcl

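package require Expect
# Append the command to run as root after "sudo".
spawn sudo
expect {
    "Password:" {
        # \r submits the password; the prompt text varies by platform.
        send "password\r"
    }
}
# Wait for the spawned command to finish before the script exits.
expect eof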

sudo.py

import subprocess
subprocess.call(['tclsh', 'sudo.tcl'])

And then run sudo.py.

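
放荡不羁爱自由
#3 · 2019-01-08 20:59

import subprocess
username = "root"  # placeholder: the account to run the command as
# An argument list without shell=True keeps the username out of shell parsing.
output = subprocess.check_output(["sudo", "-i", "-u", username, "ls", "-l"]).decode("utf-8").strip()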

混吃等死
#4 · 2019-01-08 21:00

It is better to run as little of the program as possible with elevated privileges. You can run the small part that needs more privilege via the subprocess.call() function, e.g.

import subprocess
returncode = subprocess.call(["/usr/bin/sudo", "/usr/bin/id"])

可以哭但决不认输i
#5 · 2019-01-08 21:00

If you are able to encapsulate just the necessary functionality requiring elevated privileges in a separate executable, you could use the setuid bit on the executable program, and call it from your user-level python script.

In this way, only the activity in the setuid-executable runs as root. However, executing this does NOT require sudo, i.e., root privileges. Only creating/modifying the setuid-executable requires sudo.

There are a few security implications, such as ensuring that your setuid executable program properly sanitizes any user input (e.g., parameters), so that it cannot be tricked into doing something it should not (confused deputy problem).

ref: http://en.wikipedia.org/wiki/Setuid#setuid_on_executables

edit: setuid only seems to work for compiled executables (binaries), and not interpreted scripts, so you may need to use a compiled setuid wrapper.


"骚年 ilove
#6 · 2019-01-08 21:01

You can use setuid to set the user's uid. But for obvious security reasons you can only do this if you are root (or the program has suid root rights). Both of these are probably a bad idea.

In this case you need sudo rights to run a specific program. In that case just sub to "sudo theprogram" instead.


一夜七次
#7 · 2019-01-08 21:11

Are you talking about having the user input password half way through your execution? raw_input() can take a user input from console, but it will not mask the password.

>>> y = raw_input()
somehting
>>> y
'somehting'
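
The approach from the answer recommending subprocess.call() with sudo, combined with the password-entry concern in the last answer, as an added example that is not part of any answer on this page. The allowlist, the function names and the choice of /usr/bin/id are assumptions for illustration; sudo reads the password itself, so the script needs no raw_input() or getpass() at all.

```python
import os
import subprocess

SUDO = "/usr/bin/sudo"
# Assumption for this example: the only programs the script may run as root.
ALLOWED = {"/usr/bin/id"}


def sudo_argv(command, prompt="[sudo] password for %u: "):
    """Build an argv list (no shell involved) for one allowlisted command."""
    if not command or command[0] not in ALLOWED:
        raise ValueError("not an allowlisted privileged command: %r" % (command,))
    # -p sets the prompt text; "--" stops sudo treating later items as options.
    return [SUDO, "-p", prompt, "--"] + list(command)


def run_privileged(command, runner=subprocess.run):
    """Run one command as root, then drop sudo's cached credentials.

    sudo itself reads the password from the terminal with echo off, so the
    script never sees or stores it, and the Python process stays unprivileged.
    """
    try:
        return runner(sudo_argv(command), check=False).returncode
    finally:
        # -k invalidates the cached timestamp, so later steps cannot
        # silently reuse the elevation.
        runner([SUDO, "-k"], check=False)


if __name__ == "__main__":
    print("euid before:", os.geteuid())   # normal user
    status = run_privileged(["/usr/bin/id"])  # sudo prompts here
    print("exit status:", status)
    print("euid after:", os.geteuid())    # still the normal user
```

The runner parameter exists only so the command construction can be checked without invoking sudo.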