3

I have certain scripts that are installed as console_scripts using Python's setuptools. This script is run as the www-data user. But the script also needs access to SSL certs that can be read only by the root user.

One of the possible solutions that I see to solving this problem is setting SUID on the generated console_script. I can do that manually using a Makefile, but I was looking for more of an out-of-the-box solution that is already provided by any packaging tool in the Python ecosystem.

Is this possible at all? Or is setting SUID using a Makefile the best option I have?

vaidik

1 Answer

1

A better option may be to write the wrapper script yourself, have the appropriate SUID and GUID bits set before packaging, and then distribute it via the scripts setting rather than the console_scripts entry points. This saves you the problem of having to rely on make at the expense of a little extra project maintenance.

Another option would be to have a post-install hook which runs os.chmod() or os.fchmod() on the installed console script, but keep in mind that this will not work with .egg binary distributions (or possibly Python 3 .wheel). This SO answer has details on that. Note that this means that the installer would have to be run as root, regardless of where the package is actually installed to (including a local environment).

Community
stiv
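An added example (not code from the answer or from setuptools) of the chmod step that such a post-install hook would run, written so that it fails closed. The names `set_suid` and `is_interpreter_script` are hypothetical; the function also reports whether the target is a `#!` script, because Linux ignores the SUID bit on interpreted scripts, which is what setuptools generates for console_scripts on POSIX systems.

```python
import os
import stat


def is_interpreter_script(fd):
    """True if the file starts with '#!', as generated console scripts do."""
    return os.pread(fd, 2, 0) == b"#!"


def set_suid(path):
    """Add the SUID bit to an installed script (hypothetical hook helper).

    Returns (new_mode, suid_effective). suid_effective is False for '#!'
    scripts: the Linux kernel does not honour SUID on interpreted files,
    so the bit would be set but the script would still run unprivileged.
    """
    # O_NOFOLLOW: refuse to chmod through a symlink placed at the script path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"{path}: not a regular file")
        # A SUID file that group or others can rewrite gives them the
        # owner's privileges, so stop instead of setting the bit.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: writable by group or others")
        # fchmod acts on the descriptor that was just checked, so the file
        # cannot be swapped between the check and the mode change.
        os.fchmod(fd, stat.S_IMODE(st.st_mode) | stat.S_ISUID)
        new_mode = stat.S_IMODE(os.fstat(fd).st_mode)
        return new_mode, not is_interpreter_script(fd)
    finally:
        os.close(fd)
```

A hook would call `set_suid()` on the script path the installer reports and treat `suid_effective == False` as a failed install, not as success.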