
I have a Python script that automatically has to trigger a shell script. Everything works fine but there is one problem. When I execute the script (from a web interface) the terminal where the process runs under will ask for the password of the user. This shouldn't be asked and should automatically connect with sudo rights.

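    import os
    import subprocess

    # Argument list instead of a shell string, so the path is never parsed by a shell.
    subprocess.call(['chmod', '+x', pathInstallScript])
    os.chdir(installerLocation)
    # The problem happens here: sudo prompts for the user's password.
    subprocess.call(['sudo', './' + self.file_to_execute])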

The subprocess.call works fine. It will find the path and starts but then the sudo kicks in. The sudo call will ask for the user's password before it continues. When I manually enter the password in the terminal everything will work fine but I have to bypass this. What I've tried:

    cmd = ['sudo', './'+ self.file_to_execute]
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    proc.stdin.write('MyPassword\n')
    proc.stdin.flush()

But that doesn't seem to pass the password in. My second attempt:

    proc = subprocess.Popen(
        ['sudo', './' + self.odoo_username],
        stdin=subprocess.PIPE)
    proc.stdin.write('odoo\n')
    proc.stdin.close()
    proc.wait()

But no success either. So how can I pass the password within this call so I don't have to manually authenticate?

Note: I do know that placing user password in files is not secure and frowned upon. In the next step my password will be provided from the database and won't be up for grabs in any single way!

Jamie Bull
Yenthe
  • have you considered enabling password-less sudo for the relevant user? – scytale Aug 21 '15 at 10:08
  • @scytale yes I have thought about that but I'd really rather not. This application has to work on multiple systems out of the box and that wouldn't be the case with password-less sudo since it would have to be configured. Plus security wise I don't really like it either. – Yenthe Aug 21 '15 at 10:10
  • well you're going to be storing a password in a db that effectively gives root access to all these boxes so security is not exactly tight – scytale Aug 21 '15 at 10:19
  • The database and interface will be inaccessible for any user and there is only one way in to the system from where you could execute the script. The rest of the system is blocked out for this user so I don't think it would give too many security problems then? – Yenthe Aug 21 '15 at 10:23
  • basically either way if an attacker gets into this user account they have root - it's just a question of if they need to query the db to get the password for sudo. – scytale Aug 21 '15 at 10:27
  • I guess you should be able to find your answer here?: http://stackoverflow.com/questions/13045593/using-sudo-with-python-script – Igor Aug 21 '15 at 10:30
  • No @Igor ! unencrypted files are not maintained a password – dsgdfg Aug 21 '15 at 10:31
  • @Yenthe, it has roughly the same security problem of having the password in a file, which can also be given permission to only be accessed by that user. Furthermore, the user who has access to `file_to_execute` essentially has root access too, without even needing the password. I agree with scytale, you could solve the problem by using sudo, passwordless for that user and preferably limited to a single command, not writable by the user and that doesn't write to arbitrary files. – Paulo Almeida Aug 21 '15 at 10:33
  • @scytale you have a point there, although it makes it a little bit harder. Paulo Almeida and scytale the main problem is that this application should be a one-click install and nothing should have to be configured. Which wouldn't be the case when adding password-less rules. I couldn't even automate those in the install. – Yenthe Aug 21 '15 at 10:36
  • does the "1 click install" require root privileges? – scytale Aug 21 '15 at 10:39
  • and will each machine the script is installed on use the same user - and will the password for that user be the same? – scytale Aug 21 '15 at 10:40
  • _Something_ has to be configured for it to work as you want it to. That user has sudo privileges, which have to be configured. Maybe it's a standard user account in your organization, but the rest of the necessary configuration could also be standardized when you install new machines. – Paulo Almeida Aug 21 '15 at 10:42
  • @scytale the application will not need root access. It only needs sudo rights for the user where the application runs under (to execute the shell with sudo). The username and password will always be different on every device. – Yenthe Aug 21 '15 at 10:42
  • so you're going to store the username/password for multiple accounts on multiple devices in your db? – scytale Aug 21 '15 at 10:43
  • and how are those accounts going to be given sudo? that will already be in place before your application is installed? or you will have to configure that somehow? – scytale Aug 21 '15 at 10:44
  • The account that runs the application will always have sudo rights in place, by default. Every application will be on its own server with its own username, password and database. So everything is 100% separated. The only thing that needs to work is to execute a shell with sudo and then everything is working fine. – Yenthe Aug 21 '15 at 10:46
  • @Igor I did find that post before and tried a few ways but none of them work either. – Yenthe Aug 21 '15 at 10:50
  • Actually I made a fault in one of the solutions from that question. Let me give this another try! I will post back soon. – Yenthe Aug 21 '15 at 10:52
  • this sounds like a potential security disaster. there is probably a much better way to do what you need to do. – scytale Aug 21 '15 at 10:57
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/87579/discussion-between-yenthe-and-scytale). – Yenthe Aug 21 '15 at 10:58

0 Answers
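The comments above suggest password-less sudo limited to a single command that the calling user cannot write to. The following is an added example, not code from the original post or its commenters: it checks that the delegated script is root-owned and not group- or world-writable, then calls it with `sudo -n` so the call fails instead of prompting. The account name `appuser`, the script path and the function names are assumptions.

```python
import os
import stat
import subprocess

# Assumed sudoers drop-in (edited with `visudo -f /etc/sudoers.d/installer`).
# "appuser" and the script path are placeholders, not values from the question:
#   appuser ALL=(root) NOPASSWD: /usr/local/sbin/install_app.sh
INSTALL_SCRIPT = "/usr/local/sbin/install_app.sh"  # hypothetical path


def target_problems(st_uid, st_mode):
    """Return the reasons a script is unsafe as a NOPASSWD sudo target."""
    problems = []
    if st_uid != 0:
        # A script owned by the unprivileged user can be rewritten by it,
        # which turns the single-command rule into full root.
        problems.append("not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    return problems


def run_privileged(path=INSTALL_SCRIPT):
    """Run the delegated script as root without ever prompting for a password."""
    st = os.stat(path)  # follows symlinks, so the real file is checked
    problems = target_problems(st.st_uid, st.st_mode)
    if problems:
        raise PermissionError(path + ": " + ", ".join(problems))
    # -n: non-interactive; sudo exits non-zero if a password would be needed.
    # The absolute path must match the sudoers entry exactly.
    return subprocess.run(
        ["sudo", "-n", "--", path],
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
        check=False,
    )


if __name__ == "__main__":
    # Constructed stat values: root-owned 0755 file vs. user-owned 0777 file.
    print(target_problems(0, 0o100755))
    print(target_problems(1000, 0o100777))
```

A non-zero `returncode` from `run_privileged` with a message on `stderr` means the sudoers rule is missing or does not match the path; no password is stored or piped anywhere.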