1

I have a question: I'd like to run the example below, but as a non-root user.

import os
os.listdir("/home/XYZ/")

OR

spath = "/home/XYZ"
import os
for roots, dirs, files in os.walk(spath):
    for file in files:
        print("file  = %s" % file)

I know it will work if I am a root user, but in case I am using sudo, what is the proper command to be used in this situation?

As far as I know so far, it's not correct if I type something like `os.listdir("sudo /home/XYZ")`.

Thanks Cheers

kuro
  • 3,214
  • 3
  • 15
  • 31
Mohamed Nour
  • 11
  • 1
  • 2
  • The proper command is to use Python itself with `sudo`, like this: `sudo python file.py`. – ForceBru May 11 '17 at 13:27
  • When I do that it requires a password; I am asking if there is any solution that can be embedded into the code. – Mohamed Nour May 11 '17 at 13:49
  • Take a look here.. [http://stackoverflow.com/questions/13045593/using-sudo-with-python-script](http://stackoverflow.com/questions/13045593/using-sudo-with-python-script) – Flinkas May 11 '17 at 14:17

3 Answers

1

These are all valid, but they all require elevating privileges well beyond what is required. Executing the whole script with sudo, while the easiest, is also a significant risk, especially if it listens on any ports for incoming requests/hooks. Using the sudoers file to allow all commands, with or without a sudo password, again comes with unnecessary risk.

However, we have a third option: spawn a subprocess with elevated privileges, which can then be limited to allow just the required commands (for example, giving it access to mkdir but not rm, cp, dd, mysqldump, mailx, etc.). It treads the line between both worlds and elevates only what really needs to be elevated. Now, you should be careful with this, for example when allowing, say, the rm command regardless of its arguments (recursive, permissions, etc.), but even so this is still safer than executing the whole script/application as full root with access to everything.

The python code:

import subprocess
cmd = 'some_command_such_as_ln_or_mkdir'
subprocess.run(cmd, stdin=True, shell=True)

This allows running just the subprocess with sudo in a shell which accepts input from stdin so sudo can prompt for a password. If you are doing this in an automated process, you can configure the sudoers to allow you to run only the minimum required commands without a password. You should still be cautious with this, but it is at least the most sane solution I have found.

The /etc/sudoers.d/$MY_USER_OR_PROGRAM_NAME should look something like this:

$USER_PROGRAM_EXECECUTED_BY ALL = ($USER_TO_RUN_ELEVATED_COMMAND_AS) NOPASSWD: $ABSOLUTE_PATH_TO_SOME_COMMAND_SUCH_AS_LN_OR_MKDIR, $ANOTHER_ABSOLUTE_PATH_TO_SOME__OTHER_COMMAND

While you might be forced to set ($USER_TO_RUN_ELEVATED_COMMAND_AS) to (root) depending on your use case, you should first try with a more limited user. If, say, you need to create a directory in a directory owned and grouped by root, you will need this. If, say, you are creating a dir in /var/log/ and it is owned or grouped by a user/group to allow shipping the logs to another system without needing root, then you can leverage that user instead.

If you are expecting any user input that gives you even a part of the command you should be careful and look at something like shlex for preventing shell injections: https://docs.python.org/3.5/library/shlex.html#shlex.quote

Also, one last note: if you do not need to read in passwords from stdin (never used interactively), then you can probably remove the stdin=True.

Ben Abrams
  • 11
  • 2
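An added example (not code from the answer above) of the narrow-elevation approach it describes: only one allowlisted binary is run through `sudo -n`, the arguments are passed as a list so no shell parses them, and `shlex.quote` is shown for the case where a shell string cannot be avoided. The `/bin/mkdir` path, the `/var/log/myapp` base directory and all function names are assumptions made for illustration.

```python
import os
import shlex
import subprocess

# Assumptions (not from the answer): the sudoers drop-in permits exactly this
# binary with NOPASSWD, and the app may only create directories under BASE_DIR.
ALLOWED = {"mkdir": "/bin/mkdir"}
BASE_DIR = "/var/log/myapp"  # hypothetical

def build_argv(action, user_path, base=BASE_DIR):
    """Return the argv for the elevated command, or raise ValueError."""
    if action not in ALLOWED:
        raise ValueError("command not allowlisted: %r" % (action,))
    # An absolute user_path replaces base in join(); commonpath() catches that
    # as well as ../ traversal. Symlinks are not resolved here.
    target = os.path.normpath(os.path.join(base, user_path))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes %s: %r" % (base, user_path))
    # -n: fail instead of prompting; "--": the path is never read as an option.
    return ["sudo", "-n", ALLOWED[action], "--", target]

def run_elevated(action, user_path):
    """Run only the allowlisted command through sudo; no shell is involved."""
    return subprocess.run(build_argv(action, user_path),
                          stdin=subprocess.DEVNULL, capture_output=True,
                          text=True, check=False)

def shell_form(argv):
    """Quote every argument with shlex.quote for when a shell string is unavoidable."""
    return " ".join(shlex.quote(arg) for arg in argv)

if __name__ == "__main__":
    # Constructed inputs: one normal path, one with shell metacharacters.
    for path in ("reports/2017", "reports; id"):
        print(shell_form(build_argv("mkdir", path)))
```

With the list form, `reports; id` reaches `mkdir` as a single literal directory name; the same string concatenated into a `shell=True` command would be split at the semicolon.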
0

I would do it this way, because ideally one shouldn't mess with hard coded passwords

First, edit your sudoers

sudo visudo

Then add a line like this

username ALL = NOPASSWD:/path/to/your/script.py

Then make sure your script has this at the top (to make python execute)

#!/usr/bin/python

Make sure your script is set to executable

sudo chmod +x /path/to/your/script.py

Finally, to run the script do.

sudo /path/to/your/script.py

Then it will run the script with sudoers permissions. Be careful, as anything in the script will run as though root.

So the script should look something like:

   #!/usr/bin/python
   import os

   spath = "/root"
   for roots, dirs, files in os.walk(spath):
       for file in files:
           print("file = {}".format(file))
Nertskull
  • 491
  • 6
  • 20
0

If you want to start your script as root from any user, I see two easy ways.

You can make them use the sudo command without giving them the right to execute everything as root. For example you can edit the sudoers file (/etc/sudoers) to allow them to become root, but only for this script.

username ALL = (root) NOPASSWD: /path/to/your/script

Or allow a group of users to execute it as root with sudo :

%groupname ALL = (root) NOPASSWD: /path/to/your/script

Your users will only have to do :

sudo path/to/python/script.py

The second way is to use the sticky bit. You may want to take a look at this post. This way of doing it is a little more user-friendly because you don't have to add "sudo" before each command.

In both cases, you are giving root access, so be careful with your script and DO NOT ALLOW USERS TO MODIFY IT. If a user is able to modify your script, he can execute any command as root, and that's something you don't want to happen on your machine.

hugoShaka
  • 4,977
  • 3
  • 17
  • 29
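An added example (not code from any of the answers) that checks the condition the last answer warns about: whether the script named in a sudoers rule, or any directory above it, can be modified by someone other than root. The function names are assumptions, and group or world write bits are flagged conservatively, including on sticky directories such as /tmp.

```python
import os
import stat

def stat_issue(st, trusted_uid=0):
    """Return why a file or directory is modifiable by non-root, or None."""
    if st.st_uid != trusted_uid:
        return "owned by uid %d, not %d" % (st.st_uid, trusted_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable (mode %o)" % stat.S_IMODE(st.st_mode)
    return None

def audit_sudo_target(path, trusted_uid=0):
    """Check the script and every parent directory up to /.

    A writable parent directory lets a user rename the script away and put a
    different file at the same path, so the whole chain has to be clean.
    """
    findings = []
    current = os.path.realpath(path)  # audit what the path really points to
    while True:
        issue = stat_issue(os.stat(current), trusted_uid)
        if issue:
            findings.append((current, issue))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings

if __name__ == "__main__":
    import sys
    # Usage: python audit.py /path/to/your/script
    results = audit_sudo_target(sys.argv[1])
    for where, why in results:
        print("%s: %s" % (where, why))
    sys.exit(1 if results else 0)
```

An empty result means the script and all of its parent directories are owned by root and writable only by their owner.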