I have a daemon written in Python that runs as root and listens for "command codes" on a memory queue. Each "command code" is mapped (statically) to a real command that the script executes (as root) when the corresponding code arrives through the queue. This is done to ease the task of running things that require root from non-root processes (like Apache), without having to mess with dirty hacks.
Example:
- command code:
dump-db
- command:
mysqldump -u root -p --all-databases > alldb.sql
This works, and as far as I know is safe (meaning that no unprivileged user is able to execute anything outside of the specific pre-defined commands as root). Now I'd like to allow passing one or more parameters along with the command codes:
- command code:
dump-db
- command params:
[first, second]
- command (template):
some_script --some_par --first_par {0} --second_par {1}
- command (final version with params):
some_script --some_par --first_par first --second_par second
Python code will be like:
import shlex
import subprocess

cmd = template.format(*params)   # unpack the list so {0} and {1} are both filled
cmd_expl = shlex.split(cmd)      # split the formatted string into an argv list
subprocess.check_output(cmd_expl)
I know that there could be serious risks in doing it with shell=True (see https://stackoverflow.com/a/29023432/1044560). Is it safe with shell=False? Can that be exploited too?
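The following is an added example, not code from the question above. It compares the format-then-shlex.split approach from the question with a version that substitutes each parameter into exactly one argv slot, and adds a hypothetical allow-list for the parameters. Both the template strings and the sample parameter values are constructed for this example; the name some_script is taken from the question and is not a real program.

```python
import re
import shlex
import subprocess

# Constructed for this example: the same template in the two representations.
TEMPLATE_STR = "some_script --some_par --first_par {0} --second_par {1}"
TEMPLATE_ARGV = ["some_script", "--some_par", "--first_par", "{0}",
                 "--second_par", "{1}"]

# Hypothetical allow-list: letters, digits, '_', '.', '-', and no leading '-',
# so a parameter can never be parsed as an option by the target program.
PARAM_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def argv_via_format_then_split(template_str, params):
    """The approach from the question: format the string, then shlex.split it.

    The parameters are re-tokenised by shlex, so whitespace or quotes inside a
    parameter change how many argv entries the target program receives, even
    though no shell is ever involved.
    """
    return shlex.split(template_str.format(*params))


def argv_via_per_slot_substitution(template_argv, params):
    """Substitute each parameter into exactly one argv slot.

    The argv list is never re-tokenised, so a parameter containing spaces,
    quotes or a leading '--' stays a single argument whatever it contains.
    """
    return [slot.format(*params) for slot in template_argv]


def params_allowed(params, expected_count):
    """Reject wrong arity and anything that is not a plain token."""
    return len(params) == expected_count and all(
        isinstance(p, str) and PARAM_RE.match(p) is not None for p in params
    )


def run_command(template_argv, params, expected_count=2):
    """Validate first, build argv per slot, and run without a shell."""
    if not params_allowed(params, expected_count):
        raise ValueError("parameter rejected by allow-list")
    argv = argv_via_per_slot_substitution(template_argv, params)
    return subprocess.check_output(argv)


if __name__ == "__main__":
    benign = ["first", "second"]
    hostile = ["first", "second --extra-flag"]   # constructed hostile parameter
    print(argv_via_format_then_split(TEMPLATE_STR, benign))
    # Seven argv entries: '--extra-flag' arrives as its own option.
    print(argv_via_format_then_split(TEMPLATE_STR, hostile))
    # Six argv entries: the whole hostile string is one argument.
    print(argv_via_per_slot_substitution(TEMPLATE_ARGV, hostile))
    print(params_allowed(hostile, 2))
```

Even without a shell, whatever a parameter turns into is handed to the target program as its options and arguments, so the damage depends on what options that program accepts; keeping each parameter in its own argv slot prevents one parameter from becoming several, and the allow-list keeps a parameter from starting with a dash. A parameter with an unbalanced quote, such as it's, also makes shlex.split raise ValueError ("No closing quotation"), which with the question's approach would take down the daemon's handler rather than run anything.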