0

I am working on a Python project which involves running some sudo commands. In the project, I have to run systemctl commands to get the status of running services. For this I have the code below:

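```python
import subprocess

# status_logs (log file path) and search_tag (text to grep for) are assumed
# to be defined earlier in app.py
cmd = "sudo service mongodb status > " + status_logs
subprocess.call(cmd, shell=True)
cmd = "grep '" + search_tag + "' " + status_logs
# Decode the bytes returned by check_output into text before slicing
status_string = subprocess.check_output(cmd, shell=True).decode()

# Keep the text between the first ":" and the next ")", e.g. "active(running)"
start = status_string.index(":") + len(":")
end = status_string.index(')', start)
status = status_string[start:end]
status = status + ")"
status = status.replace(" ", "")
```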

If I run the above code as `sudo python3 app.py`, then I get the proper response as active(running) or inactive(dead). But I need to run the code without sudo, i.e. `python3 app.py`.

In this case, it keeps asking for the password of the current user in the terminal. How can I remove this and proceed further? Please help. Thanks.

Contents of /etc/sudoers

```
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
```
S Andrew
  • 1
    Use the `NOPASSWD` option in `/etc/sudoers`. Type `man sudoers` for details, and remember to use `visudo` to edit the sudoers file. – alani Sep 29 '20 at 08:04
  • @alani Where exactly in the file do I have to mention `NOPASSWD`? Is there any way to do it directly from Python? – S Andrew Sep 29 '20 at 08:17

1 Answer

1

@alani's comment on the OP is good; specifically, I would try to clamp down as much as possible so that issues with your program do not have disastrous consequences. For example, if your program will be running under the group mongo_checkers, something like this would enable it to check the status only:

```
%mongo_checkers ALL= NOPASSWD: /usr/sbin/service mongodb status
```

This should be relatively harmless.

[edit: as per @alani comment on this answer, have specified full path to service. ty!]

w08r
  • I have updated the content of file `/etc/sudoers`. Can you please tell me where I should mention NOPASSWD? – S Andrew Sep 29 '20 at 08:21
  • As per the answer, should work (not tested) – w08r Sep 29 '20 at 08:22
  • 1
    @SAndrew This answer tells you exactly where you should mention it. And is the sort of thing I had in mind -- I wasn't suggesting using NOPASSWD for everything. I would go a step further and put the whole path to `service` here, i.e. `/usr/sbin/service`. – alani Sep 29 '20 at 08:24
  • Apologies, but I am still unable to understand. What I have done is that in the `/etc/sudoers` file I have set `%sudo ALL=(ALL) NOPASSWD: ALL`, which I think has removed the password option, so my issue is kind of resolved. But I am still confused about where I should run the command mentioned in the answer. Should I replace it with the `sudo systemctl ` command I have in the Python code? What does `%mongo_checkers` mean and what should I use in place of it? – S Andrew Sep 29 '20 at 08:34
  • 1
    @SAndrew I would suggest reading the man page; it's never a good idea to blindly configure sudo access or passwordless commands if you don't fully understand what's happening. – Chris Doyle Sep 29 '20 at 08:58
  • The command in sudoers needs to match the command you wish to run with escalated privileges. The value in the leftmost column (in my example mongo_checkers, in your example sudo) is the *group* name that that line applies to. I would be wary about adding your python program to the sudo group. Try to consider the principle of least privileges. Allow your program to do what is necessary but no more. – w08r Sep 29 '20 at 08:58
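
An added example, not part of the original thread: one way the Python side can call exactly the command that the answer's sudoers rule allows, without a shell and without ever prompting. It assumes that rule is in place for the group the program runs under and that the status output contains a systemd-style `Active:` line; the names `STATUS_CMD`, `parse_active_state` and `mongodb_status` are hypothetical.

```python
import re
import subprocess

# Must match the sudoers rule exactly: same full path, same arguments.
STATUS_CMD = ["/usr/sbin/service", "mongodb", "status"]

# Matches a line such as "   Active: active (running) since ..."
ACTIVE_RE = re.compile(r"^\s*Active:\s*(\w+)\s*\(([^)]*)\)", re.MULTILINE)


def parse_active_state(output):
    """Return e.g. 'active(running)' from status output, or None if absent."""
    match = ACTIVE_RE.search(output)
    if match is None:
        return None
    return f"{match.group(1)}({match.group(2)})".replace(" ", "")


def mongodb_status():
    """Run the allowed command through sudo with an argv list (no shell)."""
    # -n: sudo fails immediately instead of prompting when no NOPASSWD rule
    # matches, so a misconfigured host raises an error rather than hanging.
    result = subprocess.run(
        ["sudo", "-n", *STATUS_CMD],
        capture_output=True, text=True, timeout=10,
    )
    # No check=True: the status command exits non-zero for a stopped service.
    state = parse_active_state(result.stdout)
    if state is None:
        raise RuntimeError(
            f"no status returned (exit {result.returncode}): "
            f"{result.stderr.strip()}"
        )
    return state


# Constructed sample output, used to exercise the parser offline.
SAMPLE = """\
mongodb.service - An object/document-oriented database
   Loaded: loaded (/lib/systemd/system/mongodb.service; enabled)
   Active: inactive (dead) since Tue 2020-09-29 08:00:00 UTC; 5min ago
"""

if __name__ == "__main__":
    print(parse_active_state(SAMPLE))
    print(mongodb_status())
```

Because the command is passed as a list, nothing from the program is interpreted by a shell, and any change to the path or arguments no longer matches the rule, so `sudo -n` refuses it.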