0

I have created a web app in Python 3 which is hosted on an apache2 web server using the WSGI module. One of the requirements of the web application is that it needs to restart a systemd service based on some user inputs. I know there is an os library in Python that can help me, but as my web application is running as user www-data, the commands are executed by www-data, which is not allowed to start or stop systemd services. After some research, I found we can accomplish that by editing the sudoers file, but I am still not sure if www-data should be given sudoers permission or not.

What would be the best way to accomplish this? And what security measures will I have to keep in mind, as this would go on a live production environment?

The service which needs to be controlled is a custom-made service:

sudo systemctl restart kodi.service

The platform is Ubuntu 18.04 and the web server used is apache2.

Wouter
DG12

1 Answer

0

You are right about adding the user to the sudoers file, but you can do that in a more granular way. Follow the instructions on this issue:

https://unix.stackexchange.com/questions/192706/how-could-we-allow-non-root-users-to-control-a-system-d-service

The user then has all the privileges needed for this single command, not systemd in general. This poses the minimal security threat to your system in production, and only to your own service.

OYPS
  • But it's not just any user, it's the Apache user, which is more vulnerable to security risks. Will there be any security loopholes left if I assign the www-data user permission to restart my service? – DG12 Apr 03 '20 at 21:14
  • You are granting the Apache user full control over your own service. You have to keep that in mind. For the rest of the system, the user has the same privileges as before. In my opinion, this only poses a loophole to your own service. So the user input could start the service with malicious arguments, for example. – OYPS Apr 03 '20 at 21:17
  • @DG12 did you solve your issue? – OYPS Apr 06 '20 at 11:24
  • Your suggested answer is correct, I am not denying that, and I have been using this technique only, but I am still not sure if this is the best way. I mean, there are a lot of web applications which must be controlling Linux system services through a web user, so do they use the same method, or is there some better method to accomplish the same? – DG12 Apr 08 '20 at 21:14
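
An added example, not part of the original posts, of how the web application side of the sudoers approach could look so that user input only selects a fixed command and never becomes part of it. It assumes a sudoers rule restricted to the exact `systemctl restart kodi.service` command line and the Ubuntu 18.04 path `/bin/systemctl`; the sudoers file name and the names `ALLOWED_ACTIONS`, `ActionRejected`, `build_argv` and `run_action` are hypothetical.

```python
import subprocess

# Assumed sudoers entry (constructed for this example), installed with
# `visudo -f /etc/sudoers.d/kodi-web`:
#   www-data ALL=(root) NOPASSWD: /bin/systemctl restart kodi.service
# Absolute paths: /bin/systemctl is where Ubuntu 18.04 installs it (assumption
# for other distributions). `sudo -n` fails instead of prompting for a password.
ALLOWED_ACTIONS = {
    "restart": ("/usr/bin/sudo", "-n", "/bin/systemctl", "restart", "kodi.service"),
}


class ActionRejected(ValueError):
    """Raised when the requested action is not on the allowlist."""


def build_argv(action):
    """Map a user-supplied action name to a fixed argv; input never reaches the command."""
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        raise ActionRejected("unsupported action")
    return list(ALLOWED_ACTIONS[action])


def run_action(action, runner=subprocess.run):
    """Run the allowlisted command without a shell; return (ok, stderr_text)."""
    argv = build_argv(action)
    try:
        result = runner(
            argv,
            shell=False,                 # no shell, so no metacharacter parsing
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True,     # Python 3.6 compatible (Ubuntu 18.04)
            timeout=30,
            env={"PATH": "/usr/bin:/bin"},
        )
    except subprocess.TimeoutExpired:
        return False, "timed out"
    return result.returncode == 0, result.stderr.strip()


if __name__ == "__main__":
    print(build_argv("restart"))
```

Because the sudoers rule lists the full command line including its arguments, sudo refuses any other verb or unit for www-data even if the web application itself is compromised.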