1

I can't run firefox from a sudoed python script that drops privileges to a normal user. If I write:

```
# sudo python
>>> import os
>>> import pwd, grp
>>> uid = pwd.getpwnam('norby')[2]
>>> gid = grp.getgrnam('norby')[2]
>>> os.setegid(gid)
>>> os.seteuid(uid)
>>> import webbrowser
>>> webbrowser.get('firefox').open('www.google.it')
True
>>> # It returns true but doesn't work
>>> from subprocess import Popen,PIPE
>>> p = Popen('firefox www.google.it', shell=True,stdout=PIPE,stderr=PIPE)
>>> # Doesn't execute the command
```

I think that this is not a python problem, but a firefox/iceweasel/debian configuration problem. Maybe firefox reads only the UID and not the EUID, and doesn't execute the process because the UID is equal to 0. What do you think?

Emilio
  • But why are you trying to write a python script to be run as root to do this? What is the objective? – theotherreceive Jul 15 '09 at 20:27
  • The script works with the network in a low level layer, so it must run as root. I think there is nothing wrong with dropping privileges in the right way, and then executing firefox. But it doesn't work. – Emilio Jul 15 '09 at 20:39
  • Does Python's `Popen` work with gui programs? Perhaps the problem is not where you think it is. – Telemachus Jul 15 '09 at 20:55
  • Firefox will run as root, so the concern you have in the last part of your question isn't the issue. – Avery Payne Jul 15 '09 at 20:56
  • Is it a problem if I cross post it on stackoverflow? – Emilio Jul 15 '09 at 22:01

6 Answers

1

The problem is it can't access the display on the X server, is it running? I wouldn't recommend running firefox with root permissions, that'd be like running IE on a windows box.

You said in a comment that you were launching it in a lower run level. The error is because you're launching firefox in that lower level before X comes up with an active display. Delay its running until X is up.

Malfist
1

You have to export environment variable named DISPLAY with value ':0.0'. That might make it work. Ask on stackoverflow if you don't know how to export environment variables using python.

Saurabh Barjatiya
0

You really really shouldn't do this. Like, really.

Why are you trying to?

theotherreceive
0

I'd guess, you'll have to specify an X-server. I'm afraid I have no idea how to actually do that in python though :-)

Cian
0

First, you would normally want to use gksu or gksudo or sux to get root privileges for an X application. Second, why are you using sudo on Debian? (I mean is sudo even enabled? It's not by default on Debian, as opposed to Ubuntu or OS X.) Third, I can't think of any circumstance where you actually need to run a browser with root privileges.

There are cases when you need a gui application as root - say, you want to edit a system file (/etc/network/interfaces for example), and you're most comfortable editing with gedit. That's not an unreasonable thing to want to do. But you would want to use gksu or a similar utility to transfer the privileges.

Telemachus
  • yes, sudo is enabled, but no one is a sudoer – Malfist Jul 15 '09 at 20:28
  • @Malfist: 6 of one; half-dozen of the other. I take your point, but since in fact many Debian users don't install the Desktop task at all, `sudo` is often not even installed. Nevertheless, I grant that if you install the Gnome (or KDE or XFCE, I suppose) packages, then `sudo` gets installed. It's still not the right tool to get gui privileges. – Telemachus Jul 15 '09 at 20:31
  • Sudo is installed in debian system. I have to execute a browser from a python script that must run as root. I'm only trying to drop privilege and run the browser. Nothing dangerous. – Emilio Jul 15 '09 at 20:32
  • @Emilio: First, the whole Python script-which-must-be-root -> Firefox idea _still_ sounds like a bad idea. Second, are you sure that your regular user is in the `sudoers` file? Again, Debian is _not_ Ubuntu. Even if you run Gnome, I don't think that regular users are automatically added to the list of users who can run `sudo`. I believe that out of the box in Debian only root can. – Telemachus Jul 15 '09 at 20:34
  • Sudo is not the problem (the user will execute the program as he wants, with sudo, gtksudo, kdesudo, etc.), but the problem is that the browser doesn't work even if I drop privileges in the right way.. – Emilio Jul 15 '09 at 20:37
  • sudo is installed without a windowing system. The Debian box I've been working on is a server and it doesn't have X. – Malfist Jul 15 '09 at 20:37
  • @Malfist: I'm not sure what it's a dependency of then. If you install Debian selecting _only_ the Standard task from the Tasksel menu in the installer, `sudo` is not installed. See here for the list of packages in the Standard task. When I run `aptitude why sudo`, I can track back and see that the only reason I have it installed is that I installed `pcmanfm`, which recommends `gksu` which requires `sudo`. – Telemachus Jul 15 '09 at 20:51
  • It is not a sudo problem =) I only want to execute firefox after dropping privileges. – Emilio Jul 15 '09 at 20:52
  • Oops: I forgot the link to the list of packages: http://wiki.debian.org/tasksel – Telemachus Jul 15 '09 at 20:52
  • @Emilio: that's fine, but now I'm in a debate because "someone is _wrong_ on the internet." http://xkcd.com/386/ – Telemachus Jul 15 '09 at 20:54
  • @Tele: ahahha ok =) – Emilio Jul 15 '09 at 20:54
0

I use sux.

  1. apt-get install sux
  2. sux firefox

Description: wrapper around su which will transfer your X credentials

Sux is a wrapper around the standard su command which will transfer your X credentials to the target user.

Yordan
  • I prefer to find a solution not based on what *su program is used, but to try to run firefox from the script executed by root, but with dropped privileges – Emilio Jul 15 '09 at 20:47
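
One way to do what the question asks, as an added example that is not part of the original thread: the root script keeps its privileges and only the child drops its real, effective and saved IDs (via the `user`, `group` and `extra_groups` arguments of `Popen` in Python 3.9+), with an environment rebuilt for the target user. The `:0.0` fallback is the value from the `DISPLAY` answer above; the fixed `PATH` and the `~/.Xauthority` fallback are assumptions.

```python
import os
import pwd
import subprocess
import sys


def child_env(pw, parent_env):
    """Build a minimal environment for the unprivileged GUI child.

    Nothing else is inherited from root's environment (no LD_PRELOAD etc.).
    """
    return {
        "HOME": pw.pw_dir,        # the user's own home, so the user's profile is used
        "USER": pw.pw_name,
        "LOGNAME": pw.pw_name,
        "PATH": "/usr/local/bin:/usr/bin:/bin",   # assumed fixed PATH
        # ':0.0' is the value suggested in the answer above (assumption here)
        "DISPLAY": parent_env.get("DISPLAY", ":0.0"),
        # Cookie file must be readable by the target user; default path is assumed
        "XAUTHORITY": parent_env.get(
            "XAUTHORITY", os.path.join(pw.pw_dir, ".Xauthority")),
    }


def spawn_kwargs(pw, parent_env):
    """Popen arguments that drop privileges in the child only.

    Unlike os.seteuid()/os.setegid() in the parent, this changes the real and
    saved IDs too, and replaces root's supplementary groups.
    """
    return {
        "user": pw.pw_uid,
        "group": pw.pw_gid,
        "extra_groups": os.getgrouplist(pw.pw_name, pw.pw_gid),
        "env": child_env(pw, parent_env),
        "close_fds": True,            # do not leak root-owned descriptors
        "start_new_session": True,    # detach from the root script's session
    }


def launch_as(username, argv):
    """Start argv (a list, no shell) as the given user and return the Popen object."""
    pw = pwd.getpwnam(username)
    return subprocess.Popen(argv, **spawn_kwargs(pw, os.environ))


if __name__ == "__main__":
    if os.geteuid() != 0:
        sys.exit("must be started as root to change user")
    proc = launch_as("norby", ["firefox", "www.google.it"])  # names from the question
    print("started pid", proc.pid)
```
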