1

I have a python script which is performing some nagios configuration. The script is running as a user which has full sudo rights (the user can run any command with sudo, without password prompt). The final step in the configuration is this:

open(NAGIOS_COMMAND_FILE, 'a').write(cmdline)

The NAGIOS_COMMAND_FILE is only writable by root, so this command should be run by root. I can think of two ways of achieving this (both unsatisfactory):

  1. Run the whole script as root. I do not like doing this, since any error in my script will be executed with full root rights.
  2. Put the open(NAGIOS_COMMAND_FILE, 'a').write(cmdline) command in a separate script, and use the subprocess library to call that script, with sudo. I do not like creating an extra script just to run a single command.

I suppose there is no way of changing the running user just for a single command, in my current script, or am I wrong?

blueFast
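The asker's second option, without the extra script: pipe the single line through `sudo -n tee -a` from the unprivileged script, after checking that it really is one well-formed Nagios external command. This is an added example, not code from the question. `NAGIOS_COMMAND_FILE` is the name the question uses, but its value below is a placeholder, and the `[timestamp] COMMAND;arg;arg` layout the validation regex enforces is an assumption about the file format; `run` is injectable so the function can be exercised without sudo.

```python
"""Append one Nagios external command to a root-owned command file from a
script that runs unprivileged, by piping the line through `sudo -n tee -a`
instead of a separate helper script.  Added example, not the asker's code.
NAGIOS_COMMAND_FILE is the name used in the question; its value here is a
placeholder, and the validation regex encodes the usual
"[timestamp] COMMAND;arg;arg" layout as an assumption."""
import re
import subprocess
import time

NAGIOS_COMMAND_FILE = "/path/to/nagios.cmd"  # placeholder, not from the page

# One command per line: "[epoch] NAME" optionally followed by ";"-separated
# arguments.  Control characters (newline included) are rejected so that a
# value taken from user input cannot smuggle in a second command line.
_COMMAND_RE = re.compile(r"\[\d+\] [A-Z][A-Z_0-9]*(?:;[^\x00-\x1f\x7f]*)?\n")


def format_command(name, *args, now=None):
    """Build a Nagios external command line for `name` with `args`."""
    ts = int(time.time() if now is None else now)
    return "[%d] %s\n" % (ts, ";".join((name,) + tuple(str(a) for a in args)))


def validate_command(cmdline):
    """Return cmdline unchanged, or raise ValueError if it is malformed."""
    if not _COMMAND_RE.fullmatch(cmdline):
        raise ValueError("refusing malformed Nagios command: %r" % cmdline)
    return cmdline


def sudo_tee_argv(path):
    """argv that appends stdin to `path` as root; -n fails instead of prompting."""
    return ["sudo", "-n", "tee", "-a", "--", path]


def append_as_root(cmdline, path=NAGIOS_COMMAND_FILE, run=subprocess.run):
    """Validate, then hand the line to tee on stdin.  `run` is injectable so
    the call can be exercised without sudo or root; returns tee's exit code."""
    validate_command(cmdline)
    result = run(sudo_tee_argv(path), input=cmdline.encode(),
                 stdout=subprocess.DEVNULL, check=True)
    return result.returncode


if __name__ == "__main__":
    line = format_command("ENABLE_HOST_NOTIFICATIONS", "web01")
    print("would run:", " ".join(sudo_tee_argv(NAGIOS_COMMAND_FILE)), "<<<", repr(line))
```

The point of piping through `tee` rather than `sudo python ...` is that the sudoers rule for the script's account can then name exactly one command and one file (a line of the form `account ALL=(root) NOPASSWD: /usr/bin/tee -a /path/to/nagios.cmd`, with the real path substituted) instead of the blanket `ALL` the question describes, so an error elsewhere in the script has nothing else to reach.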

4 Answers

1

Why don't you give write permission on NAGIOS_COMMAND_FILE to your user who has all sudo rights?

Pablo Claus
Y__
  • That is another option, but I do not like to make random ownership changes in the system configuration files, since this is difficult to keep track of / reproduce (My goal is to be able to replicate my infrastructure easily to other servers). If it is not possible to change the running user for just a single command, then I would prefer to run the whole script as root, instead of changing the file owner. – blueFast Aug 13 '12 at 10:37
  • Otherwise, you may write your configuration in a temporary file and then use `pexpect` to move it at the right location as root user. But it may involve writing the password in a plain file... – Y__ Aug 13 '12 at 10:50
0

Never, ever run a web server as root or as a user with full sudo privileges. This isn't a pythonic thing, it is a "keep my server from being pwned" thing.

Look at os.seteuid, the "principle of least privilege", and man sudoers and run your server as regular "httpd-server" where "httpd-server" has sudoer permission to write to NAGIOS_COMMAND_FILE. And then be sure that what you write to the command file is as clean as you can make it.

msw
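What the os.seteuid suggestion looks like in practice: the script is started with real uid 0, immediately switches its effective uid to the service account for all ordinary work, and steps back to root only around the one write. This is an added example, not the answerer's code. It assumes a service account named "nagios" exists and that the script was launched via sudo (so seteuid(0) is still permitted afterwards); `NAGIOS_COMMAND_FILE` is a placeholder value, and `set_euid`/`get_euid` are injectable so the switch can be exercised without root.

```python
"""Run with an unprivileged effective uid and step back up to root for a
single write, the os.seteuid approach the answer points at.  Added
example, not the answerer's code.  It assumes the script is launched with
real uid 0 (e.g. via sudo) so that seteuid(0) is permitted afterwards,
and that a service account named "nagios" exists; set_euid/get_euid are
injectable so the switch can be exercised without root."""
import os
import pwd
from contextlib import contextmanager

NAGIOS_COMMAND_FILE = "/path/to/nagios.cmd"  # placeholder, not from the page


def service_uid(name="nagios"):
    """uid of the account that should own the script's ordinary work (assumed name)."""
    return pwd.getpwnam(name).pw_uid


@contextmanager
def effective_uid(uid, set_euid=os.seteuid, get_euid=os.geteuid):
    """Make `uid` the effective uid for the body; restore the previous
    euid afterwards even if the body raises."""
    previous = get_euid()
    set_euid(uid)
    try:
        yield
    finally:
        set_euid(previous)


def append_with_root_euid(path, line, set_euid=os.seteuid, get_euid=os.geteuid):
    """Append one line with euid 0 and drop back immediately.  A line with
    an embedded newline is refused before any uid change, so it cannot
    turn into two commands.  Returns the number of characters written."""
    if "\n" in line.rstrip("\n"):
        raise ValueError("embedded newline in command")
    with effective_uid(0, set_euid, get_euid):
        with open(path, "a") as fh:
            fh.write(line)
    return len(line)


def main(cmdline):
    if os.getuid() != 0:
        raise SystemExit("start this via sudo so the real uid is root")
    # From here on the process works as the service account; only the
    # single write below regains root, and only for as long as it takes.
    os.seteuid(service_uid())
    # ... ordinary configuration work goes here ...
    append_with_root_euid(NAGIOS_COMMAND_FILE, cmdline)


if __name__ == "__main__":
    main("[0] RESTART_PROGRAM\n")
```

Keep the limits of this in mind: seteuid only lowers the effective uid while the saved uid stays 0, so it contains accidents (a stray `open(..., 'w')` on a root-owned file fails instead of succeeding) but not code that deliberately calls `os.seteuid(0)`. Once the privileged write is done, a permanent drop with `os.setresuid(uid, uid, uid)` closes that door, and the sudoers or group-based approaches in the other answers avoid starting as root at all.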
0

It is actually possible to change user for a single command. Fabric provides a way to log in as any user to a server. It relies on ssh connections I believe. So you could connect to localhost with a different user in your python script and execute the desired command.

http://docs.fabfile.org/en/1.4.3/api/core/decorators.html

Anyway, as others have already pointed out, it is best to allow the user running the script permission to execute this one command and avoid relying on root for execution.

Nicolas Barbey
0

I would agree with the post above: either give your user write perms to the NAGIOS_COMMAND_FILE or add that user to a group that has those permissions, like nagcmd.

Michael Guthrie