I need to write a small wsgi app for manipulating iptables. I use nginx + uwsgi on Debian with python-iptables package.

uwsgi runs as www-data user by default, so if I try to access iptables from my app I get iptc.ip4tc.IPTCError: can't initialize filter: Permission denied (you must be root).

Is there any workaround to this problem except running the whole wsgi app as root? And what should I do if I want to integrate my app with Django (I definitely don't want to run all Django stuff as root)?

1 Answer

You could try to extract all the functionality which needs superuser privileges into a separate script (for example script.py) owned by root (chown root script.py), allow execution of it (chmod u+x script.py), then set setuid to allow execution rights on that file with root permissions to other users (chmod u+s script.py).

Then you should be able to call that script from your wsgi application using subprocess and www-data privileges.

Bunyk
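The privilege split described in the answer above, as an added example that is not the answerer's code: the root-only helper accepts one allowlisted action and one IPv4 address, and the WSGI process reaches it through subprocess. Assumptions: Linux ignores the setuid bit on interpreted scripts, so the helper is assumed to be started as root through a sudoers rule limited to this one file; the helper path, the `block`/`unblock` actions and the `/sbin/iptables` location are hypothetical.

```python
#!/usr/bin/env python3
"""Privileged helper: the only code that runs as root (hypothetical script.py)."""
import ipaddress
import subprocess
import sys

# Allowlist: action name -> iptables operation flag. Nothing else is accepted.
ACTIONS = {"block": "-I", "unblock": "-D"}
IPTABLES = "/sbin/iptables"  # assumed absolute path; never resolved via PATH


def build_argv(action, address):
    """Validate untrusted input and return a fixed-shape iptables argv."""
    if action not in ACTIONS:
        raise ValueError("unsupported action")
    # IPv4Address() rejects any string that is not a literal IPv4 address,
    # including values starting with '-' that iptables would read as options.
    ip = ipaddress.IPv4Address(address)
    return [IPTABLES, ACTIONS[action], "INPUT", "-s", str(ip), "-j", "DROP"]


def main(args):
    if len(args) != 2:
        print("usage: script.py block|unblock IPV4", file=sys.stderr)
        return 2
    try:
        argv = build_argv(*args)
    except ValueError as exc:
        print(f"rejected: {exc}", file=sys.stderr)
        return 2
    # List argv, no shell, empty environment: caller input cannot add commands.
    return subprocess.run(argv, env={}, check=False).returncode


def call_helper(action, address, helper="/usr/local/sbin/script.py"):
    """What the www-data WSGI app would run (helper path is an assumption)."""
    return subprocess.run(["sudo", "-n", helper, action, address],
                          capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The Django or WSGI process stays unprivileged and only ever passes two strings; every decision about what reaches iptables is made inside the root-owned file.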