473,883 Members | 1,767 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

How do I add users using Python scripts on a Linux machine

How do I add users using Python scripts on a Linux machine?

Someone has a script?

Jan 1 '07
20 18896
Carsten Haese <ca*****@uniqsy s.comtyped
On Tue, 2007-01-02 at 17:17 +0100, Sebastian 'lunar' Wiesner wrote:
>Ravi Teja <we*********@gm ail.comtyped
>
Ivan Voras wrote:
Ramdas wrote:
Well,

I need to add users from a web interface for a web server, which
runs only Python. I need to add users, set quotas and in future
even look at managing ip tables to limit bandwidth.

I know os.system(), but this has to be done through a form entry
through a web interface.

Anyways thanks, do advise if there more pythonic solutions

What you're looking for is actually a pretty complex thing. You
*could* in theory manage /etc/passwd (and its "shadow" file) - you
can find crypto primitives like MD5 and DES on the 'net, but note
that you must run your script under the 'root' account in order to
write (and even read!) the passwd database. The same goes for
using os.system and the built-in OS utility. Be aware of security
implications if you're running your web server under the root
account.

How about invoking scripts with SUID root set?

Linux seems to ignore SUID bit on scripts:

I don't think that that has anything to do with Linux or not. The
script is not the actual executable, hence its suid bit is irrelevant.
I don't think so. From what I know, the script is passed as executable
to the kernel loader, which interprets the shebang and feeds the script
through the correct interpreter. So the kernel loader sees the script
itself as executable instead of the interpreter binary. I've heard of
other Unix systems, which handle this differently (meaning that the
SUID bit on scripts has an effect), but I may be wrong.
You'd have to set the suid bit on the python executable, but that
would affect all python scripts, which is probably bad.
It _is_ bad!

--
Freedom is always the freedom of dissenters.
(Rosa Luxemburg)
Jan 2 '07 #11
>>>>Sebastian 'lunar' Wiesner <ba***********@ gmx.net(SW) wrote:
>SWLinux seems to ignore SUID bit on scripts:
The reason is that obeying SUID bits on scripts would be a security risk.
--
Piet van Oostrum <pi**@cs.uu.n l>
URL: http://www.cs.uu.nl/~piet [PGP 8DAE142BE17999C 4]
Private email: pi**@vanoostrum .org
Jan 2 '07 #12
"Ramdas" <ra****@gmail.c omwrote:
>
I need to add users from a web interface for a web server, which runs
only Python. I need to add users, set quotas and in future even look at
managing ip tables to limit bandwidth.

I know os.system(), but this has to be done through a form entry
through a web interface.

Anyways thanks, do advise if there more pythonic solutions
os.system is perfectly Pythonic, and can be executed from a CGI script. The
challenge is becoming root, which is necessary to do what you ask. You can
write a simple C program that is setuid root that calls your script for
you.
--
Tim Roberts, ti**@probo.com
Providenza & Boekelheide, Inc.
Jan 3 '07 #13
Piet van Oostrum <pi**@cs.uu.nlt yped
>>>>>Sebastia n 'lunar' Wiesner <ba***********@ gmx.net(SW) wrote:
>>SWLinux seems to ignore SUID bit on scripts:

The reason is that obeying SUID bits on scripts would be a security
risk.
I don't see a problem with SUID on scripts. If you restrict write access
to the owner, modification is hardly possible.
However, if you allow world-wide write access to your binaries and
scripts, both can easily be modified...

--
Freedom is always the freedom of dissenters.
(Rosa Luxemburg)
Jan 3 '07 #14
Sebastian 'lunar' Wiesner wrote:
Carsten Haese <ca*****@uniqsy s.comtyped
>I don't think that that has anything to do with Linux or not. The
script is not the actual executable, hence its suid bit is irrelevant.

I don't think so. From what I know, the script is passed as executable
to the kernel loader, which interprets the shebang and feeds the script
through the correct interpreter. So the kernel loader sees the script
itself as executable instead of the interpreter binary. I've heard of
other Unix systems, which handle this differently (meaning that the
SUID bit on scripts has an effect), but I may be wrong.
Yes, the kernel parses #! but the suid-ness is still controlled by the
target interpreter (i.e. python executable). At least BSD systems also
behave this way.
Jan 3 '07 #15
[ Ivan Voras <iv****@fer.h r]
Sebastian 'lunar' Wiesner wrote:
>Carsten Haese <ca*****@uniqsy s.comtyped
>>I don't think that that has anything to do with Linux or not. The
script is not the actual executable, hence its suid bit is
irrelevant.

I don't think so. From what I know, the script is passed as
executable to the kernel loader, which interprets the shebang and
feeds the script through the correct interpreter. So the kernel
loader sees the script itself as executable instead of the
interpreter binary. I've heard of other Unix systems, which handle
this differently (meaning that the SUID bit on scripts has an
effect), but I may be wrong.

Yes, the kernel parses #! but the suid-ness is still controlled by the
target interpreter (i.e. python executable). At least BSD systems also
behave this way.
I don't think, that the interpreter controls SUID-ness. Privileges are
always handled by the kernel. At least the kernel needs to agree, when
a normal user wants to execute a SUID scripts.

--
Freedom is always the freedom of dissenters.
(Rosa Luxemburg)
Jan 3 '07 #16
I find that I can often live with a 0-60 sec. pause. and set command in
a queue like
then have a cron that runs once a min as the user you need to run this
on
that looks at the queue and sees if there are any pending

I often use a sql database for this

Jan 4 '07 #17
>>>>Sebastian 'lunar' Wiesner <ba***********@ gmx.net(SW) wrote:
>SWI don't see a problem with SUID on scripts. If you restrict write access
SWto the owner, modification is hardly possible.
SWHowever, if you allow world-wide write access to your binaries and
SWscripts, both can easily be modified...
The scenario is as follows: Suppose the script starts with the line:
#!/usr/bin/python

(using #!/usr/bin/env python would be disastrous because the user could
supply his own `python interpreter' in his PATH.)

Now a malicious user can make a link to this file in his own directory,
e.g. to /Users/eve/myscript1. Because permissions are part of the file
(inode), not of the file name, this one is also suid.

Now she execs /Users/eve/myscript1. The kernel, when honoring suid scripts,
would startup python with effective uid root with the command line:
/usr/bin/env /Users/eve/myscript1

Now in another process eve changes the link /Users/eve/myscript1 to
point to another script /Users/eve/myscript2. If she manages to change the
link between the startup of the python executable and the interpreter
opening the file /Users/eve/myscript1, she has her own script running as
root.

Of course the timing is a bit critical but if you try often enough some
time it will succeed. The problem is the time window between starting the
executable and opening the script. There is no guarantee that the file will
be the same. It can only be made safe if interpreters can be passed inodes
or opened files by the kernel, but that is not how most interpreters work.
At least not python.
--
Piet van Oostrum <pi**@cs.uu.n l>
URL: http://www.cs.uu.nl/~piet [PGP 8DAE142BE17999C 4]
Private email: pi**@vanoostrum .org
Jan 4 '07 #18
In message <m2************ @ordesa.cs.uu.n l>, Piet van Oostrum wrote:
The scenario is as follows: Suppose the script starts with the line:
#!/usr/bin/python

(using #!/usr/bin/env python would be disastrous because the user could
supply his own `python interpreter' in his PATH.)

Now a malicious user can make a link to this file in his own directory,
e.g. to /Users/eve/myscript1. Because permissions are part of the file
(inode), not of the file name, this one is also suid.

Now she execs /Users/eve/myscript1. The kernel, when honoring suid
scripts, would startup python with effective uid root with the command
line: /usr/bin/env /Users/eve/myscript1
No it wouldn't. This security hole was fixed years ago.

Jan 5 '07 #19
>>>>Lawrence D'Oliveiro <ld*@geek-central.gen.new _zealand(LD) wrote:
>LDNo it wouldn't. This security hole was fixed years ago.
How?
--
Piet van Oostrum <pi**@cs.uu.n l>
URL: http://www.cs.uu.nl/~piet [PGP 8DAE142BE17999C 4]
Private email: pi**@vanoostrum .org
Jan 6 '07 #20

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

13
4039
by: Peter Mutsaers | last post by:
Hello, Up to now I mostly wrote simple filter scripts in Perl, e.g. while(<>) { # do something with $_, regexp matching, replacements etc. print; } Now I learned Python and like it much more as a language.
0
2151
by: Maneesh | last post by:
Hi, I want to connect to a remote MS SQL Server 2000 database through my Fedora Core 2 machine via Python scripts. I have successfully installed freetds & unixODBC and can now connect to the desired DB through tsql(freetds) & isql(unixODBC). I installed mxODBC (RPM & source) to be able to connect to the DB via Python scripts without any success. The code(db3.py) under test is as follows: ----------------------------------------------
7
3214
by: Edward Diener | last post by:
I can install Python 2.4 on the Fedora 3 Linux system, but after I do a number of Linux utilities and commands, like yum, stop working because they were dependent on the Python 2.3 installation. What happens is that Python 2.4 replaces the /usr/bin/python module with the Python 2.4 version. If I replace /usr/bin/python with the Python 2.3 version executable, which is still on my system, that all the aforesaid modules depend on, they start...
5
4608
by: Maurice LING | last post by:
Hi, I've been using FB1.5 and access the database using Kinterbasdb + Python. My connection is established using kinterbasdb.connect() method and the parameters host, dns, database, user, password are all defaulted to 'None'. On my own machine running Mac OSX 10.3, I can connect using the following: host = 'localhost' database = '<my path to FB database>'
121
10260
by: typingcat | last post by:
First of all, I'm an Asian and I need to input Japanese, Korean and so on. I've tried many PHP IDEs today, but almost non of them supported Unicode (UTF-8) file. I've found that the only Unicode support IDEs are DreamWeaver 8 and Zend PHP Studio. DreamWeaver provides full support for Unicode. However, DreamWeaver is a web editor rather than a PHP IDE. It only supports basic IntelliSense (or code completion) and doesn't have anything...
29
16630
by: 63q2o4i02 | last post by:
Hi, I'm interested in using python to start writing a CAD program for electrical design. I just got done reading Steven Rubin's book, I've used "real" EDA tools, and I have an MSEE, so I know what I *want* at the end of this; I just have never taken on a programming task of this magnitude. I've seen that some are using python as a utility language for existing CAD environments, and I've also found some guy who's writing a 2d drafting...
1
1925
by: Ted | last post by:
I managed to get it installed OK, along side MS Visual Studio 2005 (with which I received it). During the install, I made sure I installed everything. I have developed a number of applications using MySQL v 5 and PostgreSQL, but I have not worked with MS SQL. Playing with it after installing it, and running through several tutorials, I generally like what I see, but there are a few issues (so far - I am sure others will crop up as...
16
3961
by: John Salerno | last post by:
Hi all. I just installed Ubuntu and I'm learning how to use the bash shell. Aside from the normal commands you can use, I was wondering if it's possible to use Python from the terminal instead of the normal bash commands (e.g. print instead of echo). My main reason for asking is that I like using Python for everything, and if I don't need to learn the bash 'language', then I won't just yet. Thanks.
34
3990
by: Ben Sizer | last post by:
I've installed several different versions of Python across several different versions of MS Windows, and not a single time was the Python directory or the Scripts subdirectory added to the PATH environment variable. Every time, I've had to go through and add this by hand, to have something resembling a usable Python installation. No such problems on Linux, whether it be Mandrake/Mandriva, Fedora Core, or Kubuntu. So why is the Windows...
0
9792
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
10745
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
10848
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
10417
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
1
7972
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
7130
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5992
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
4614
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
3
3234
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.