pexpect with apache

Hi all. I try not to post until I am stuck in hole with no way out. I
fought with this for several hours, and am currently in the hole.

I'm doing a proof of concept for creating afp shares dynamically
through a web interface from a client machine. I use a bit of php to
setup a simple form, and then have the php execute my python script on
the server. The python script tries to 'su' to root to create the
share, create dirs, set perms, etc

The python script alone works fine as 'www'. I can become 'www', run
it from the command line and the share is made. But when I try to have
the web server execute it, I continually get a password failure. I'm
positive the password is correct.

Any ideas?

~Sean D

~~~~~~~~~~~test.py
#! /usr/bin/env python

import commands, os, P, pexpect

sharename = sys.argv[1]

root = "/Users/Shared"
sharepath = os.path.join(root, sharename)
password = P.P()

COMMAND_PROMPT = '[$%#]'
child = pexpect.spawn('su')
i = child.expect([pexpect.TIMEOUT, '[Pp]assword:'], timeout=1)
child.sendline(password.Decrypt(password.sean))

i = child.expect (['su: Sorry', COMMAND_PROMPT])

if i == 0:
print 'Password not accepted'
sys.exit(1)
else:
print "Making dir: %s" % sharepath
child.sendline("mkdir %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "Setting group to 'audio'"
child.sendline("chgrp audio %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "setting owner to 'audio01'"
child.sendline("chown audio01 %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "Opening permissions"
child.sendline("chmod 777 %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "sharing -a %s -s 100" % sharepath
child.sendline("sharing -a %s -s 100" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
sys.exit(0)

~~~~~~~~~~~test.php
<html>
<body>
<?php

if (isset($_GET['sharename'])) {
$last_line = system("/Users/Shared/test.py {$_GET['sharename']}",
$retval);
if ($retval == 0) {
echo "<br><h2>Mount afp://xxx.xxx.xxx.xxx/{$_GET['sharename']}</h2>";
} else {
echo "<br><h2>Failed creating share!</h2>";
}
} else {

echo "<form action='test.php'>";
echo "<table>";
echo "<td>Name of share:</td><td><input type='text'
name='sharename'></td>";
echo "</table></form>";
}

?>
</body>
</html>

tu su to root, but for it to work, i think (Totally unsure about that)
www has to be in group wheel to be able to su.

Well, first i don't think it is a good idea to have the python script
tu su to root, but for it to work, i think (Totally unsure about that)
www has to be in group wheel to be able to su.

Maybe sudo can help here.

Sudo is probably the best solution here, since in the file sudo.conf
you could restrict the www user only to the python script that requires
it.

Also, using either sudo or the setuid flag would remove the need of
pexpect since all the commands will be run as the designated user.

for setuid flag:
chmod u+s pythonScript.py
chown root pythonScript.py

for the sudo solution, add an entry to /etc/sudo.conf or /etc/sudoers ,
depending on distro:
the syntax for a line in sudo.conf is:
user hostlist = (userlist) commandlist

so you might want to add:
www localhost = NOPASSWD: /var/www/htdocs/pythonScript.py

note:
Replace the /var/www/htdocs/pythonScript.py with the path to where
your script is
the NOPASSWD: is a flag that tells sudo that no password is
required

Lee Harr wrote:

Well, first i don't think it is a good idea to have the python script
tu su to root, but for it to work, i think (Totally unsure about that)
www has to be in group wheel to be able to su.

Maybe sudo can help here.

Since it wont require pyexpect, and based on the operations you
accomplish with your python script, maybe that a bash script instead of
a python one might be the best tool for the job you're trying to
accomplish.
martdi wrote:

Sudo is probably the best solution here, since in the file sudo.conf
you could restrict the www user only to the python script that requires
it.

Also, using either sudo or the setuid flag would remove the need of
pexpect since all the commands will be run as the designated user.

for setuid flag:
chmod u+s pythonScript.py
chown root pythonScript.py

for the sudo solution, add an entry to /etc/sudo.conf or /etc/sudoers ,
depending on distro:
the syntax for a line in sudo.conf is:
user hostlist = (userlist) commandlist

so you might want to add:
www localhost = NOPASSWD: /var/www/htdocs/pythonScript.py

note:
Replace the /var/www/htdocs/pythonScript.py with the path to where
your script is
the NOPASSWD: is a flag that tells sudo that no password is
required

Lee Harr wrote:

Well, first i don't think it is a good idea to have the python script
tu su to root, but for it to work, i think (Totally unsure about that)
www has to be in group wheel to be able to su.
>
>
Maybe sudo can help here.