By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,818 Members | 1,223 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,818 IT Pros & Developers. It's quick & easy.

pexpect with apache

P: n/a
Hi all. I try not to post until I am stuck in hole with no way out. I
fought with this for several hours, and am currently in the hole.

I'm doing a proof of concept for creating afp shares dynamically
through a web interface from a client machine. I use a bit of php to
setup a simple form, and then have the php execute my python script on
the server. The python script tries to 'su' to root to create the
share, create dirs, set perms, etc

The python script alone works fine as 'www'. I can become 'www', run
it from the command line and the share is made. But when I try to have
the web server execute it, I continually get a password failure. I'm
positive the password is correct.

Any ideas?

~Sean D

~~~~~~~~~~~test.py
#! /usr/bin/env python

import commands, os, P, pexpect

sharename = sys.argv[1]

root = "/Users/Shared"
sharepath = os.path.join(root, sharename)
password = P.P()

COMMAND_PROMPT = '[$%#]'
child = pexpect.spawn('su')
i = child.expect([pexpect.TIMEOUT, '[Pp]assword:'], timeout=1)
child.sendline(password.Decrypt(password.sean))

i = child.expect (['su: Sorry', COMMAND_PROMPT])

if i == 0:
print 'Password not accepted'
sys.exit(1)
else:
print "Making dir: %s" % sharepath
child.sendline("mkdir %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "Setting group to 'audio'"
child.sendline("chgrp audio %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "setting owner to 'audio01'"
child.sendline("chown audio01 %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "Opening permissions"
child.sendline("chmod 777 %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "sharing -a %s -s 100" % sharepath
child.sendline("sharing -a %s -s 100" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
sys.exit(0)

~~~~~~~~~~~test.php
<html>
<body>
<?php

if (isset($_GET['sharename'])) {
$last_line = system("/Users/Shared/test.py {$_GET['sharename']}",
$retval);
if ($retval == 0) {
echo "<br><h2>Mount afp://xxx.xxx.xxx.xxx/{$_GET['sharename']}</h2>";
} else {
echo "<br><h2>Failed creating share!</h2>";
}
} else {

echo "<form action='test.php'>";
echo "<table>";
echo "<td>Name of share:</td><td><input type='text'
name='sharename'></td>";
echo "</table></form>";
}

?>
</body>
</html>

Oct 18 '06 #1
Share this Question
Share on Google+
5 Replies


P: n/a
Well, first i don't think it is a good idea to have the python script
tu su to root, but for it to work, i think (Totally unsure about that)
www has to be in group wheel to be able to su.

An other way to make your script run as root is to set the setuid bit
on your python script to make it run as root, without using su.
ha**********@gmail.com wrote:
Hi all. I try not to post until I am stuck in hole with no way out. I
fought with this for several hours, and am currently in the hole.

I'm doing a proof of concept for creating afp shares dynamically
through a web interface from a client machine. I use a bit of php to
setup a simple form, and then have the php execute my python script on
the server. The python script tries to 'su' to root to create the
share, create dirs, set perms, etc

The python script alone works fine as 'www'. I can become 'www', run
it from the command line and the share is made. But when I try to have
the web server execute it, I continually get a password failure. I'm
positive the password is correct.

Any ideas?

~Sean D

~~~~~~~~~~~test.py
#! /usr/bin/env python

import commands, os, P, pexpect

sharename = sys.argv[1]

root = "/Users/Shared"
sharepath = os.path.join(root, sharename)
password = P.P()

COMMAND_PROMPT = '[$%#]'
child = pexpect.spawn('su')
i = child.expect([pexpect.TIMEOUT, '[Pp]assword:'], timeout=1)
child.sendline(password.Decrypt(password.sean))

i = child.expect (['su: Sorry', COMMAND_PROMPT])

if i == 0:
print 'Password not accepted'
sys.exit(1)
else:
print "Making dir: %s" % sharepath
child.sendline("mkdir %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "Setting group to 'audio'"
child.sendline("chgrp audio %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "setting owner to 'audio01'"
child.sendline("chown audio01 %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "Opening permissions"
child.sendline("chmod 777 %s" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
print "sharing -a %s -s 100" % sharepath
child.sendline("sharing -a %s -s 100" % sharepath)
i = child.expect([pexpect.TIMEOUT, COMMAND_PROMPT] ,timeout=1)
sys.exit(0)

~~~~~~~~~~~test.php
<html>
<body>
<?php

if (isset($_GET['sharename'])) {
$last_line = system("/Users/Shared/test.py {$_GET['sharename']}",
$retval);
if ($retval == 0) {
echo "<br><h2>Mount afp://xxx.xxx.xxx.xxx/{$_GET['sharename']}</h2>";
} else {
echo "<br><h2>Failed creating share!</h2>";
}
} else {

echo "<form action='test.php'>";
echo "<table>";
echo "<td>Name of share:</td><td><input type='text'
name='sharename'></td>";
echo "</table></form>";
}

?>
</body>
</html>
Oct 18 '06 #2

P: n/a
Well, first i don't think it is a good idea to have the python script
tu su to root, but for it to work, i think (Totally unsure about that)
www has to be in group wheel to be able to su.

Maybe sudo can help here.
Oct 18 '06 #3

P: n/a
Sudo is probably the best solution here, since in the file sudo.conf
you could restrict the www user only to the python script that requires
it.

Also, using either sudo or the setuid flag would remove the need of
pexpect since all the commands will be run as the designated user.

for setuid flag:
chmod u+s pythonScript.py
chown root pythonScript.py

for the sudo solution, add an entry to /etc/sudo.conf or /etc/sudoers ,
depending on distro:
the syntax for a line in sudo.conf is:
user hostlist = (userlist) commandlist

so you might want to add:
www localhost = NOPASSWD: /var/www/htdocs/pythonScript.py

note:
Replace the /var/www/htdocs/pythonScript.py with the path to where
your script is
the NOPASSWD: is a flag that tells sudo that no password is
required

Lee Harr wrote:
Well, first i don't think it is a good idea to have the python script
tu su to root, but for it to work, i think (Totally unsure about that)
www has to be in group wheel to be able to su.


Maybe sudo can help here.
Oct 18 '06 #4

P: n/a
Since it wont require pyexpect, and based on the operations you
accomplish with your python script, maybe that a bash script instead of
a python one might be the best tool for the job you're trying to
accomplish.
martdi wrote:
Sudo is probably the best solution here, since in the file sudo.conf
you could restrict the www user only to the python script that requires
it.

Also, using either sudo or the setuid flag would remove the need of
pexpect since all the commands will be run as the designated user.

for setuid flag:
chmod u+s pythonScript.py
chown root pythonScript.py

for the sudo solution, add an entry to /etc/sudo.conf or /etc/sudoers ,
depending on distro:
the syntax for a line in sudo.conf is:
user hostlist = (userlist) commandlist

so you might want to add:
www localhost = NOPASSWD: /var/www/htdocs/pythonScript.py

note:
Replace the /var/www/htdocs/pythonScript.py with the path to where
your script is
the NOPASSWD: is a flag that tells sudo that no password is
required

Lee Harr wrote:
Well, first i don't think it is a good idea to have the python script
tu su to root, but for it to work, i think (Totally unsure about that)
www has to be in group wheel to be able to su.

Maybe sudo can help here.
Oct 18 '06 #5

P: n/a
Thank you both for your help. I don't know why I didn't think of that
before. I had the expect mindset, and was determined to get it working
that way.

I added an entry for sudo for the script and it works without a hitch.
I'm still curious to know what was going on to disallow the
authentication in pexpect. I had added 'www' to user 'admin', and
could su to root from the command line, so I don't think that was it.
Maybe it was a timing error, ie pexpect fired off the password too soon
or too late, or something in the apache environment that just
disallowed becoming root for security reasons.

Problem solved.

~Sean

martdi wrote:
Since it wont require pyexpect, and based on the operations you
accomplish with your python script, maybe that a bash script instead of
a python one might be the best tool for the job you're trying to
accomplish.
martdi wrote:
Sudo is probably the best solution here, since in the file sudo.conf
you could restrict the www user only to the python script that requires
it.

Also, using either sudo or the setuid flag would remove the need of
pexpect since all the commands will be run as the designated user.

for setuid flag:
chmod u+s pythonScript.py
chown root pythonScript.py

for the sudo solution, add an entry to /etc/sudo.conf or /etc/sudoers ,
depending on distro:
the syntax for a line in sudo.conf is:
user hostlist = (userlist) commandlist

so you might want to add:
www localhost = NOPASSWD: /var/www/htdocs/pythonScript.py

note:
Replace the /var/www/htdocs/pythonScript.py with the path to where
your script is
the NOPASSWD: is a flag that tells sudo that no password is
required

Lee Harr wrote:
Well, first i don't think it is a good idea to have the python script
tu su to root, but for it to work, i think (Totally unsure about that)
www has to be in group wheel to be able to su.
>
>
Maybe sudo can help here.
Oct 19 '06 #6

This discussion thread is closed

Replies have been disabled for this discussion.