i have python script (which must called root), calls bash script (which must called non-root), needs call sudo. not work - "leaf" sudo calls give message "$user not in sudoers file. incident reported." how can make work?
the code (insert non-root username in place of "your_username_here"):
tezt.py:
#!/usr/bin/python3 import os import pwd import subprocess def run_subshell_as_user(cmd_args, user_name=none, **kwargs): cwd = os.getcwd() user_obj = pwd.getpwnam(user_name) # set child process environment new_env = os.environ.copy() new_env["pwd"] = cwd if user_name not none: new_env["home"] = user_obj.pw_dir new_env["logname"] = user_name new_env["user"] = user_name # function run after fork , before exec in child def suid_func(): os.setgid(user_obj.pw_gid) os.setuid(user_obj.pw_uid) return subprocess.popen( cmd_args, preexec_fn=suid_func, cwd=cwd, env=new_env, **kwargs).wait() == 0 run_subshell_as_user(["./tezt"], "your_username_here") # <-- here tezt:
#!/bin/bash sudo ls -la /root then run as:
sudo ./tezt.py does know why doesn't work? user can run sudo under normal circumstances. why "user -sudo-> root -suid-> user" work fine, when try sudo there fails?
i'd suggest using sudo drop privileges rather doing -- that's bit more thorough possible, modifying effective opposed real uid , gid. (to modify full set yourself, might try changing setuid() setreuid(), , likewise setgid() setregid()).
...this mean passing popen akin following:
["sudo", "-u", "your_username_here", "--"] + cmd_args 
Comments
Post a Comment