On Feb 1, 9:46 am, Alessandro Dentella <[EMAIL PROTECTED]> wrote:
> On Thu, Jan 31, 2008 at 02:30:02PM -0800, Graham Dumpleton wrote:
>
> > On Feb 1, 4:27 am, sandro dentella <[EMAIL PROTECTED]> wrote:
> > > Hi,
>
> > >   I'd like to make an application that should execute commands with
> > >   permissions that are not normally for www-data (e.g. create user). Of
> > >   course I know I could use sudo and execute the command via subprocess or
> > >   similar. But it happens that the command is a Python script so I'd
> > >   prefer to use the Python library directly.
>
> > >   Is there any recommended way / a sudo module or similar?
>
> > You could use daemon mode of mod_wsgi instead and configure it to have
> > your whole application run as the target user rather than Apache, then
> > you don't have to worry about it at all. FASTCGI solutions also
> > generally allow the application to run as a different user to Apache
> > as well.
>
> mm... sudo is a much more fine-grained way of granting permission. I don't
> really like to give all power to a web application.
>
> What I would have liked was a sort of sudo module, to execute certain
> *configured* functions with more power.

Using mod_wsgi daemon mode you can actually run up multiple process
groups running as different users. Each would run the Django
application, but you can then configure specific URLs to be delegated
to the different process groups. Thus you can control user rights down
to the level of URL. If you want, you can still use embedded mode
(i.e., like mod_python) to run the bulk of your code and use the daemon
process just for the restricted URL set. For example:

  Alias /media/ /usr/local/django/mysite/media/

  <Directory /usr/local/django/mysite/media>
  Order deny,allow
  Allow from all
  </Directory>

  WSGIScriptAlias / /usr/local/django/mysite/apache/django.wsgi

  <Directory /usr/local/django/mysite/apache>
  Order deny,allow
  Allow from all
  </Directory>

  WSGIDaemonProcess django-admin \
    user=django-admin group=django-admin \
    processes=1 threads=5

  <Location /admin>
  WSGIProcessGroup django-admin
  </Location>

In this scenario, all URLs of the Django application except stuff
under '/admin' would continue to run in the Apache child processes
just like when using mod_python. The user that that code runs as would
be whatever Apache is configured to run as.

For URLs under '/admin', they would be proxied through to a distinct
daemon process running as the distinct user 'django-admin'.

Thus, using the Location directive, you can selectively indicate which
URLs execute code which needs to run as the user 'django-admin'.

No changes are required to the Django application for this to work,
mod_wsgi automatically handles all the differences between running in
embedded mode and daemon mode for you.

Graham
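
An added example, not part of the original message or of mod_wsgi itself: a WSGI middleware that fails closed if the URL-to-process-group delegation described above is not in effect, for instance when the `<Location>` block is not applied. It relies on the `mod_wsgi.process_group` key that mod_wsgi places in the WSGI environ (empty in embedded mode); the names `ProcessGroupGuard`, `expected_group` and the policy constants are hypothetical and mirror the sample configuration.

```python
import os
import pwd

# Assumed policy, mirroring the configuration in the message above:
# URLs under /admin belong to the 'django-admin' daemon process group,
# everything else is served in embedded mode (empty process group name).
PRIVILEGED_PREFIX = "/admin"
PRIVILEGED_GROUP = "django-admin"
PRIVILEGED_USER = "django-admin"


def current_user():
    """Name of the account this process is effectively running as."""
    return pwd.getpwuid(os.geteuid()).pw_name


def expected_group(path):
    """Process group that should serve this path (same matching as <Location /admin>)."""
    privileged = path == PRIVILEGED_PREFIX or path.startswith(PRIVILEGED_PREFIX + "/")
    return PRIVILEGED_GROUP if privileged else ""


class ProcessGroupGuard:
    """WSGI middleware that refuses requests served by the wrong process or user."""

    def __init__(self, app, whoami=current_user):
        self.app = app
        self.whoami = whoami  # injectable so the check can be tested offline

    def violation(self, environ):
        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        group = environ.get("mod_wsgi.process_group", "")
        want = expected_group(path)
        if group != want:
            return "path %r served by process group %r, expected %r" % (path, group, want)
        if want == PRIVILEGED_GROUP and self.whoami() != PRIVILEGED_USER:
            return "privileged process group is running as %r" % self.whoami()
        return None

    def __call__(self, environ, start_response):
        problem = self.violation(environ)
        if problem:
            # Log the detail server-side only; the client gets a generic error.
            environ["wsgi.errors"].write("ProcessGroupGuard: %s\n" % problem)
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"process isolation check failed\n"]
        return self.app(environ, start_response)
```

In `django.wsgi` the guard would wrap the existing `application` object, so a privileged view never executes in the Apache child processes and unprivileged views never execute as `django-admin`.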