On Feb 1, 9:46 am, Alessandro Dentella <[EMAIL PROTECTED]> wrote:
> On Thu, Jan 31, 2008 at 02:30:02PM -0800, Graham Dumpleton wrote:
>
> > On Feb 1, 4:27 am, sandro dentella <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > I'd like to make an application that should execute commands with
> > > permissions that are not normally for www-data (eg: create user). Of
> > > course I know I could use sudo and execute the command via subprocess
> > > or similar. But it happens that the command is a python script so I'd
> > > prefer to use the python library directly.
> > >
> > > Is there any recommended way/ a sudo-module or similar?
> >
> > You could use daemon mode of mod_wsgi instead and configure it to have
> > your whole application run as the target user rather than Apache, then
> > you don't have to worry about it at all. FASTCGI solutions also
> > generally allow the application to run as a different user to Apache
> > as well.
>
> mm... sudo is a much more fine grained way of granting permission. I don't
> really like to give all power to a web application.
>
> What I would have liked was a sort of sudo module, to execute certain
> *configured* functions with more power.

Using mod_wsgi daemon mode you can actually run up multiple process groups running as different users. Each would run the Django application, but you can then configure specific URLs to be delegated to the different process groups. Thus you can control user rights down to the level of URL.

If you want, you can still use embedded mode (i.e., like mod_python) to run the bulk of your code and use the daemon process just for the restricted URL set. For example:

    Alias /media/ /usr/local/django/mysite/media/

    <Directory /usr/local/django/mysite/media>
    Order deny,allow
    Allow from all
    </Directory>

    WSGIScriptAlias / /usr/local/django/mysite/apache/django.wsgi

    <Directory /usr/local/django/mysite/apache>
    Order deny,allow
    Allow from all
    </Directory>

    WSGIDaemonProcess django-admin \
        user=django-admin group=django-admin \
        processes=1 threads=5

    <Location /admin>
    WSGIProcessGroup django-admin
    </Location>

In this scenario, all URLs of the Django application except stuff under '/admin' would continue to run in the Apache child processes just like when using mod_python. The user that that code runs as would be whatever Apache is configured to run as.

For URLs under '/admin', they would be proxied through to a distinct daemon process running as the distinct user 'django-admin'.

Thus, using the Location directive, you can selectively indicate which URLs execute code which needs to run as the user 'django-admin'.

No changes are required to the Django application for this to work, mod_wsgi automatically handles all the differences between running in embedded mode and daemon mode for you.

Graham
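
A diagnostic WSGI script for checking the per-URL delegation described in the message above, added here as an example and not part of the original thread or of mod_wsgi itself. It reports which user and process group served a request and flags a privileged URL that was not delegated, or an ordinary URL running with the elevated account. The constants and function names are hypothetical and the values are assumed from the configuration above; `mod_wsgi.process_group` is the environ key mod_wsgi sets (an empty string in embedded mode).

```python
import os
import pwd

# Assumed values, taken from the configuration in the message above.
PRIVILEGED_PREFIX = "/admin"
PRIVILEGED_GROUP = "django-admin"   # name given to WSGIDaemonProcess
PRIVILEGED_USER = "django-admin"    # user= option of WSGIDaemonProcess


def runtime_identity(environ):
    """Return (effective user name, mod_wsgi process group) for a request."""
    uid = os.geteuid()
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:                # uid with no passwd entry
        user = str(uid)
    # mod_wsgi puts the daemon group name here; empty string in embedded mode.
    return user, environ.get("mod_wsgi.process_group", "")


def under_prefix(path, prefix=PRIVILEGED_PREFIX):
    """Match like <Location /admin>: /admin and /admin/x, not /administrator."""
    return path == prefix or path.startswith(prefix + "/")


def check_delegation(path, user, group):
    """Return a list of problems with where this request is executing."""
    problems = []
    if under_prefix(path):
        if group != PRIVILEGED_GROUP:
            problems.append("privileged URL not delegated to daemon group")
        elif user != PRIVILEGED_USER:
            problems.append("daemon group running as unexpected user")
    elif group == PRIVILEGED_GROUP or user == PRIVILEGED_USER:
        problems.append("unprivileged URL running with elevated rights")
    return problems


def application(environ, start_response):
    """Diagnostic WSGI app: report identity and any delegation problems."""
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    user, group = runtime_identity(environ)
    problems = check_delegation(path, user, group)
    body = "user=%s group=%r problems=%s\n" % (user, group, problems or "none")
    status = "500 Internal Server Error" if problems else "200 OK"
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]
```

Mounted temporarily in place of the Django script, it can be requested at one URL under '/admin' and one outside it to confirm that only the former runs as 'django-admin'.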