Re: How do I add users using Python scripts on a Linux machine
In message [EMAIL PROTECTED], Piet van Oostrum wrote: Lawrence D'Oliveiro [EMAIL PROTECTED] (LD) wrote: In message [EMAIL PROTECTED], Piet van Oostrum wrote: The scenario is as follows: Suppose the script starts with the line: #!/usr/bin/python (using #!/usr/bin/env python would be disastrous because the user could supply his own `python interpreter' in his PATH.) Now a malicious user can make a link to this file in his own directory, e.g. to /Users/eve/myscript1. Because permissions are part of the file (inode), not of the file name, this one is also suid. Now she execs /Users/eve/myscript1. The kernel, when honoring suid scripts, would startup python with effective uid root with the command line: /usr/bin/env /Users/eve/myscript1 LD No it wouldn't. This security hole was fixed years ago. How? Systems which allow set-uid scripts also usually support referring to open file descriptors n via a pathname like /dev/fd/n. This might be done by mounting a special pseudo-filesystem (fdfs) on /dev/fd. (This was how I remember it being done on DEC UNIX.) So when a the kernel detects that an executable file is actually a script, it opens the script file on some file descriptor n, and passes the name /dev/fd/n to the script interpreter, instead of the original script pathname. That way, there is no opportunity for deceiving the process into executing the wrong script with set-uid privileges. -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Lawrence D'Oliveiro [EMAIL PROTECTED] (LD) wrote: LD No it wouldn't. This security hole was fixed years ago. How? -- Piet van Oostrum [EMAIL PROTECTED] URL: http://www.cs.uu.nl/~piet [PGP 8DAE142BE17999C4] Private email: [EMAIL PROTECTED] -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Sebastian 'lunar' Wiesner [EMAIL PROTECTED] (SW) wrote: SW I don't see a problem with SUID on scripts. If you restrict write access SW to the owner, modification is hardly possible. SW However, if you allow world-wide write access to your binaries and SW scripts, both can easily be modified... The scenario is as follows: Suppose the script starts with the line: #!/usr/bin/python (using #!/usr/bin/env python would be disastrous because the user could supply his own `python interpreter' in his PATH.) Now a malicious user can make a link to this file in his own directory, e.g. to /Users/eve/myscript1. Because permissions are part of the file (inode), not of the file name, this one is also suid. Now she execs /Users/eve/myscript1. The kernel, when honoring suid scripts, would startup python with effective uid root with the command line: /usr/bin/env /Users/eve/myscript1 Now in another process eve changes the link /Users/eve/myscript1 to point to another script /Users/eve/myscript2. If she manages to change the link between the startup of the python executable and the interpreter opening the file /Users/eve/myscript1, she has her own script running as root. Of course the timing is a bit critical but if you try often enough some time it will succeed. The problem is the time window between starting the executable and opening the script. There is no guarantee that the file will be the same. It can only be made safe if interpreters can be passed inodes or opened files by the kernel, but that is not how most interpreters work. At least not python. -- Piet van Oostrum [EMAIL PROTECTED] URL: http://www.cs.uu.nl/~piet [PGP 8DAE142BE17999C4] Private email: [EMAIL PROTECTED] -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
In message [EMAIL PROTECTED], Piet van Oostrum wrote: The scenario is as follows: Suppose the script starts with the line: #!/usr/bin/python (using #!/usr/bin/env python would be disastrous because the user could supply his own `python interpreter' in his PATH.) Now a malicious user can make a link to this file in his own directory, e.g. to /Users/eve/myscript1. Because permissions are part of the file (inode), not of the file name, this one is also suid. Now she execs /Users/eve/myscript1. The kernel, when honoring suid scripts, would startup python with effective uid root with the command line: /usr/bin/env /Users/eve/myscript1 No it wouldn't. This security hole was fixed years ago. -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Ramdas [EMAIL PROTECTED] wrote: I need to add users from a web interface for a web server, which runs only Python. I need to add users, set quotas and in future even look at managing ip tables to limit bandwidth. I know os.system(), but this has to be done through a form entry through a web interface. Anyways thanks, do advise if there more pythonic solutions os.system is perfectly Pythonic, and can be executed from a CGI script. The challenge is becoming root, which is necessary to do what you ask. You can write a simple C program that is setuid root that calls your script for you. -- Tim Roberts, [EMAIL PROTECTED] Providenza Boekelheide, Inc. -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Piet van Oostrum [EMAIL PROTECTED] typed Sebastian 'lunar' Wiesner [EMAIL PROTECTED] (SW) wrote: SW Linux seems to ignore SUID bit on scripts: The reason is that obeying SUID bits on scripts would be a security risk. I don't see a problem with SUID on scripts. If you restrict write access to the owner, modification is hardly possible. However, if you allow world-wide write access to your binaries and scripts, both can easily be modified... -- Freedom is always the freedom of dissenters. (Rosa Luxemburg) -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Sebastian 'lunar' Wiesner wrote: Carsten Haese [EMAIL PROTECTED] typed I don't think that that has anything to do with Linux or not. The script is not the actual executable, hence its suid bit is irrelevant. I don't think so. From what I know, the script is passed as executable to the kernel loader, which interprets the shebang and feeds the script through the correct interpreter. So the kernel loader sees the script itself as executable instead of the interpreter binary. I've heard of other Unix systems, which handle this differently (meaning that the SUID bit on scripts has an effect), but I may be wrong. Yes, the kernel parses #! but the suid-ness is still controlled by the target interpreter (i.e. python executable). At least BSD systems also behave this way. -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
[ Ivan Voras [EMAIL PROTECTED] ] Sebastian 'lunar' Wiesner wrote: Carsten Haese [EMAIL PROTECTED] typed I don't think that that has anything to do with Linux or not. The script is not the actual executable, hence its suid bit is irrelevant. I don't think so. From what I know, the script is passed as executable to the kernel loader, which interprets the shebang and feeds the script through the correct interpreter. So the kernel loader sees the script itself as executable instead of the interpreter binary. I've heard of other Unix systems, which handle this differently (meaning that the SUID bit on scripts has an effect), but I may be wrong. Yes, the kernel parses #! but the suid-ness is still controlled by the target interpreter (i.e. python executable). At least BSD systems also behave this way. I don't think, that the interpreter controls SUID-ness. Privileges are always handled by the kernel. At least the kernel needs to agree, when a normal user wants to execute a SUID scripts. -- Freedom is always the freedom of dissenters. (Rosa Luxemburg) -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
I find that I can often live with a 0-60 sec. pause. and set command in a queue like then have a cron that runs once a min as the user you need to run this on that looks at the queue and sees if there are any pending I often use a sql database for this -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Ramdas wrote: Well, I need to add users from a web interface for a web server, which runs only Python. I need to add users, set quotas and in future even look at managing ip tables to limit bandwidth. I know os.system(), but this has to be done through a form entry through a web interface. Anyways thanks, do advise if there more pythonic solutions What you're looking for is actually a pretty complex thing. You *could* in theory manage /etc/passwd (and its shadow file) - you can find crypto primitives like MD5 and DES on the 'net, but note that you must run your script under the 'root' account in order to write (and even read!) the passwd database. The same goes for using os.system and the built-in OS utility. Be aware of security implications if you're running your web server under the root account. -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Ivan Voras wrote: Ramdas wrote: Well, I need to add users from a web interface for a web server, which runs only Python. I need to add users, set quotas and in future even look at managing ip tables to limit bandwidth. I know os.system(), but this has to be done through a form entry through a web interface. Anyways thanks, do advise if there more pythonic solutions What you're looking for is actually a pretty complex thing. You *could* in theory manage /etc/passwd (and its shadow file) - you can find crypto primitives like MD5 and DES on the 'net, but note that you must run your script under the 'root' account in order to write (and even read!) the passwd database. The same goes for using os.system and the built-in OS utility. Be aware of security implications if you're running your web server under the root account. How about invoking scripts with SUID root set? -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Ivan Voras wrote: Ramdas wrote: Well, I need to add users from a web interface for a web server, which runs only Python. I need to add users, set quotas and in future even look at managing ip tables to limit bandwidth. I know os.system(), but this has to be done through a form entry through a web interface. Anyways thanks, do advise if there more pythonic solutions What you're looking for is actually a pretty complex thing. You *could* in theory manage /etc/passwd (and its shadow file) - you can find crypto primitives like MD5 and DES on the 'net, but note that you must run your script under the 'root' account in order to write (and even read!) the passwd database. The same goes for using os.system and the built-in OS utility. Be aware of security implications if you're running your web server under the root account. A solution that is both more pythonic and avoids the problems listed above would be to migrate user management from /etc/passwd to an LDAP (though pam_ldap). That's the approach I took in a similar situation. Sure, it adds the overhead of setting up and running an LDAP, but managing users and their quota through python_ldap is much cleaner and more flexible than doing so using os.system(), certainly from within a web application. That doesn't alter the fact though that security must be properly considered in any application that can add users. Regards, Jan -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Ravi Teja [EMAIL PROTECTED] typed
Ivan Voras wrote:
Ramdas wrote:
Well,
I need to add users from a web interface for a web server, which
runs only Python. I need to add users, set quotas and in future
even look at managing ip tables to limit bandwidth.
I know os.system(), but this has to be done through a form entry
through a web interface.
Anyways thanks, do advise if there more pythonic solutions
What you're looking for is actually a pretty complex thing. You
*could* in theory manage /etc/passwd (and its shadow file) - you
can find crypto primitives like MD5 and DES on the 'net, but note
that you must run your script under the 'root' account in order to
write (and even read!) the passwd database. The same goes for using
os.system and the built-in OS utility. Be aware of security
implications if you're running your web server under the root
account.
How about invoking scripts with SUID root set?
Linux seems to ignore SUID bit on scripts:
[EMAIL PROTECTED]:03:23] ~/test
-- cat uidtest.py
#!/usr/bin/python
import os
print 'uid:', os.getuid()
print 'effective uid:', os.geteuid()
os.system('whoami')
[EMAIL PROTECTED]:03:28] ~/test
-- ls -l uidtest.py
-rwsr-xr-x 1 root root 112 2007-01-02 17:03 uidtest.py
[EMAIL PROTECTED]:03:46] ~/test
-- /home/lunar/test/uidtest.py
uid: 1000
effective uid: 1000
lunar
Anyway, you should definitely think about security issues. Not all
people out there are friendly...
--
Freedom is always the freedom of dissenters.
(Rosa Luxemburg)
--
http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
On Tue, 2007-01-02 at 17:17 +0100, Sebastian 'lunar' Wiesner wrote: Ravi Teja [EMAIL PROTECTED] typed Ivan Voras wrote: Ramdas wrote: Well, I need to add users from a web interface for a web server, which runs only Python. I need to add users, set quotas and in future even look at managing ip tables to limit bandwidth. I know os.system(), but this has to be done through a form entry through a web interface. Anyways thanks, do advise if there more pythonic solutions What you're looking for is actually a pretty complex thing. You *could* in theory manage /etc/passwd (and its shadow file) - you can find crypto primitives like MD5 and DES on the 'net, but note that you must run your script under the 'root' account in order to write (and even read!) the passwd database. The same goes for using os.system and the built-in OS utility. Be aware of security implications if you're running your web server under the root account. How about invoking scripts with SUID root set? Linux seems to ignore SUID bit on scripts: I don't think that that has anything to do with Linux or not. The script is not the actual executable, hence its suid bit is irrelevant. You'd have to set the suid bit on the python executable, but that would affect all python scripts, which is probably bad. -Carsten -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Carsten Haese [EMAIL PROTECTED] typed On Tue, 2007-01-02 at 17:17 +0100, Sebastian 'lunar' Wiesner wrote: Ravi Teja [EMAIL PROTECTED] typed Ivan Voras wrote: Ramdas wrote: Well, I need to add users from a web interface for a web server, which runs only Python. I need to add users, set quotas and in future even look at managing ip tables to limit bandwidth. I know os.system(), but this has to be done through a form entry through a web interface. Anyways thanks, do advise if there more pythonic solutions What you're looking for is actually a pretty complex thing. You *could* in theory manage /etc/passwd (and its shadow file) - you can find crypto primitives like MD5 and DES on the 'net, but note that you must run your script under the 'root' account in order to write (and even read!) the passwd database. The same goes for using os.system and the built-in OS utility. Be aware of security implications if you're running your web server under the root account. How about invoking scripts with SUID root set? Linux seems to ignore SUID bit on scripts: I don't think that that has anything to do with Linux or not. The script is not the actual executable, hence its suid bit is irrelevant. I don't think so. From what I know, the script is passed as executable to the kernel loader, which interprets the shebang and feeds the script through the correct interpreter. So the kernel loader sees the script itself as executable instead of the interpreter binary. I've heard of other Unix systems, which handle this differently (meaning that the SUID bit on scripts has an effect), but I may be wrong. You'd have to set the suid bit on the python executable, but that would affect all python scripts, which is probably bad. It _is_ bad! -- Freedom is always the freedom of dissenters. (Rosa Luxemburg) -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
How about invoking scripts with SUID root set? Linux seems to ignore SUID bit on scripts: Yes. My bad. The work around was to use native launchers. I don't remember the details. Perhaps with the interpreter embedded to launch it in-process and to hard code the script paths (or at least a config file/script pointing to them) for security. Anyway, you should definitely think about security issues. Not all people out there are friendly... I agree. SUID is often risky. Web applications such as webmin that do administrative functions through a web interface require extra precautions for security such as restricting access to specific IPs. -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Sebastian 'lunar' Wiesner [EMAIL PROTECTED] (SW) wrote: SW Linux seems to ignore SUID bit on scripts: The reason is that obeying SUID bits on scripts would be a security risk. -- Piet van Oostrum [EMAIL PROTECTED] URL: http://www.cs.uu.nl/~piet [PGP 8DAE142BE17999C4] Private email: [EMAIL PROTECTED] -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
On 1 Jan 2007 11:33:42 -0800, Ramdas [EMAIL PROTECTED] wrote: How do I add users using Python scripts on a Linux machine? Someone has a script? This should be as easy as something like: os.system(/usr/sbin/useradd -m -d /home/newuser -s /bin/ksh) Dan -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
That is shell scripting with a python layer on top. Is there a specific reason you have to use python? Why not just use shell, that's what it's designed for? Unless you have some complex maths/networking requirement or something on top. -h On 01/01/07, Daniel Klein [EMAIL PROTECTED] wrote: On 1 Jan 2007 11:33:42 -0800, Ramdas [EMAIL PROTECTED] wrote: How do I add users using Python scripts on a Linux machine? Someone has a script? This should be as easy as something like: os.system(/usr/sbin/useradd -m -d /home/newuser -s /bin/ksh) Dan -- http://mail.python.org/mailman/listinfo/python-list -- Hari Sekhon -- http://mail.python.org/mailman/listinfo/python-list
Re: How do I add users using Python scripts on a Linux machine
Well, I need to add users from a web interface for a web server, which runs only Python. I need to add users, set quotas and in future even look at managing ip tables to limit bandwidth. I know os.system(), but this has to be done through a form entry through a web interface. Anyways thanks, do advise if there more pythonic solutions Ramdas Hari Sekhon wrote: That is shell scripting with a python layer on top. Is there a specific reason you have to use python? Why not just use shell, that's what it's designed for? Unless you have some complex maths/networking requirement or something on top. -h On 01/01/07, Daniel Klein [EMAIL PROTECTED] wrote: On 1 Jan 2007 11:33:42 -0800, Ramdas [EMAIL PROTECTED] wrote: How do I add users using Python scripts on a Linux machine? Someone has a script? This should be as easy as something like: os.system(/usr/sbin/useradd -m -d /home/newuser -s /bin/ksh) Dan -- http://mail.python.org/mailman/listinfo/python-list -- Hari Sekhon -- http://mail.python.org/mailman/listinfo/python-list
