Hi. Having a web app with superuser privileges (even if indirectly) doesn't sound like the best idea. Especially if you are feeding user input to os.system running with root. That's a disaster waiting to happen.
I would suggest going a different way. Rather than elevating web app permissions, reduce the needed power to the specific file. That is, grant www-data (or even better, make a dedicated system account for the app) modify permissions for the specific file you need to write to. This way you are not inadvertently opening the door to unlimited damage a bug in your code and/or a malicious user using your app could do.

Joonas

On Fri, Apr 30, 2021, 23:07 Edwin Rueda <[email protected]> wrote:

> Thanks Carl,
>
> After a bit of searching and scratching my head, I discovered that when I
> run the command *os.system("message to save")*, it asks for superuser
> permissions for the user "*www-data*". So what I did was to give
> permissions to that user.
>
> I opened the file */etc/sudoers.d/90-cloud-init-users* with the following
> command:
>
> sudo visudo -f /etc/sudoers.d/90-cloud-init-users
>
> by default, the file contains the user "ubuntu" with its privileges. Then,
> I wrote the following line and saved the file, and restarted the server:
>
> www-data ALL=(ALL) NOPASSWD:ALL
>
> thanks for your help!
>
>
> On Fri, Apr 30, 2021 at 12:15, Carl Nobile ([email protected]) wrote:
>
>> This is not something that modwsgi is responsible for.
>> However, you could try to use the same tricks that are done when a daemon
>> is created to run as root.
>> I made some major updates to this code
>> https://github.com/cnobile2012/python-daemon/blob/master/daemonize/daemon.py
>> You will have to put some thought into how you do this, it will NOT be an
>> exact copy of my code, but the basic ideas are there.
>> Good luck
>>
>> ~Carl
>>
>>
>> On Fri, Apr 30, 2021 at 12:58 PM Edwin Rueda <[email protected]>
>> wrote:
>>
>>> If I use the following python command to save the file:
>>>
>>> - os.system('sudo -S echo "test text" | sudo tee /etc/issue.net')
>>>
>>> I get the following error in the apache log:
>>>
>>> sudo: a terminal is required to read the password; either use the -S
>>> option to read from standard input or configure an askpass helper
>>> [sudo] password for www-data:
>>> sudo: no password was provided
>>>
>>> Thanks!
>>>
>>> On Fri, Apr 30, 2021 at 11:30, Edwin Rueda ([email protected]) wrote:
>>>
>>>> Hi Graham and everyone,
>>>>
>>>> I have a problem with a current task I'm doing in AWS. I'm creating a
>>>> web interface to set permissions and change the ssh welcome message. The
>>>> problem is that when saving the welcome message, I have to modify the
>>>> /etc/issue.net file with the following python line:
>>>>
>>>> open("/etc/issue.net", "w").write("test text")
>>>>
>>>> the problem is that the server won't let me save because I don't have
>>>> superuser permissions.
>>>>
>>>> the alert that appears in the apache log is as follows:
>>>> - sudo: a terminal is required to read the password; either use
>>>> the -S option to read from standard input or configure an askpass helper
>>>>
>>>> note that in AWS, by default there is no superuser key
>>>>
>>>> Finally, this is my .conf file:
>>>>
>>>> WSGIDaemonProcess flaskproject threads=5
>>>> WSGIScriptAlias / /var/www/html/flaskproject/app.wsgi
>>>>
>>>> <Directory flaskproject>
>>>> WSGIProcessGroup flaskproject
>>>> WSGIApplicationGroup %{GLOBAL}
>>>> Order deny,allow
>>>> Allow from all
>>>> </Directory>
>>>>
>>>> can you help me ?
>>>>
>>>> Thanks!!!!
>>>> --
>>>> *Edwin J. Rueda*
>>>> Master's student in Computer Science
>>>> Universidade Federal do Pará, Brazil
>>>> Systems Engineer
>>>> Universidad Industrial de Santander, Colombia
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "modwsgi" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/modwsgi/CAJ83xwrY9py2qpHBov%2B-bXAFtE1-pvsBpRK96YXvML_KmTq3sQ%40mail.gmail.com
>>
>> --
>> Carl J. Nobile (Software Engineer)
>> [email protected]
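
The approach suggested in the top reply, sketched as an added example that is not part of the thread: the app rewrites only the one file it was granted, with no sudo and no shell, so user input is written as data and never reaches `os.system`. The account name `bannerapp`, the size limit and the function names are assumptions.

```python
import os

BANNER_PATH = "/etc/issue.net"  # the file named in the thread
MAX_BANNER_BYTES = 2048         # assumed limit for this example

# One-time setup by an administrator, instead of a sudoers entry.
# "bannerapp" is a hypothetical dedicated account for the app:
#   sudo chgrp bannerapp /etc/issue.net
#   sudo chmod 664 /etc/issue.net
# and in the Apache config, run the daemon process as that account:
#   WSGIDaemonProcess flaskproject user=bannerapp group=bannerapp threads=5


def sanitize_banner(text):
    """Return the banner as UTF-8 bytes, or raise ValueError if it is unsafe."""
    text = text.replace("\r\n", "\n")
    for ch in text:
        # Reject control characters (terminal escape sequences, NUL, ...).
        if ch != "\n" and not ch.isprintable():
            raise ValueError("non-printable character %r in banner" % ch)
    if not text.endswith("\n"):
        text += "\n"
    data = text.encode("utf-8")
    if len(data) > MAX_BANNER_BYTES:
        raise ValueError("banner longer than %d bytes" % MAX_BANNER_BYTES)
    return data


def write_banner(text, path=BANNER_PATH):
    """Overwrite the existing banner file in place and return bytes written."""
    data = sanitize_banner(text)
    # No O_CREAT: the app may only rewrite a file the administrator prepared.
    # O_NOFOLLOW: refuse to write through a symlink placed at the path.
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return len(data)
```

The file is written in place rather than replaced by rename, because a rename would require write access to the whole of `/etc`, which is exactly the broader permission this setup avoids.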
