Hi Joonas, you are absolutely right. My problem is that I need to create a graphical administration panel for ssh and cronjob and I don't have much time, it's something for academic purposes. But if it were for production and an end-user, if there's the possibility of creating a profile with certain permissions for the *www-data* user.

On Fri, Apr 30, 2021 at 15:34, GODJonez ([email protected]) wrote:

> Hi. Having a web app with superuser privileges (even if indirectly)
> doesn't sound like the best idea. Especially if you are feeding user input
> to os.system running with root. That's a disaster waiting to happen.
>
> I would suggest going a different way. Rather than elevating web app
> permissions, reduce the needed power to the specific file. That is, grant
> www-data (or even better, make a dedicated system account for the app)
> modify permissions for the specific file you need to write to. This way you
> are not inadvertently opening the door to unlimited damage a bug in your
> code and/or a malicious user using your app could do.
>
> Joonas
>
> On Fri, Apr 30, 2021, 23:07 Edwin Rueda <[email protected]> wrote:
>
>> Thanks Carl,
>>
>> After a bit of searching and scratching my head, I discovered that when I
>> run the command *os.system("message to save")*, it asks for superuser
>> permissions for the user "*www-data*". So what I did was to give
>> permissions to that user.
>>
>> I opened the file */etc/sudoers.d/90-cloud-init-users* with the
>> following command:
>>
>>     sudo visudo -f /etc/sudoers.d/90-cloud-init-users
>>
>> By default, the file contains the user "ubuntu" with its privileges.
>> Then, I wrote the following line and saved the file, and restarted the
>> server:
>>
>>     www-data ALL=(ALL) NOPASSWD:ALL
>>
>> Thanks for your help!
>>
>> On Fri, Apr 30, 2021 at 12:15, Carl Nobile ([email protected]) wrote:
>>
>>> This is not something that modwsgi is responsible for.
>>> However, you could try to use the same tricks that are done when a
>>> daemon is created to run as root.
>>> I made some major updates to this code
>>> https://github.com/cnobile2012/python-daemon/blob/master/daemonize/daemon.py
>>> You will have to put some thought into how you do this, it will NOT be
>>> an exact copy of my code, but the basic ideas are there.
>>> Good luck
>>>
>>> ~Carl
>>>
>>> On Fri, Apr 30, 2021 at 12:58 PM Edwin Rueda <[email protected]> wrote:
>>>
>>>> If I use the following python command to save the file:
>>>>
>>>>     os.system('sudo -S echo "test text" | sudo tee /etc/issue.net')
>>>>
>>>> I get the following error in the apache log:
>>>>
>>>>     sudo: a terminal is required to read the password; either use the -S
>>>>     option to read from standard input or configure an askpass helper
>>>>     [sudo] password for www-data:
>>>>     sudo: no password was provided
>>>>
>>>> Thanks!
>>>>
>>>> On Fri, Apr 30, 2021 at 11:30, Edwin Rueda ([email protected]) wrote:
>>>>
>>>>> Hi Graham and everyone,
>>>>>
>>>>> I have a problem with a current task I'm doing in AWS. I'm creating a
>>>>> web interface to set permissions and change the ssh welcome message. The
>>>>> problem is that when saving the welcome message, I have to modify the
>>>>> /etc/issue.net file with the following python line:
>>>>>
>>>>>     open("/etc/issue.net", "w").write("test text")
>>>>>
>>>>> The problem is that the server won't let me save because I don't have
>>>>> superuser permissions.
>>>>>
>>>>> The alert that appears in the apache log is as follows:
>>>>>
>>>>>     sudo: a terminal is required to read the password; either use
>>>>>     the -S option to read from standard input or configure an askpass helper
>>>>>
>>>>> Note that in AWS, by default there is no superuser key.
>>>>>
>>>>> Finally, this is my .conf file:
>>>>>
>>>>>     WSGIDaemonProcess flaskproject threads=5
>>>>>     WSGIScriptAlias / /var/www/html/flaskproject/app.wsgi
>>>>>
>>>>>     <Directory flaskproject>
>>>>>         WSGIProcessGroup flaskproject
>>>>>         WSGIApplicationGroup %{GLOBAL}
>>>>>         Order deny,allow
>>>>>         Allow from all
>>>>>     </Directory>
>>>>>
>>>>> Can you help me?
>>>>>
>>>>> Thanks!!!!
>>>
>>> --
>>> Carl J. Nobile (Software Engineer)
>>> [email protected]

--
*Edwin J. Rueda*
Master's student in Computer Science
Universidade Federal do Pará, Brasil
Systems Engineer
Universidad Industrial de Santander, Colombia

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/CAJ83xwqEjnyF%3D5kV%3Dx4_M0UUVS_Z5SgU6qNxzGi12mDECtePpg%40mail.gmail.com.
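
The approach Joonas describes in the thread (write access to the one file instead of sudo), as an added example that is not code from any poster: the web app writes the banner directly, with no `os.system` and no sudoers entry. It assumes an administrator has already given the app's service account write access to that single existing file (group ownership or an ACL); `write_banner`, `clean_banner`, `BannerError` and the size limit are hypothetical names and values.

```python
import os
import stat

MAX_BANNER_BYTES = 2048  # assumed limit, not taken from the thread


class BannerError(ValueError):
    """Raised when the submitted text or the target file is rejected."""


def clean_banner(text: str) -> bytes:
    """Validate user-supplied banner text and return the bytes to store."""
    # Accept printable characters plus newline and tab. Anything else
    # (terminal escape sequences, NUL, carriage returns) is rejected
    # outright rather than repaired.
    for ch in text:
        if not (ch.isprintable() or ch in "\n\t"):
            raise BannerError(f"disallowed character {ch!r}")
    data = (text.rstrip("\n") + "\n").encode("utf-8")
    if len(data) > MAX_BANNER_BYTES:
        raise BannerError("banner too long")
    return data


def write_banner(text: str, path: str = "/etc/issue.net") -> int:
    """Overwrite the one pre-existing file the app account may write to."""
    data = clean_banner(text)  # validate before touching the file
    # No O_CREAT: the file must already exist with the granted permissions.
    # O_NOFOLLOW: refuse to write through a symlink placed at `path`.
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise BannerError("target is not a regular file")
        os.ftruncate(fd, 0)
        written = 0
        while written < len(data):
            written += os.write(fd, data[written:])
        return written
    finally:
        os.close(fd)
```

Because the text never reaches a shell and the process holds no rights beyond this file, a bug in the handler can at worst change the banner.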
