Florian Lindner wrote:
> Serge Orlov wrote:
>
>> Florian Lindner wrote:
>>> Paul Rubin wrote:
>>>
>>>> - sort of similar: have a separate process running that knows the
>>>> password (administrator enters it at startup time).  That process
>>>> listens on a unix socket and checks the ID of the client.  It
>>>> reveals the password to authorized clients, i.e. your readable
>>>> script running under sudo.  This keeps the password from ever
>>>> being stored on disk.
>>>>
>>>> - Modify the script itself to run as a long-running service instead
>>>> of as something that gets started and restarted all the time.  Have
>>>> an admin start it and type the password into it at startup time.
>>>> Users then connect to it (maybe with a web browser) and send it
>>>> commands.
>>>>
>>>> - Move the user operations from the script to server side database
>>>> procedures that do their own validity checking.  Then you don't
>>>> need a password.
>>>
>>> I'll evaluate the 3 ideas above further.
>>
>> I'm surprised there are no building blocks for a sudo replacement
>> in the UNIX world, at least I googled and couldn't find them.
>> Basically you need to split your script into two parts: privileged
>> server and user client. They can talk xml-rpc over unix socket.
>
> Can I find out the identity of the client (PID/UID) when using unix
> socket?

Paul Rubin has answered this question. And as far as I know, not all
unix OSes support that.  But you can do the following: create a security
group, add people to that group and create the socket that is owned
by the server process and accessible only by the people in that special
group.

  Serge.


-- 
http://mail.python.org/mailman/listinfo/python-list
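Both halves of the exchange above (the question of learning the client's PID/UID over a unix socket, and Serge's fallback of a socket reachable only by a dedicated group) can be shown in one small privileged-server sketch. The following is an added example written for this page, not code from Serge, Paul, or anyone in the thread. It assumes Linux for the credential lookup (the `SO_PEERCRED` option, which the socket module only exposes there; on other Unixes the code falls back to the group-permission gate alone), and the socket file name `privsrv.sock` and the reply string `constructed-db-password` are placeholders.

```python
import os
import socket
import stat
import struct
import tempfile
import threading

# Linux reports the connecting process's credentials via SO_PEERCRED as
# struct ucred { pid_t pid; uid_t uid; gid_t gid; }: three native ints.
UCRED_FMT = "3i"


def peercred_supported():
    """True where the socket module exposes SO_PEERCRED (Linux)."""
    return hasattr(socket, "SO_PEERCRED")


def current_uid():
    return os.getuid()


def peer_credentials(conn):
    """(pid, uid, gid) of the peer on a connected AF_UNIX socket, or None
    where the platform does not expose them (SO_PEERCRED is Linux-only)."""
    if not peercred_supported():
        return None
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FMT))
    return struct.unpack(UCRED_FMT, raw)


def make_group_socket(sock_dir, gid):
    """Bind a listening socket that only root and members of `gid` can reach.

    The directory is made 0750 (honoured by every Unix for traversal) and the
    socket node 0660 (honoured by Linux for connect(); historically ignored
    on some BSDs, which is why the directory gate is there as well).  The
    umask keeps the node private until the chmod below."""
    os.chown(sock_dir, -1, gid)
    os.chmod(sock_dir, 0o750)
    path = os.path.join(sock_dir, "privsrv.sock")  # placeholder name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chown(path, -1, gid)
    os.chmod(path, 0o660)
    srv.listen(1)
    return srv, path


def socket_mode(path):
    """Permission bits of the socket node, for checking the 0660 setup."""
    return stat.S_IMODE(os.stat(path).st_mode)


def authorize(conn, allowed_uids):
    """Second gate on top of the file permissions: where the kernel tells us
    who connected, insist the uid is on the allow-list; elsewhere we can only
    trust the directory/socket permissions."""
    creds = peer_credentials(conn)
    if creds is None:
        return True
    _pid, uid, _gid = creds
    return uid in allowed_uids


def serve_one(srv, secret, allowed_uids):
    """Privileged side: answer exactly one client and hand out the secret
    only to an authorized peer."""
    conn, _ = srv.accept()
    with conn:
        reply = secret if authorize(conn, allowed_uids) else "DENIED"
        conn.sendall(reply.encode())


def request_secret(path):
    """Unprivileged client side: connect and read the server's reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        return cli.recv(256).decode()


def run_demo(allowed_uids=None, secret="constructed-db-password"):
    """Run server and client in one process; return (reply, socket mode)."""
    if allowed_uids is None:
        allowed_uids = {current_uid()}
    with tempfile.TemporaryDirectory() as sock_dir:
        srv, path = make_group_socket(sock_dir, os.getgid())
        with srv:
            mode = socket_mode(path)
            worker = threading.Thread(target=serve_one,
                                      args=(srv, secret, allowed_uids))
            worker.start()
            reply = request_secret(path)
            worker.join()
        return reply, mode


if __name__ == "__main__":
    print(run_demo())
```

On a real deployment the server would start as the administrator's long-running process holding the password in memory, the directory would be chgrp'd to the security group Serge describes, and the client script would run as an ordinary group member; `peer_credentials` then lets the server refuse even a group member whose uid is not expected.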