How to run a Python script which requires root privilege for execution in Apache with mod_python on OpenBSD

StackOverflow https://stackoverflow.com/questions/15896367

Question

I am trying to run a Python script in Apache 2.x with mod_python. I edited httpd.conf with publisher:

    LoadModule python_module /usr/local/apache2/modules/mod_python.so
    <Directory /usr/local/apache2/htdocs/mod_python>
        SetHandler mod_python
        PythonHandler mod_python.publisher
        PythonDebug On
    </Directory>

I am trying to add a rule to the firewall using a Python script, which requires root privilege. It's asking for root privilege. Please, somebody help.

    #!/usr/local/bin/python
    #from mod_python import apache
    import sys
    import errno
    import pf

    def index(req):
        filter = pf.PacketFilter()

        try:
            # Enable packet filtering
            filter.enable()
            print "pf is enabled"
            return "pf is enabled"
        except IOError, (err, msg):
            if err == errno.EACCES:
                #sys.exit("Permission denied: are you root?")
                return "Permission denied: are you root?"
            elif err == errno.ENOTTY:
                #sys.exit("ioctl not supported by the device: is the pf device correct?")
                return "ioctl not supported by the device: is the pf device correct?"

This is the Python script which I want to execute through Apache on OpenBSD. It uses mod_python.


Solution

Please post your Python script somewhere and give us the link. How is your Python script trying to communicate with pf? Through pfctl? Let's say you are trying to add an IP to a table:

    pfctl -t thetable -T add x.x.x.x

Find out which user runs apache

    ps aux | grep apache

Then you must edit /etc/sudoers so that this user is able to run the pfctl command without a password. So let's say that you run Apache as www. Place the following in sudoers:

    www ALL=(ALL:ALL) NOPASSWD: /sbin/pfctl

Finally, in the Python script (let's say you call the external command with subprocess):

    from subprocess import call
    # -t names the table and -T gives the table command, as in the pfctl line above
    call(["sudo", "pfctl", "-t", "thetable", "-T", "add", "x.x.x.x"])

But please keep in mind that the whole scheme is really a bad idea and you shouldn't do it that way. Get rid of the Python script if you can and run the bundled Apache 1.3, which is privseped and audited. Run the webserver in a chroot. Never expose the control of your firewall to user input, especially when this comes over the web. I am sure that if you elaborate on what you want to do, we could find a much more efficient and secure setup.
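An added example, not part of the original answer: one way to keep request input away from the pfctl command line is to accept only a literal host address and pass a fixed argument vector without a shell. It is written for Python 3 (for the `ipaddress` module); `/sbin/pfctl` and `thetable` come from the answer, and the function names are hypothetical.

```python
import ipaddress
import subprocess

PFCTL = "/sbin/pfctl"   # path from the sudoers line in the answer
TABLE = "thetable"      # placeholder table name from the answer


def parse_host_address(raw):
    """Return the canonical text of one IPv4/IPv6 host address, or raise ValueError."""
    if not isinstance(raw, str):
        raise ValueError("address must be a string")
    if "%" in raw:
        # IPv6 scope ids carry free-form text; refuse them outright.
        raise ValueError("scoped addresses are not accepted")
    # ip_address() rejects hostnames, CIDR ranges, option-like strings
    # such as "-T", and anything containing whitespace or extra tokens.
    addr = ipaddress.ip_address(raw)
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        raise ValueError("refusing special-purpose address: %s" % addr)
    return str(addr)


def build_table_add_argv(raw):
    """Build the fixed argv; only the validated address varies."""
    return ["sudo", "-n", PFCTL, "-t", TABLE, "-T", "add",
            parse_host_address(raw)]


def add_to_table(raw):
    """Run the command without a shell; True when pfctl exits with status 0."""
    argv = build_table_add_argv(raw)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return result.returncode == 0
```

With the sudoers line shown in the answer, `www` may still run `pfctl` with any arguments, so this check limits only what request input can reach the command, not what the Apache user itself can do.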

OTHER TIPS

You cannot run Python scripts under mod_python as the root user. This is because Apache will always drop privileges to an untrusted user. The only way to get around it would be to recompile Apache from source code and define a magic preprocessor macro which enables the security hole which allows Apache worker processes to run as root.

In summary, don't do it, it is dangerous.

Also be aware that mod_python is no longer maintained or developed, and it is questionable whether you should use it in the first place.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow