this post was submitted on 28 May 2024
21 points (100.0% liked)

Linux

48020 readers
1007 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by AlpΓ‘r-Etele MΓ©der, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Hi everyone,

I have a Python program (A) that run under a regular user account. (good)

When some events occur in (A) I need to modify my nftables and only the root is allowed to do so.

I've come up with 3 ways to do that (if you know other please share) but I don't which would be the best.

  1. Make a sudo call from (A) with from subprocess import run but I will need to store the password ! and I don't think is possible to keep it encrypted and decrypted when need it (it's a flaw)
    .
  2. Make (A) writing a file with the requests. Create a (B) daemon (that run as root) that check that file every X and do the necessary
    .
  3. Make (A) do an IPC ( Linux socket ) to (B) daemon (that run as root) and does the necessary.

I suppose that the solution 2 is less heavy that the 3 ? But if I'm not mistaken it will react also slower ?

Thanks.

🐧

top 10 comments
sorted by: hot top controversial new old
[–] [email protected] 8 points 5 months ago

If your command doesn't change (doesn't require dynamic input), sudoers file can make specific command+argument run without password required.

https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/ (ctrl+f search "A better solution")

(You can also use wildcards in sudoers file but with nftables I imagine it's a big security risk)

[–] [email protected] 3 points 5 months ago* (last edited 5 months ago) (1 children)
  1. Is the usual solution, but instead of file use unix socket and user/group permissions as auth - the running user has to be part of some group so that the control client (A) can access the control socket of (B) daemon.

Alternatively you could use capabilities:

https://stackoverflow.com/a/414258

https://man7.org/linux/man-pages/man7/capabilities.7.html

[–] [email protected] 2 points 5 months ago (1 children)

Thank you very much @taaz

So you say 2 but with unix socket so it the same as my proposal number 3 ? no ?

I'll check capabilities

[–] [email protected] 2 points 5 months ago

Yeah kinda, unix socket does count as ipc

[–] [email protected] 1 points 5 months ago (1 children)

You could try pkexec insted of sudo. Pkexec pops up the password prompt in a window insted of prompting in the terminal.

[–] [email protected] 3 points 5 months ago (1 children)

It's a good way of solving it. It's not scriptable though as it requires user-input.

[–] [email protected] 3 points 5 months ago (1 children)

indeed I need it to be scriptable.

[–] baru 1 points 5 months ago

Then implement polkit perhaps? https://polkit.pages.freedesktop.org/polkit/polkit-apps.html

Basically the root using bit is handled via polkit. Three unprivileged bit calls the privileged bit via polkit.

[–] solrize 1 points 5 months ago* (last edited 5 months ago)

Method 2 could use inotify to wake up when the file changes. It wouldn't have to poll. Method 3 could launch from inetd so it wouldn't have to always be running if these events are infrequent.

[–] [email protected] 0 points 5 months ago

Have you looked into the suid bit? You can set it on the file, then change the script owner to root and it runs in elevated mode: https://linuxhandbook.com/suid-sgid-sticky-bit/