I have a project where a user can provide a python script that will be execute on the server to verify if the script is valid according to some criteria. I use the exec function to execute the code but it's vulnerable. User can use the os module in the script.
Is there a way to prevent command injection ? By preventing some modules to be used in exec ? Or another way to execute python code without risking injections ?
Thanks !
Related
I have a SQL Server Agent job that executes some python scripts using CmdExec. Everything is set up with a proxy account as expected.
When I run the job I get:
Message
Executed as user: domain\proxyaccount. 'python' is not recognized as an internal or external command, operable program or batch file. Process Exit Code 1. The step failed.
I'm using Anaconda and Python is in the system PATH variable. When I run python from command line, it works. When I run python cutting and pasting the specific command from the job, it works. When I use runas to mimic the proxy account it works. The only place Python doesn't run is form inside the job.
What else do I need to look at to trouble shoot this issue?
You should restart SQL Server Agent after you installed Python on the server.
It is necessary for SQL Server Agent to load new environment variables, including the updated PATH with Python in it.
There are also suggestions to restart SQL Server too, but I believe restarting SQL Server Agent will be enough.
I am currently writing a program to help me with some database administration. It's supposed to execute commands in MariaDB. I thought since this is a CLI application I can just do that with os.system, but I'm having problems doing so. So lets say I have the following code
import os
os.system('mysql --user=%s --password=%s' %(user, password)
os.system('USE database;')
This code logs me into MariaDB, but it does not execute the second command to choose the database. Is this possible with os.system, and if not, what are my alternatives? Thanks.
Edit: I tried using subprocess instead, which gives me another problem: It immediately exits MariaDB after logging in.
I recomand you to use Subprocess instead of os python module, using Popen
try to check this link out :
Calling an external command in Python
Currently i am working on a project and i am using django-kronos for scheduling so, when user schedule a task i am running a script and end of the script i need to run
python manage.py installtasks
this is help to insert the tasks in crontab.
script is working fine when i execute in terminal but when i integrate it with my django app, it's throwing an error
IOError: Read crontab nobody: You (nobody) are not allowed to use this program (/usr/bin/crontab)
I really curious to know about which cause this problem?
or did i miss anything?
Setting setuid flag on the script (chmod u+s) will make the script run as the script file's owner UID if it's run as a separate process. You then need to watch who is allowed to execute it and/or do some authentication or check of the running user as with anyone else executing it, it'll be the same.
This is pretty much a workaround and is not advisable if some better facility is available in the app.
From what I can see, django-kronos logic is supposed to be run from manage.py rather than web code proper.
I have looked into using pxssh ,subprocess and paramiko but have found no success. What I am ultimately trying to do is figure out a way to not only use SSH to access a server and execute commands using a python script and finish there, but also have it open an instance of the terminal after executing all the commands for continued use.
Currently the server has modules that clients have to manually activate using commands after they have established an SSH connection.
For example:
module python
This command would give the user access to python.
Following this the user would then be able to use python and all its commands through the ssh connection in the terminal.
The issue I have with the methods listed earlier for executing these commands is that it does not display an instance of the terminal. It successfully executes the commands but since these commands have to be executed every time a new SSH connection is established it's worthless unless I can get essentially a copy of the terminal that the Python script executed and loaded up all the modules with.
Does any one have a solution to this? I've scoured the web for hours to no success.
This is a very difficult issue to explain so if anything is unclear please ask me and I will try my best to rephrase things. I am very new to all this.
I have a python script which is performing some nagios configuration. The script is running as a user which has full sudo rights (the user can run any command with sudo, without password prompt). The final step in the configuration is this:
open(NAGIOS_COMMAND_FILE, 'a').write(cmdline)
The NAGIOS_COMMAND_FILE is only writable by root, so this command should be run by root. I can think of two ways of achieving this (both unsatisfactory):
Run the whole script as root. I do not like doing this, since any error in my script will be executed with full root rights.
Put the open(NAGIOS_COMMAND_FILE, 'a').write(cmdline) command in a separate script, and use the subprocess library to call that script, with sudo. I do not like creating an extra script just to run a single command.
I suppose there is no way of changing the running user just for a single command, in my current script, or am I wrong?
Why don't you give write permission on NAGIOS_COMMAND_FILE to your user who have all sudo rights?
Never, ever run a web server as root or as a user with full sudo privileges. This isn't a pythonic thing, it is a "keep my server from being pwned" thing.
Look at os.seteuid, the "principle of least privilege", and man sudoers and run your server as regular "httpd-server" where "httpd-server" has sudoer permission to write to NAGIOS_COMMAND_FILE. And then be sure that what you write to the command file is as clean as you can make it.
It is actually possible to change user for a single command.
Fabric provides a way to log in as any user to a server. It relies on ssh connections I believe. So you could connect to localhost with a different user in your python script and execute the desired command.
http://docs.fabfile.org/en/1.4.3/api/core/decorators.html
Anyway, as others have already precised, it is best to allow the user running the script permission to execute this one command and avoid relying on root for execution.
I would agree with the post above, either give your user write perms to the NAGIOS_COMMAND_FILE or add that use to a group that has those permissions, like nagcmd.