I am running a linux command using subprocess.Popen module in python.
proc = subprocess.Popen(["sudo","/usr/local/adduser"],shell=False,stdin=subprocess.PIPE,stdout=subprocess.PIPE).communicate()
But that is prompting for password.
Is it possible to enter password with a python file? (I mean automatically)
There are obvious reasons not to do that, but if you really want, you may use pyexpect module to drive applications interacting with the terminal (e.g. programs asking passwords).
sudo can be configured not to ask a password, and it's probably a better solution for your specific example than storing any password in a file.
Related
I am using fabric right now to upload a large directory of files to ~100 different servers. These servers don't have rsync installed, so that's out of the question. Right now, I am using the upload_project method to accomplish this which is working well on the test servers I have, but I have heard that ftp (even if it's sftp) isn't allowed on some of these servers and that I might also need to limit the bandwidth of the transfer. To avoid these problems, I am trying to use scp, however, I am having some issues. I originally thought I could just go by the code in the rsync_project method and do something like local("scp -r %s %s" % (local_str, remote_str). However, scp still wants a password. So, I echoed the env.password to scp, which worked, but then it needed me to type yes to accept the key. I know I could just echo the password and echo yes to any key prompt, but I was wondering if there was some other way to accomplish this without all of the prompts. Also, sadly, the version of fabric on the server (which I cannot update) is a bit behind (1.6ish) and doesn't have the context-lib functionality that can handle prompts.
I was wondering if there was some other way to accomplish this without all of the prompts
The answer is not exactly related to Fabric. In the case of your scp command, you should look into the StrictHostKeyChecking option, to skip the known hosts key check. Example usage:
scp $src $dest -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
It sounds like you've addressed the issue with the password prompt; was there anything else you were trying to solve here?
I'm very inexperienced when it comes to UNIX privileges. I have a Python script that starts some other Python scripts and also other programs like tcpdump. All those processes are started via subprocess.Popen, some of the programs are opened in terminals (via the x-terminal-emulator -e option).
Some of the scripts/programs need to be started as root, however. I have tried to split up the whole functionality in smaller scripts and only use sudo when it's necessary. Now my problem is that my setup requires me to enter my root password like 3 or 4 times everytime I start up the whole thing.
What I am looking for is a way to enter my password once when I start the original script, but only grant actual root permissions at specified places in my scripts. Can anyone help me out? :)
One way of doing this is to start as root, fork all sub-processes and then drop your privileges in the (sub-)processes that don't need the privileges.
For an example, see here
There are some other suggestions as well in the same post.
I am calling a Python script supplied as part of a package from a Bash script I wrote, which calls the script in addition to doing various other things. Specifically, earlier on in the Bash script, I use a Zenity password dialog to get the user's MySQL root password and store it in a Bash variable to do some database setup. Later on, the Python script is called, and it too wants the user's MySQL root password.
I tried simply reusing the variable containing the password by using a pipe and a here string, but neither works; the script simply hangs there until I return to the terminal and enter the password again. I dug a bit into the Python script and found it uses getpass to ask for the password. Is there any way I can give it the password from the previously-created Bash variable so that I only have to ask the user for it once through a GUI?
If the information is allready present in a bash variable (say the name is pwd), IMHO the simplest solution is to export it to the environment.
export pwd
Then you can get it in the Python script :
pwd = os.environ('pwd')
So I've recently stumbled upon python fabric api and have been really happy with how it can help me with day-to-day sysadmin tasks. I would like to start using it at work but it is a very security-conscious environment. I was wondering how fabric handles the ssh password you provide to it while it runs it's tasks? I'm assuming it plonks it in memory somewhere and pulls it out when required to login to the next host in env.hosts? How does it protect this password while in memory?
I can see I'm going to be asked lots of questions along these lines so I'm looking for a nice way to explain to security-minded type of people that fabric is nice and friendly and doesn't pose a risk or at least no more of a risk than anything else we already have :)
I looked briefly through the source #dm03514 referenced and I believe you are correct in that if and when fabric needs to prompt interactively for a password, it will read it into memory and store it for the duration of the fabric python process. The way to address your concern is not with fabric itself but with ensuring your ssh infrastructure is using keys instead of passphrases and ssh agent forwarding where appropriate. Use enrypted ssh keys and ssh-agent to unlock them and fabric will be able to utilize that same mechanism and thus avoid ssh passwords getting involved at all. For sudo passwords, you'll either have to allow passwordless sudo or accept the risk of fabric having the sudo password in memory while it is working.
I have a python script which is performing some nagios configuration. The script is running as a user which has full sudo rights (the user can run any command with sudo, without password prompt). The final step in the configuration is this:
open(NAGIOS_COMMAND_FILE, 'a').write(cmdline)
The NAGIOS_COMMAND_FILE is only writable by root, so this command should be run by root. I can think of two ways of achieving this (both unsatisfactory):
Run the whole script as root. I do not like doing this, since any error in my script will be executed with full root rights.
Put the open(NAGIOS_COMMAND_FILE, 'a').write(cmdline) command in a separate script, and use the subprocess library to call that script, with sudo. I do not like creating an extra script just to run a single command.
I suppose there is no way of changing the running user just for a single command, in my current script, or am I wrong?
Why don't you give write permission on NAGIOS_COMMAND_FILE to your user who have all sudo rights?
Never, ever run a web server as root or as a user with full sudo privileges. This isn't a pythonic thing, it is a "keep my server from being pwned" thing.
Look at os.seteuid, the "principle of least privilege", and man sudoers and run your server as regular "httpd-server" where "httpd-server" has sudoer permission to write to NAGIOS_COMMAND_FILE. And then be sure that what you write to the command file is as clean as you can make it.
It is actually possible to change user for a single command.
Fabric provides a way to log in as any user to a server. It relies on ssh connections I believe. So you could connect to localhost with a different user in your python script and execute the desired command.
http://docs.fabfile.org/en/1.4.3/api/core/decorators.html
Anyway, as others have already precised, it is best to allow the user running the script permission to execute this one command and avoid relying on root for execution.
I would agree with the post above, either give your user write perms to the NAGIOS_COMMAND_FILE or add that use to a group that has those permissions, like nagcmd.