Hi everyone,
I have a Python program (A) that run under a regular user account. (good)
When some events occur in (A) I need to modify my nftables and only the root is allowed to do so.
I’ve come up with 3 ways to do that (if you know other please share) but I don’t which would be the best.
- Make a
sudocall from (A) withfrom subprocess import runbut I will need to store the password ! and I don’t think is possible to keep it encrypted and decrypted when need it (it’s a flaw)
. - Make (A) writing a file with the requests. Create a (B) daemon (that run as root) that check that file every X and do the necessary
. - Make (A) do an IPC ( Linux socket ) to (B) daemon (that run as root) and does the necessary.
I suppose that the solution 2 is less heavy that the 3 ? But if I’m not mistaken it will react also slower ?
Thanks.
🐧
- Is the usual solution, but instead of file use unix socket and user/group permissions as auth - the running user has to be part of some group so that the control client (A) can access the control socket of (B) daemon.
Alternatively you could use capabilities:
Thank you very much @taaz
So you say 2 but with
unix socketso it the same as my proposal number 3 ? no ?I’ll check
capabilitiesYeah kinda, unix socket does count as ipc
Method 2 could use inotify to wake up when the file charges. It wouldn’t have to poll. Method 3 could launch from inetd so it wouldn’t have to always be running if these events are infrequent.
Have you looked into the suid bit? You can set it on the file, then change the script owner to root and it runs in elevated mode: https://linuxhandbook.com/suid-sgid-sticky-bit/
