[Fixed]-Execute Python Script as Root (seteuid vs c-wrapper)


sudo does not require setuid bit on Python. You can enable sudo for one command only, no arguments:

 www          ALL=(ALL)       NOPASSWD:  /root/bin/reload-stuff.py ""

This would be secure if your script does not take any arguments, cannot be overridden by www user, and sudo does “env_reset” (the default in most distros).

You can accept arguments, but be very careful with them — do not take output filenames, make sure you verify all inputs. In this case, remove “” from the end of sudo line.



The correct thing is called privilege separation: clearly identify minimal set of tasks which have to be done on elevated privileges. Write a separate daemon and an as much limited as possible way of communicating the task to do. Run this daemon as another user with elevated privileges. A bit more work, but also more secure.

EDIT: using a setuid-able wrapper will also satisfy the concept of privilege separation, although I recommend having the web server chrooted and mounting the chrooted file system nosuid (which would defeat that).



sudo allows you to limit arguments passed to the program. From man sudoers:

john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

On the ALPHA machines, user john may su to anyone except root but
he is not allowed to specify any options to the su(1) command.

So use sudo. Of course you need to be extra careful with root access – make sure only root can modify the script itself and any parent directories, and that the script is safe and only does the absolute minimum that needs to be run as root.

Leave a comment