Search code examples
apachepython-2.7mod-pythonopenbsd

How to run python script which require root privilage for execution in apache with mod_python at openbsd

I am trying to run python script in Apache 2.x with mod_python. I edited httpd.conf with publisher

    LoadModule python_module /usr/local/apache2/modules/mod_python.so
 <Directory /usr/local/apache2/htdocs/mod_python>

SetHandler mod_python
PythonHandler mod_python.publisher
PythonDebug On

I am trying to add a rule in firewall using python script which require root privilege. it's asking for root privilege ? Please somebody help.

    #!/usr/local/bin/python
    #from mod_python import apache
    import sys
    import errno
    import pf

    def index(req):
         filter = pf.PacketFilter()

         try:
              # Enable packet filtering
              filter.enable()
              print  "pf is enabled"
              return "pf is enabled"
         except IOError, (err, msg):
                if err == errno.EACCES:
                      #sys.exit("Permission denied: are you root?")
                       return ("Permission denied: are you root?")
                elif err == errno.ENOTTY:
                        #sys.exit("ioctl not supported by the device: is the pf device correct?")
                        return ("ioctl not supported by the device: is the pf device correct?")

this is python script which i want to execute though apache at openBSD. it uses mod_python.

Solution

  • Please post your python script somewhere and give us the link. How is your python script trying to communicate with pf? through pfctl? lets say you are tryng to add an IP to a table

    pfctl -t thetable -T add x.x.x.x

    Find out which user runs apache 

    ps aux | grep apache

    Then you must edit /etc/sudoers to have that user be able to run the pfctl command without a password. So lets say that you run apache as www. place the following in sudoers :

    www ALL=(ALL:ALL) NOPASSWD: /sbin/pfctl

    Finally in the python script (lets say you call the external command with subprocess)

    from subprocess import call
call(["sudo","pfctl","-T","theTable","-t","add", "x.x.x.x"])

    But please keep in mind that the whole scheme is really a bad idea and you shouldn't do it that way. get rid of the python script if you can and run the bundled apache 1.3 which is privseped and audited. Run the webserver in a chroot. Never expose the control of your firewall to user input specially when this comes over the web. I am sure that if you elaborate on what you want to do , we could find a much more efficient and secure setup.