Linux/Python Programming Becoming SU

I’m in the process of teaching myself Python/wxPython. I decided to write a sample app that would allow me to “read” my log files (/var/log) into my GUI. I’ve got the GUI built and I’ve got it reading the files (when I launch it as root) but how do I go about prompting the user for the SU password when they aren’t root? I’ve tried using os.system('su') but this just locks up the application as it waits for a password that’s never coming.

I guess what I’m asking, is there any way for me to specify both SU and the password in a single BASH command? Maybe using SUDO? I’ve seen apps all over the place pop up a GUI asking for the root password, so I believe it’s possible.

Thanks,

AOPQFL*
*Another Obscure Programming Question From LarsenMTL

You need to write the password to su’s standard input. How you’d do that in Python, I have no idea. With the basic POSIX API, you use a combination of fork(), exec(), and dup2() to create a child process, redirect its standard input and output to file handles that the parent can read and write, then execute su.

Note that running su as a child process won’t cause the parent process (your program) to gain superuser privileges. Anything you need to do as root will have to be done through su. It sounds like what you’d do is start a child process running “su -c ‘cat /var/log’”, write the password to its standard input, then read the text of /var/log from its standard output.

You can try messing with kdesu to do this, but the set up time for all the kde initialization stuff is excessive for a web app.

su - “cat /var/log/messages” will prompt for the root password and can be passed to a script. The password could be passed in reply, although this isn’t a good solution.

Can you give your user the permissions needed to read the file? You know that it will be the UID executing the process that will need to read the file, so you could change the ownership of the log file from, say, 540 owned by root:adm to 540 owned by root:<group of your UID>

If user lee of the group nmi was running the script, and the ownership of /var/log/messages was changed to root:nmi, then it should work with no password.

Or, you could add the username running your script to the /etc/group entry for adm. That should work, too.

Don’t put passwords in scripts. Set up proper permissions and privileges.

I agree with leenmi–this can be done without prompting for passwords, by appropriately changing user and group permissions (unless you want to require a password for looking at your logfiles). Also, rather than changing the permissions so that all individual users have read permission on /var/log you could make your script (or the subprocess which reads and processes the logfiles) setuid/setgid to a user/group with read permissions in that directory. (Don’t make it setuid root or any other high-privilege account if you can possibly avoid it. Ideally it’s a user or group having only read permissions on the logfiles and no other special privileges.)
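The group-permission approach recommended in the replies above, as an added example that is not part of the original thread: the log viewer runs unprivileged, never handles a root password, and on a denied read reports which group membership would fix it. The function names `access_class` and `read_log` are hypothetical, and only classic owner/group/other mode bits are modelled (no ACLs).

```python
import grp
import os
import stat
import sys


def access_class(mode, file_uid, file_gid, uid, gids):
    """Return (class, readable): the single permission class the kernel
    checks for this caller, and whether that class has the read bit.
    Classic mode bits only; POSIX ACLs are not considered."""
    if uid == 0:
        return ("root", True)
    if uid == file_uid:
        return ("owner", bool(mode & stat.S_IRUSR))
    if file_gid in gids:
        return ("group", bool(mode & stat.S_IRGRP))
    return ("other", bool(mode & stat.S_IROTH))


def read_log(path, max_lines=200):
    """Return the last max_lines lines of path. On denial, raise a
    PermissionError that names the group fix instead of asking for a password."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.readlines()[-max_lines:]
    except PermissionError:
        st = os.stat(path)
        gids = set(os.getgroups()) | {os.getegid()}
        cls, _ = access_class(st.st_mode, st.st_uid, st.st_gid, os.geteuid(), gids)
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)  # gid with no /etc/group entry
        if st.st_mode & stat.S_IRGRP:
            hint = f"add this user to group '{group}' and log in again"
        else:
            hint = f"group '{group}' has no read bit; an administrator must grant one"
        raise PermissionError(
            f"{path}: read denied as '{cls}' (mode {stat.S_IMODE(st.st_mode):o}); {hint}"
        ) from None


if __name__ == "__main__":
    # Default path is the file named in the thread; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/log/messages"
    try:
        sys.stdout.writelines(read_log(target))
    except OSError as exc:
        sys.exit(str(exc))
```

A GUI can show the exception text in a dialog, so the user sees the one-time administrative fix rather than a password prompt.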

Thanks Mr2001, leenmi, and Omphaloskeptic. I’ll take your advice and do it outside of the code by changing permissions or using kdesu (I haven’t decided). kdesu looks pretty slick, popping up the box for me but the permission route seems faster and “cleaner”.

leenmi, I said to myself last night as I posted that - “If it’s Linux, I bet you leenmi will respond.” Thanks once again for your assistance.

Post a question about Solaris and I’ll be even more sure to respond.

Seriously, though, I post to the Linux threads because I think Linux is more fun than Windows and more people would use it if they saw how easy it really is. Sure, there are things people don’t know but take a stroll through General Questions and tell me:

How much do they really know about Windows?

Glad you are having fun with it to hack up some scripts.