From clint.olsen at gmail.com  Mon Jan 30 13:53:20 2023
From: clint.olsen at gmail.com (Clint Olsen)
Date: Mon, 30 Jan 2023 10:53:20 -0800
Subject: [Flask] Unable to subprocess.run() as regular user
Message-ID: <CA+imRYL5C1tBdYDWbm583_rr1frC3PnC4E4eSFYK987V_3naoA@mail.gmail.com>

Hi,

In order to perform certain operations as a regular user especially on NFS
volumes where we disallow root (squash) for security purposes, I have a
context manager which enables it to temporarily step down:

@contextmanager
def run_as(user):
    pwd_entry = get_pwd(user)

    grp_entry = grp.getgrnam('foobar')

    os.setegid(grp_entry.gr_gid)

    # Step down
    #
    os.seteuid(pwd_entry[2])

    _ctxt = Ctx()

    yield _ctx

    # Return
    #
    os.seteuid(0)
    os.setegid(0)

However, when I use this with subprocess.run(cwd=/some_path) I end up
getting a PermissionError:

Jan 30 10:26:50 mybox gunicorn[29730]: Traceback (most recent call last):
Jan 30 10:26:50 mybox gunicorn[29730]:   File
"/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/arbiter.py",
line 589, in spawn_worker
Jan 30 10:26:50 mybox gunicorn[29730]:     worker.init_process()
Jan 30 10:26:50 mybox gunicorn[29730]:   File
"/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py",
line 146, in init_process
Jan 30 10:26:50 mybox gunicorn[29730]:     super().init_process()
Jan 30 10:26:50 mybox gunicorn[29730]:   File
"/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/base.py",
line 142, in init_process
Jan 30 10:26:50 mybox gunicorn[29730]:     self.run()
Jan 30 10:26:50 mybox gunicorn[29730]:   File
"/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py",
line 86, in run
Jan 30 10:26:50 mybox gunicorn[29730]:     self.notify()
Jan 30 10:26:50 mybox gunicorn[29730]:   File
"/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py",
line 48, in notify
Jan 30 10:26:50 mybox gunicorn[29730]:     super().notify()
Jan 30 10:26:50 mybox gunicorn[29730]:   File
"/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/base.py",
line 75, in notify
Jan 30 10:26:50 mybox gunicorn[29730]:     self.tmp.notify()
Jan 30 10:26:50 mybox gunicorn[29730]:   File
"/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/workertmp.py",
line 46, in notify
Jan 30 10:26:50 mybox gunicorn[29730]:     os.fchmod(self._tmp.fileno(),
self.spinner)
Jan 30 10:26:50 mybox gunicorn[29730]: PermissionError: [Errno 1] Operation
not permitted

I can work around this by having a special exec wrapper script which
performs similar operations to the above context manager, but it would be
nice if I could make the context manager work correctly.

Thanks,

-Clint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.python.org/pipermail/flask/attachments/20230130/a1ccfe76/attachment.html>

From ub at artfacts.net  Mon Jan 30 13:57:21 2023
From: ub at artfacts.net (ulrich berthold)
Date: Mon, 30 Jan 2023 19:57:21 +0100
Subject: [Flask] Unable to subprocess.run() as regular user
In-Reply-To: <CA+imRYL5C1tBdYDWbm583_rr1frC3PnC4E4eSFYK987V_3naoA@mail.gmail.com>
References: <CA+imRYL5C1tBdYDWbm583_rr1frC3PnC4E4eSFYK987V_3naoA@mail.gmail.com>
Message-ID: <20261d7c-6632-c9ad-647b-82dc93b6ac2f@artfacts.net>


On 30.01.23 19:53, Clint Olsen wrote:
> Hi,
>
> In order to perform certain operations as a regular user especially on 
> NFS volumes where we disallow root (squash) for security purposes, I 
> have a context manager which enables it to temporarily step down:
>
> @contextmanager
> def run_as(user):
> ? ? pwd_entry = get_pwd(user)
>
> ? ? grp_entry = grp.getgrnam('foobar')
>
> ? ? os.setegid(grp_entry.gr_gid)
>
> ? ? # Step down
> ? ? #
> ? ? os.seteuid(pwd_entry[2])
>
> ? ? _ctxt = Ctx()
>
> ? ? yield _ctx

that a typo? ^^

_ctxt != _ctx


>
> ? ? # Return
> ? ? #
> ? ? os.seteuid(0)
> ? ? os.setegid(0)
>
> However, when I use this with subprocess.run(cwd=/some_path) I end up 
> getting a PermissionError:
>
> Jan 30 10:26:50 mybox gunicorn[29730]: Traceback (most recent call last):
> Jan 30 10:26:50 mybox gunicorn[29730]: ? File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/arbiter.py", 
> line 589, in spawn_worker
> Jan 30 10:26:50 mybox gunicorn[29730]: worker.init_process()
> Jan 30 10:26:50 mybox gunicorn[29730]: ? File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py", 
> line 146, in init_process
> Jan 30 10:26:50 mybox gunicorn[29730]: super().init_process()
> Jan 30 10:26:50 mybox gunicorn[29730]: ? File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/base.py", 
> line 142, in init_process
> Jan 30 10:26:50 mybox gunicorn[29730]: ? ? self.run()
> Jan 30 10:26:50 mybox gunicorn[29730]: ? File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py", 
> line 86, in run
> Jan 30 10:26:50 mybox gunicorn[29730]: ? ? self.notify()
> Jan 30 10:26:50 mybox gunicorn[29730]: ? File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py", 
> line 48, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]: ? ? super().notify()
> Jan 30 10:26:50 mybox gunicorn[29730]: ? File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/base.py", 
> line 75, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]: ? ? self.tmp.notify()
> Jan 30 10:26:50 mybox gunicorn[29730]: ? File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/workertmp.py", 
> line 46, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]: os.fchmod(self._tmp.fileno(), 
> self.spinner)
> Jan 30 10:26:50 mybox gunicorn[29730]: PermissionError: [Errno 1] 
> Operation not permitted
>
> I can work around this by having a special exec wrapper script which 
> performs similar operations to the above context manager, but it would 
> be nice if I could make the context manager work correctly.
>
> Thanks,
>
> -Clint
>
>
> _______________________________________________
> Flask mailing list
> Flask at python.org
> https://mail.python.org/mailman/listinfo/flask
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.python.org/pipermail/flask/attachments/20230130/8c4a86d8/attachment.html>

From clint.olsen at gmail.com  Mon Jan 30 14:02:05 2023
From: clint.olsen at gmail.com (Clint Olsen)
Date: Mon, 30 Jan 2023 11:02:05 -0800
Subject: [Flask] Unable to subprocess.run() as regular user
In-Reply-To: <20261d7c-6632-c9ad-647b-82dc93b6ac2f@artfacts.net>
References: <CA+imRYL5C1tBdYDWbm583_rr1frC3PnC4E4eSFYK987V_3naoA@mail.gmail.com>
 <20261d7c-6632-c9ad-647b-82dc93b6ac2f@artfacts.net>
Message-ID: <CA+imRYL0BRSbAphm1UjHvTq5ZLPoRrSs7_uzFJgwHV-22_mwww@mail.gmail.com>

Yes, that was a typo. I was trying to edit this snippet for brevity and not
send a bunch of irrelevant stuff to the mailing list.

Thanks,

-Clint

On Mon, Jan 30, 2023 at 10:57 AM ulrich berthold <ub at artfacts.net> wrote:

>
> On 30.01.23 19:53, Clint Olsen wrote:
>
> Hi,
>
> In order to perform certain operations as a regular user especially on NFS
> volumes where we disallow root (squash) for security purposes, I have a
> context manager which enables it to temporarily step down:
>
> @contextmanager
> def run_as(user):
>     pwd_entry = get_pwd(user)
>
>     grp_entry = grp.getgrnam('foobar')
>
>     os.setegid(grp_entry.gr_gid)
>
>     # Step down
>     #
>     os.seteuid(pwd_entry[2])
>
>     _ctxt = Ctx()
>
>     yield _ctx
>
> that a typo? ^^
>
> _ctxt != _ctx
>
>
>
>     # Return
>     #
>     os.seteuid(0)
>     os.setegid(0)
>
> However, when I use this with subprocess.run(cwd=/some_path) I end up
> getting a PermissionError:
>
> Jan 30 10:26:50 mybox gunicorn[29730]: Traceback (most recent call last):
> Jan 30 10:26:50 mybox gunicorn[29730]:   File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/arbiter.py",
> line 589, in spawn_worker
> Jan 30 10:26:50 mybox gunicorn[29730]:     worker.init_process()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py",
> line 146, in init_process
> Jan 30 10:26:50 mybox gunicorn[29730]:     super().init_process()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/base.py",
> line 142, in init_process
> Jan 30 10:26:50 mybox gunicorn[29730]:     self.run()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py",
> line 86, in run
> Jan 30 10:26:50 mybox gunicorn[29730]:     self.notify()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py",
> line 48, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]:     super().notify()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/base.py",
> line 75, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]:     self.tmp.notify()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/workertmp.py",
> line 46, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]:     os.fchmod(self._tmp.fileno(),
> self.spinner)
> Jan 30 10:26:50 mybox gunicorn[29730]: PermissionError: [Errno 1]
> Operation not permitted
>
> I can work around this by having a special exec wrapper script which
> performs similar operations to the above context manager, but it would be
> nice if I could make the context manager work correctly.
>
> Thanks,
>
> -Clint
>
>
> _______________________________________________
> Flask mailing listFlask at python.orghttps://mail.python.org/mailman/listinfo/flask
>
> _______________________________________________
> Flask mailing list
> Flask at python.org
> https://mail.python.org/mailman/listinfo/flask
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.python.org/pipermail/flask/attachments/20230130/8e111354/attachment-0001.html>