[Flask] Unable to subprocess.run() as regular user

ulrich berthold ub at artfacts.net
Mon Jan 30 13:57:21 EST 2023


On 30.01.23 19:53, Clint Olsen wrote:
> Hi,
>
> In order to perform certain operations as a regular user especially on 
> NFS volumes where we disallow root (squash) for security purposes, I 
> have a context manager which enables it to temporarily step down:
>
> @contextmanager
> def run_as(user):
>     pwd_entry = get_pwd(user)
>
>     grp_entry = grp.getgrnam('foobar')
>
>     os.setegid(grp_entry.gr_gid)
>
>     # Step down
>     #
>     os.seteuid(pwd_entry[2])
>
>     _ctxt = Ctx()
>
>     yield _ctx

that a typo? ^^

_ctxt != _ctx


>
>     # Return
>     #
>     os.seteuid(0)
>     os.setegid(0)
>
> However, when I use this with subprocess.run(cwd=/some_path) I end up 
> getting a PermissionError:
>
> Jan 30 10:26:50 mybox gunicorn[29730]: Traceback (most recent call last):
> Jan 30 10:26:50 mybox gunicorn[29730]:   File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/arbiter.py", 
> line 589, in spawn_worker
> Jan 30 10:26:50 mybox gunicorn[29730]: worker.init_process()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py", 
> line 146, in init_process
> Jan 30 10:26:50 mybox gunicorn[29730]: super().init_process()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/base.py", 
> line 142, in init_process
> Jan 30 10:26:50 mybox gunicorn[29730]:     self.run()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py", 
> line 86, in run
> Jan 30 10:26:50 mybox gunicorn[29730]:     self.notify()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py", 
> line 48, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]:     super().notify()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/base.py", 
> line 75, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]:     self.tmp.notify()
> Jan 30 10:26:50 mybox gunicorn[29730]:   File 
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/workertmp.py", 
> line 46, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]: os.fchmod(self._tmp.fileno(), 
> self.spinner)
> Jan 30 10:26:50 mybox gunicorn[29730]: PermissionError: [Errno 1] 
> Operation not permitted
>
> I can work around this by having a special exec wrapper script which 
> performs similar operations to the above context manager, but it would 
> be nice if I could make the context manager work correctly.
>
> Thanks,
>
> -Clint
>
>
> _______________________________________________
> Flask mailing list
> Flask at python.org
> https://mail.python.org/mailman/listinfo/flask
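Two things worth showing alongside the thread: a version of the context manager that restores privileges in the right order even when the body raises, and the alternative of dropping privileges only inside the subprocess child, which leaves the worker's own euid untouched (so the gunicorn heartbeat fchmod in the traceback is never affected) and, unlike seteuid() in the parent, cannot be undone by the child. This is an added example, not code from the thread; `ids_for`, `run_unprivileged` and the `_os` test hook are names I made up.

```python
import grp
import os
import pwd
import subprocess
from contextlib import contextmanager


def ids_for(user, group):
    """Resolve account names to numeric ids once, outside the privileged window."""
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid


@contextmanager
def run_as(uid, gid, _os=os):
    """Temporarily lower the effective uid/gid of the *calling* process.

    gid changes first (while euid is still 0) and is restored last, since a
    non-root euid may not call setegid(0); try/finally restores both even when
    the body raises. `_os` is a hypothetical injection hook so the ordering can
    be unit tested without root; real callers leave it at the default.
    """
    saved_uid, saved_gid = _os.geteuid(), _os.getegid()
    _os.setegid(gid)
    try:
        _os.seteuid(uid)
        yield uid, gid
    finally:
        _os.seteuid(saved_uid)
        _os.setegid(saved_gid)


def run_unprivileged(cmd, uid, gid, cwd):
    """Run cmd with privileges dropped permanently, but only in the child.

    seteuid() in the parent leaves the real uid at 0 and the child inherits
    it, so the child could call setuid(0) and come back. Dropping with
    setgid()/setuid() after fork is irreversible, and the parent (e.g. a
    gunicorn worker whose heartbeat fchmod()s a root-owned file) never
    changes identity. On Python 3.9+ prefer subprocess.run(user=, group=),
    since preexec_fn is not safe in multithreaded programs.
    """
    def drop():
        if os.geteuid() == 0:
            os.setgroups([gid])  # also shed inherited supplementary groups
        os.setgid(gid)           # group first: needs the still-root euid
        os.setuid(uid)           # real, effective and saved uid -> uid
    done = subprocess.run(cmd, cwd=cwd, preexec_fn=drop, check=True,
                          capture_output=True, text=True)
    return done.stdout.strip()
```

Running `run_unprivileged` with your own uid/gid works without root, which makes it easy to try locally before deploying under a root-started gunicorn.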