[Flask] Unable to subprocess.run() as regular user
ulrich berthold
ub at artfacts.net
Mon Jan 30 13:57:21 EST 2023
On 30.01.23 19:53, Clint Olsen wrote:
> Hi,
>
> In order to perform certain operations as a regular user especially on
> NFS volumes where we disallow root (squash) for security purposes, I
> have a context manager which enables it to temporarily step down:
>
> @contextmanager
> def run_as(user):
>     pwd_entry = get_pwd(user)
>
>     grp_entry = grp.getgrnam('foobar')
>
>     os.setegid(grp_entry.gr_gid)
>
>     # Step down
>     #
>     os.seteuid(pwd_entry[2])
>
>     _ctxt = Ctx()
>
>     yield _ctx
that a typo? ^^
_ctxt != _ctx
>
>     # Return
>     #
>     os.seteuid(0)
>     os.setegid(0)
>
> However, when I use this with subprocess.run(cwd=/some_path) I end up
> getting a PermissionError:
>
> Jan 30 10:26:50 mybox gunicorn[29730]: Traceback (most recent call last):
> Jan 30 10:26:50 mybox gunicorn[29730]: File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/arbiter.py",
> line 589, in spawn_worker
> Jan 30 10:26:50 mybox gunicorn[29730]: worker.init_process()
> Jan 30 10:26:50 mybox gunicorn[29730]: File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py",
> line 146, in init_process
> Jan 30 10:26:50 mybox gunicorn[29730]: super().init_process()
> Jan 30 10:26:50 mybox gunicorn[29730]: File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/base.py",
> line 142, in init_process
> Jan 30 10:26:50 mybox gunicorn[29730]: self.run()
> Jan 30 10:26:50 mybox gunicorn[29730]: File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py",
> line 86, in run
> Jan 30 10:26:50 mybox gunicorn[29730]: self.notify()
> Jan 30 10:26:50 mybox gunicorn[29730]: File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/ggevent.py",
> line 48, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]: super().notify()
> Jan 30 10:26:50 mybox gunicorn[29730]: File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/base.py",
> line 75, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]: self.tmp.notify()
> Jan 30 10:26:50 mybox gunicorn[29730]: File
> "/opt/local/python3.8/lib/python3.8/site-packages/gunicorn/workers/workertmp.py",
> line 46, in notify
> Jan 30 10:26:50 mybox gunicorn[29730]: os.fchmod(self._tmp.fileno(),
> self.spinner)
> Jan 30 10:26:50 mybox gunicorn[29730]: PermissionError: [Errno 1]
> Operation not permitted
>
> I can work around this by having a special exec wrapper script which
> performs similar operations to the above context manager, but it would
> be nice if I could make the context manager work correctly.
>
> Thanks,
>
> -Clint
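
An added example, not code from this thread or from Flask/gunicorn: `os.seteuid()`/`os.setegid()` change the identity of the whole process, so anything else the worker does while the `with` block is active (such as the `os.fchmod` call in the traceback) also runs as the dropped user. This sketch drops privileges only in the child, between fork and exec, which is the same idea as the exec wrapper mentioned above. `resolve_ids`, `run_dropped` and `demo` are hypothetical names, and switching to a different user assumes the caller runs as root.

```python
import grp
import os
import pwd
import subprocess
import sys


def resolve_ids(user, group=None):
    """Look up uid, gid and supplementary gids for the target account."""
    pw = pwd.getpwnam(user)
    gid = grp.getgrnam(group).gr_gid if group else pw.pw_gid
    return pw.pw_uid, gid, os.getgrouplist(pw.pw_name, gid)


def run_dropped(cmd, uid, gid, groups, **kwargs):
    """Run cmd with the given identity; the calling process keeps its own."""
    def demote():
        # Executes in the child only, after fork() and before exec().
        if os.geteuid() == 0:
            os.setgroups(groups)  # replace root's supplementary groups first
        os.setgid(gid)            # group before user: setuid() removes the
        os.setuid(uid)            # privilege needed to change the gid
        if (os.getuid(), os.geteuid(), os.getgid()) != (uid, uid, gid):
            raise PermissionError("privilege drop did not take effect")
    # An exception in demote() aborts the launch with SubprocessError, so
    # cmd never starts with more privilege than intended. preexec_fn is not
    # safe in multi-threaded programs; Python 3.9+ accepts user=, group=
    # and extra_groups= on subprocess.run() instead.
    return subprocess.run(cmd, preexec_fn=demote, **kwargs)


def demo():
    """Constructed check: run a child under the current ids, compare sides."""
    before = (os.geteuid(), os.getegid())
    probe = [sys.executable, "-c", "import os; print(os.getuid(), os.getgid())"]
    out = run_dropped(probe, os.getuid(), os.getgid(), os.getgroups(),
                      capture_output=True, text=True, check=True)
    child = tuple(int(x) for x in out.stdout.split())
    return before, (os.geteuid(), os.getegid()), child
```

A root-owned caller would use it as `run_dropped(cmd, *resolve_ids(user, 'foobar'), cwd=path)`, leaving the server's own effective uid and gid untouched for the duration of the command.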