Hi everyone,
I have a Python program (A) that run under a regular user account. (good)
When some events occur in (A) I need to modify my nftables and only the root
is allowed to do so.
I’ve come up with 3 ways to do that (if you know other please share) but I don’t which would be the best.
- Make a
sudo
call from (A) withfrom subprocess import run
but I will need to store the password ! and I don’t think is possible to keep it encrypted and decrypted when need it (it’s a flaw)
. - Make (A) writing a file with the requests. Create a (B) daemon (that run as root) that check that file every X and do the necessary
. - Make (A) do an IPC ( Linux socket ) to (B) daemon (that run as root) and does the necessary.
I suppose that the solution 2 is less heavy that the 3 ? But if I’m not mistaken it will react also slower ?
Thanks.
🐧
If your command doesn’t change (doesn’t require dynamic input), sudoers file can make specific command+argument run without password required.
https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/ (ctrl+f search “A better solution”)
(You can also use wildcards in sudoers file but with nftables I imagine it’s a big security risk)
You could try
pkexec
insted ofsudo
. Pkexec pops up the password prompt in a window insted of prompting in the terminal.It’s a good way of solving it. It’s not scriptable though as it requires user-input.
indeed I need it to be scriptable.
Then implement polkit perhaps? https://polkit.pages.freedesktop.org/polkit/polkit-apps.html
Basically the root using bit is handled via polkit. Three unprivileged bit calls the privileged bit via polkit.
Method 2 could use inotify to wake up when the file changes. It wouldn’t have to poll. Method 3 could launch from inetd so it wouldn’t have to always be running if these events are infrequent.
Have you looked into the suid bit? You can set it on the file, then change the script owner to root and it runs in elevated mode: https://linuxhandbook.com/suid-sgid-sticky-bit/