1

I'm going to be using python to build a web-based asset management system to manage the production of short cg film. The app will be intranet-based running on a centos machine on the local network. I'm hoping you'll be able to browse through all the assets and shots and then open any of them in the appropriate program on the client machine (also running centos). I'm guessing that there will have to be some sort of set up on the client-side to allow the app to run commands, which is fine because I have access to all of the clients that will be using it (although I don't have root access). Is this sort of thing possible?

Improve this question
1
  • Can't you do AJAX things on the client browser? Commented Oct 14, 2012 at 9:26

3 Answers 3

Reset to default
1

As you already guessed, you will need to have a service running on the client PC listening on a predetermined port.

When the client requests to open an asset, your webapp will send the request to the running service to download the asset and run it. As long as your port no. is above 1024 and you are not running any application which requires root access, you can run this service without root.

But this is a very bad idea as it exposes the clients to malicious attacks. You will have to ensure all requests to the client service is properly signed and that the client verifies each request as valid before executing it. There may be many other security factors you will have to consider depending on your implementation of the client service. But in general, having a service that can run arbitrary requests from a remote machine is a very dangerous thing to have.

You may also not be allowed to run such a service on client PC depending on your comany's IT policies.

You are better of having the client download the resource normally and then having the user execute the resource manually.

PS: You can have the client service run on a port below 1024, but it will have to start as root and after binding to the port drop all root privileges and change the running user to a different user using setuid (or the equivalent in your language of choice)

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Although I understand this isn't a particularly safe method, it's exactly what I was looking for, so thank you. As this is only an intranet thing, all the requests will come from inside the firewall (I've got the service running on a port that's blocked from outside the firewall) so I don't think I'll have to worry too much about attacks, right? At the moment the server sends a json object to the client, and then the client will run a local script depending on the information contained within it. I can't think of any security issues with that, but what do you think? Thanks for your help
How about attacks from within the intranet? Some one comes inside the office, connects to the wifi and suddenly has access to run programs on any machine running this service. Also make sure you get this client cleared by IT, I am not an office worker yet but I have a feeling that they might not like it.
But the service only executes a few very specific programs based on data that's passed to it; it doesn't allow someone to run any arbitrary commands. If the data passed to service isn't correct, then it will just ignore it. Surely that's not prone to attacks? (Thanks for the help by the way, I don't have much experience with security) I will use some sort of authentication like you mentioned though. That way the service will only accept requests from the server, right? Yeah I've got this cleared with IT, it's actually a university thing.
If you are making sure that the service can run only a specified list of commands and it verifies every request to make sure it is indeed from the server, then you are good.
1

Note this is not a standard way. Imagine the websites out there had the ability to open Notepad or Minesweeper at their will when you visit or click something.

The way it is done is, you need to have a service which is running on the client machine which can expose certain apis and trust the request from the web apps call. this needs to be running on the client machines all the time and in your web app, you can send a request to this service to launch the application that you desire.

Improve this answer

3 Comments

but websites (via browsers) have that ability. The OP could configure client browsers to open certain types of files automatically if I understand the question correctly
@J.F.Sebastian You mean mime-types? Given that he mentioned about CG environment, I am assuming that he would want to launch certain visual effects applications by clicking on the button in the webapp.
Yeah, my team is going to be working with Maya and Nuke files primarily. I've just implemented a service running on the client machine, and it just what I was looking for. Thanks.
0

If you have a specific subset of applications that will be run on the client systems (aka you are distributing jobs), then you might want to consider python salt. It is a distributed RPC which uses a secure protocol and authentication to distribute jobs and deliver results:

http://docs.saltstack.org/en/latest/topics/index.html

If you are looking at automating content generation based on specific updates then you might want to consider Jenkins, which has plugins for various revision control systems and build systems:

https://wiki.jenkins-ci.org/display/JENKINS/Meet+Jenkins

It may not have integration with the particular tools you are using, but if it does then it could be a quicker setup and administration than generic salt automation.

--David

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.