0

I am trying to run a Python script in Apache 2.x with mod_python. I edited httpd.conf with publisher:

    LoadModule python_module /usr/local/apache2/modules/mod_python.so
    <Directory /usr/local/apache2/htdocs/mod_python>
        SetHandler mod_python
        PythonHandler mod_python.publisher
        PythonDebug On
    </Directory>

I am trying to add a rule to the firewall using a Python script, which requires root privilege. It's asking for root privilege. Please, somebody help.

    #!/usr/local/bin/python
    # Python 2 syntax, as posted
    #from mod_python import apache
    import sys
    import errno
    import pf

    def index(req):
        # mod_python publisher entry point; the return value becomes the response body
        filter = pf.PacketFilter()

        try:
            # Enable packet filtering
            filter.enable()
            print "pf is enabled"
            return "pf is enabled"
        except IOError, (err, msg):
            if err == errno.EACCES:
                #sys.exit("Permission denied: are you root?")
                return ("Permission denied: are you root?")
            elif err == errno.ENOTTY:
                #sys.exit("ioctl not supported by the device: is the pf device correct?")
                return ("ioctl not supported by the device: is the pf device correct?")
            # Any other I/O error is re-raised instead of silently returning None
            raise

This is the Python script which I want to execute through Apache on OpenBSD. It uses mod_python.

4
  • Please, man! Your question is VERY hard to understand. Also, this thing you are describing seems VERY wrong to me. Only change fw state through pfctl(8). Post us a link to your script so we can help. httpd is running as user www as it is privilege separated, so not permitting it to sudo is the correct behaviour. So: more info, more clarity. Commented Apr 9, 2013 at 12:33
  • I now noticed that you use apache2 from ports (why?), so this isn't chrooted by default. As what user are you running httpd? Commented Apr 9, 2013 at 13:01
  • @ramrunner mod_python version 3.x supports Apache 2.x only. I am trying to add a rule in pf using a GUI. On clicking a button, a Python script will execute and the rule will be added. I embedded mod_python in apache2 and am trying to execute the Python script. But it's asking for root privilege. How can I configure things to execute such a script? Commented Apr 10, 2013 at 4:19
  • Well, I have never seen this pypf thing (and can't yet see its purpose). But as I see it (and as Graham Dumpleton said), if this thing uses ioctl, the only way to make it work is to run the whole Apache as root. This, together with running mod_python as root, is an extremely bad bad bad idea. So two approaches could work: (a) dump this pypf thing and write your own wrappers on top of pfctl; (b) instead of using this pypf program directly, have it run as root in a separate Python program and only communicate with it from the actual mod_py program that will run as www (via a Unix socket maybe?). Commented Apr 15, 2013 at 13:30

2 Answers

1

Please post your Python script somewhere and give us the link. How is your Python script trying to communicate with pf? Through pfctl? Let's say you are trying to add an IP to a table:

    pfctl -t thetable -T add x.x.x.x

Find out which user runs Apache:

    ps aux | grep apache

Then you must edit /etc/sudoers so that user is able to run the pfctl command without a password. So let's say that you run Apache as www. Place the following in sudoers:

    www ALL=(ALL:ALL) NOPASSWD: /sbin/pfctl

Finally, in the Python script (let's say you call the external command with subprocess):

    from subprocess import call
    # -t names the table, -T gives the table command (same order as the pfctl line above)
    call(["sudo", "pfctl", "-t", "thetable", "-T", "add", "x.x.x.x"])

But please keep in mind that the whole scheme is really a bad idea and you shouldn't do it that way. Get rid of the Python script if you can and run the bundled Apache 1.3, which is privseped and audited. Run the web server in a chroot. Never expose the control of your firewall to user input, especially when this comes over the web. I am sure that if you elaborate on what you want to do, we could find a much more efficient and secure setup.
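As an added example (not part of the original answer, and written for Python 3 rather than the Python 2 of mod_python): if the web process does shell out to `sudo pfctl` as described above, the address has to be validated before it reaches the command line. The table allowlist, the function names and the `runner` parameter are assumptions made for illustration.

```python
import ipaddress
import subprocess

# Assumption: the only pf tables the web front end may modify.
ALLOWED_TABLES = frozenset({"thetable"})

# Absolute path, matching the command named in the sudoers entry above.
PFCTL = "/sbin/pfctl"


def build_pfctl_add(table, address):
    """Return the argv for `pfctl -t <table> -T add <address>`.

    Raises ValueError if the table is not allowlisted or the address is
    not a literal IPv4/IPv6 address.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % (table,))
    # ip_address() accepts only a single literal address, so hostnames,
    # CIDR ranges, option-like strings and embedded spaces are rejected.
    addr = ipaddress.ip_address(address)
    # sudo -n fails instead of prompting if the sudoers rule is missing.
    return ["sudo", "-n", PFCTL, "-t", table, "-T", "add", str(addr)]


def try_build(table, address):
    """Like build_pfctl_add, but returns None on rejected input."""
    try:
        return build_pfctl_add(table, address)
    except ValueError:
        return None


def add_to_table(table, address, runner=subprocess.run):
    """Validate the request, then run pfctl through sudo without a shell."""
    argv = build_pfctl_add(table, address)
    # argv is a list and no shell is involved, so nothing re-parses the input.
    result = runner(argv, capture_output=True, text=True, timeout=10)
    return result.returncode == 0
```

The web handler would call `add_to_table()` with the submitted value and treat `ValueError` as a rejected request; the `runner` parameter exists only so the call can be exercised without touching pf.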


1 Comment

Sir, I edited the question, please have a look at it. It's not using pfctl. It's using the py-pf library in Python for maintaining pf.

1

You cannot run Python scripts under mod_python as the root user. This is because Apache will always drop privileges to an untrusted user. The only way to get around it would be to recompile Apache from source code and define a magic preprocessor macro which enables the security hole which allows Apache worker processes to run as root.

In summary, don't do it, it is dangerous.

Also be aware that mod_python is no longer maintained or developed and it is questionable as to whether you should use it in the first place.
