6

I have been playing around with subprocess lately. As I do more and more; I find myself needing root access. I was wondering if there is an easy way to enter the root password for a command that needs it with subprocess module. So when I am prompted for the password my script and provide it and run the command. I know this is bad practice by where the code will be running is sandboxed and separate from the rest of the system; I also dont want to be running as root.

I would really appreciate small example if possible. I know you can do this with expect, but i am looking something more python centric. I know pexpect exsists but its a bit overkill for this simple task.

Thanks.

Improve this question
5
  • I don't really understand the sentence "So when I am prompted for the password my script and provide it and run the command." Do you want the user to enter the root password, or do you want to hardcode the root password in your code? (I hope it's not the latter!) Commented Jun 3, 2011 at 15:47
  • @Sven I would like to do both; I know the latter is bad. I am just wondering if it is possible. Commented Jun 3, 2011 at 15:49
  • We would appreciate a small example of what you've tried, if possible. Commented Jun 3, 2011 at 15:50
  • See this question it's very similar stackoverflow.com/questions/4748971/django-and-root-processes/… Commented Jun 3, 2011 at 15:51
  • For the second option you will end up with the same problem as the problem discussed here: stackoverflow.com/questions/4144134/… Commented Jun 3, 2011 at 15:52

1 Answer 1

Reset to default
10

It would probably be best to leverage sudo for the user running the Python program. You can specify specific commands and arguments that can be run from sudo without requiring a password. Here is an example:

There are many approaches but I prefer the one that assigns command sets to groups. So let's say we want to create a group to allow people to run tcpdump as root. So let's call that group tcpdumpers.

First you would create a group called tcpdumpers. Then modify /etc/sudoers (using the visudo command):

# Command alias for tcpdump
Cmnd_Alias      TCPDUMP = /usr/sbin/tcpdump

# This is the group that is allowed to run tcpdump as root with no password prompt
%tcpdumpers     ALL=(ALL) NOPASSWD: TCPDUMP

Now any user added to the tcpdumpers group will be able to run tcpdump like this:

% sudo tcpdump

From there you could easily run this command as a subprocess.

This eliminates the need to hard-code the root password into your program code, and it enables granular control over who can run what with root privileges on your system.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I recently had to do something similar for a splunk alert script. sudo is really made for this.
Note that editing the sudoers file should really be done with visudo, rather than any other arbitrary editor - otherwise it can lead to things like unix.stackexchange.com/questions/138237/…

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.