Re: my computer is allergic to pickles
On 5 March 2011 02:14, MRAB wrote: ... >> Any comments, suggestions? >> You obviously can't feed your computer pickles then. How about a tasty tidbit of XML? Served up in a main dish of DOM, or serially if preferred? -- http://mail.python.org/mailman/listinfo/python-list
Re: English Idiom in Unix: Directory Recursively
On 20 May 2011 18:21, rusi wrote:
> On May 20, 1:48 pm, Hans Georg Schaathun wrote:
> > On 20 May 2011 06:55:35 GMT, Steven D'Aprano <[email protected]> wrote:
> >
> > : On Thu, 19 May 2011 22:13:14 -0700, rusi wrote:
> > :
> > : > [I agree with you Xah that recursion is a technical word that should not
> > : > be foisted onto lay users.]
> > :
> > : I think that is a patronizing remark that under-estimates the
> > : intelligence of lay people and over-estimates the difficulty of
> > : understanding recursion.
> >
> > Could we then say that «recursion is a technical word that should
> > not /unnecessarily/ be foisted onto lay users»?
>
> Yes.
> Steven is talking about the fact that the intelligent lay user may be
> intelligent.
> I was referring to the fact that the intelligent lay user is a lay
> user. [Not my main point except to say that dragging in
> alt.usage.english into a discussion of recursion seemed a tad
> unnecessary and unfair]
>
> So the ILU may understand recursion
> He may not know "recursion"
> --

As a trainer there is an issue as to whether or not you should use words that your trainees will not understand, the argument being that if you don't use new words your trainees will not learn any new words. It is also very much a Unix philosophy that if you want idiots, feed them idiot food, so think very carefully about what you put on the menu.

I think recursion was very much a list processing concept for list processing languages. I like the purity of LISP, but COBOL for business applications any day.
Re: English Idiom in Unix: Directory Recursively
The beginning of wisdom is to call things by their right names. - Chinese Proverb (So I'm told at least, I'd check with the Chinese first though ;)
Best way to gain root privileges
I'm sure this question is as old as time, but what is the best way to gain root privileges? (Am using Python 2.6.5, pygtk2 v2.16, Gtk v2.18.9, on RHEL6.)

Ta, G.

gmotion
PyGTK desktop GUI for Motion (software motion detector)
http://code.google.com/p/gmotion/
Re: Best way to gain root privileges
OK, thanks for the tips. gksu* does not seem to be included with RHEL6 Desktop (though there is a package called beesu), and besides which it appears gksu is deprecated[1]. Either way, C wrapper or sudo approach, it is a tactical decision, and the former is probably a better option with the problem I have (though I will at the end of the day probably use both). I googled C wrapper and there are a ton of issues, type of C system call to use, closing/reopening file handles, etc. Whole books have been written on the subject. The philosophy at the end of the day I think is do your own thing so a hacker cannot download the code you used.

[1] http://live.gnome.org/gksu

Having said that I'm possibly arriving at the conclusion that a quick Perl script might be the simplest/easiest and most secure option - I read Perl includes code to safely run suid Perl scripts - will dig out my Perl tomes.

G.

On 16 February 2011 22:45, Emile van Sebille wrote:
> On 2/16/2011 1:26 PM GSO said...
>>
>> I'm sure this question is as old as time, but what is the best way to
>> gain root privileges? (Am using Python 2.6.5, pygtk2 v2.16, Gtk
>> v2.18.9, on RHEL6.)
>>
>
> have root's password?
>
> Emile
Best way to gain root privileges
Apols for being a nuisance. I'm normally if anything a web programmer.

It looks like there are set-id functions in the os module. Further I don't actually need root privileges, just write access to a directory that a user ordinarily does not have write access to (and preferably not read). So a call to os.setegid(egid) with a group created for the program's use alone would do this then. (Unless this is bad technique security wise otherwise, as a uid 0 seteuid call would be considered; but surely what I am thinking of doing is not a security risk.)

> I have almost no experiences with Perl, but I really doubt, that the general
> problem would be solved with it.

Quoting from the article linked to by Steven D'Aprano: "If you are new to secure programming, I recommend either sudo or a Perl script. SUID Perl scripts have built-in protection to prevent programmers from making the mistakes addressed in this article."

Perl has something called 'tainted mode' built in, which for example will prevent what it judges as untrustworthy data being appended to the end of the passwd file.
Re: Best way to gain root privileges
> pretty much better off with sudo, or a tiny C wrapper that's so simple
> it's hard to get wrong. However, perl's taint feature would be useful
This snippet is about as tiny as it gets in C I think:
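#include <stdlib.h>   /* exit */
#include <unistd.h>   /* execle */

int main (int argc, char ** argv) {
    int err;
    char *newenv[] = { NULL };   /* empty environment for the target */
    if ((err = execle("/usr/bin/pauseme", "pauseme", (char *)NULL, newenv)) < 0 ) {
        exit(err);
    }
    return 0; // never reached!
}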
http://linuxgazette.net/67/tag/20.html
But even this is considered to be risky.
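The wrapper quoted in this message, extended as an added example (not code from the post or from the linked Linux Gazette article) to cover the inherited file-descriptor and environment issues raised earlier in the thread. The function names, the fixed `PATH` value and the ownership check are assumptions; `/usr/bin/pauseme` is the target path from the snippet above.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define TARGET "/usr/bin/pauseme"   /* same fixed path as the post's snippet */

/* Fixed environment: nothing from the caller (LD_PRELOAD, IFS, PATH) survives. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Make sure fds 0-2 are open, so files the target opens never land on them. */
int ensure_std_fds(void) {
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                       /* already open */
        if (open("/dev/null", O_RDWR) != fd)
            return -1;                      /* lowest free fd should be fd */
    }
    return 0;
}

/* Close every inherited descriptor in [3, max_fd); returns how many were open. */
int close_inherited_fds(long max_fd) {
    int closed = 0;
    for (long fd = 3; fd < max_fd; fd++)
        if (close((int)fd) == 0)
            closed++;
    return closed;
}

/* Refuse a target that is not a root-owned regular file or that is
 * writable by group or others. */
int target_is_trusted(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return st.st_uid == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(void) {
    long max_fd = sysconf(_SC_OPEN_MAX);
    if (ensure_std_fds() != 0 || !target_is_trusted(TARGET))
        return 126;
    close_inherited_fds(max_fd > 0 ? max_fd : 1024);
    execle(TARGET, "pauseme", (char *)NULL, clean_env);
    perror("execle");                       /* only reached if exec failed */
    return 127;
}
```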
Re: Best way to gain root privileges
> Passing things through sudo(1) is really the only sensible route these
> days but even that can be fraught with peril. For something as simple
> as, 'Write to a normally restricted area' it's probably no more secure
> than an ACL (and potentially way less if you screw up the sudo
> configuration).

OK, so I'm heading towards sudo then, aiming to make sure I don't screw up the configuration. This is a home CCTV application, so I want things as secure as possible. A setgid wrapper would require the kind of skilled programming that I couldn't do myself in order to keep things at a high level of security, but sudo I can handle.

There is also policykit http://live.gnome.org/PolicyKit which I mentioned in the initial post I think - not sure if this python lib can be used to do what I need though... https://fedorahosted.org/python-slip/
Re: Best way to gain root privileges
I essentially don't want to take a risk with a home CCTV prog., so unless I can persuade a highly skilled Unix programmer to write a wrapper (which I can't), then I think I'm best sticking with sudo.
Re: Best way to gain root privileges
> I'm having an awfully hard time figuring out why a home CCTV
> application might need privilege at all. Are you sure you really need
> privilege? It sounds to me like there may be some larger design
> issues mandating the need for privilege when it's not really
> necessary.

A user login should only be able to view the footage. It's important that a user login cannot delete any images/video. This much can be done with ACL - but having said that a user login would still be able to copy the images/video, so ACL would work but is not ideal - I could prevent copying with raised privileges. If I were to allow a user to archive footage without using an admin login then that would require ACL with write access, which is out of the question.

If a camera loses its connection I think it's OK to let a user restart the camera without using gksu, but this would require raised privileges. There are other misc. points where I need write access. The directory where images are stored by the live feed can become 'messy' (for want of a better way of putting it), write access is needed to tidy it up before live camera images can be viewed, it's not really appropriate to use gksu here every time a user wants to view the live images.

Also (I don't know exactly how I'm going to do this yet) but I'm thinking I might use the system log functions (syslogd) as part of a scheme to ensure the integrity of saved footage and the archive.

As a misc. point, I'm wondering why redhat 6 hasn't included gksu in with its gnome, policykit is there, but gksu is at this point omitted. (The policykit widget is not included with pygtk, or at least the version I'm using.) There is a package from another repo (beesu) that is a gksu replacement, but it's not ideal to be rummaging around in all corners of the Internet for code as critical as this.
Best way to gain root privileges
> Could restarts and cleanups be done with a root daemon separate from user
> scripts?

I like the idea of a user creating a login as you do typically with client/server progs, no need to have the root password all the time:

http://www.python.org/dev/peps/pep-3143/
http://pypi.python.org/pypi/python-daemon
http://docs.python.org/library/multiprocessing.html#module-multiprocessing
http://docs.python.org/library/socket.html

> FWIW, I recently read an article about how some internet-connected cameras
> are much more accessible to the world than the owners probably intended,
> even to the point, sometimes, of providing access to the built-in gui
> control panel. So some thought seems appropriate in this area ;-).

I'd like to read that article. My experience of wifi is that if you are not using the latest encryption standards then it will be hacked quite quickly. Otherwise if the product is cheap then I think you need to take a good look at the software running on it. I wouldn't put any CCTV anywhere near an Internet connected Windows machine (not unless someone at least in the first instance can tell me how to install the security updates without getting hacked first!).

I've been looking at this type of (wired) product myself http://j.mp/gLycNf (the starting point for supported devices is here http://linuxtv.org/wiki/index.php/Hardware_Device_Information ).

At the end of the day it's a dodgy business connecting any home CCTV to a network - I'll fork out on a dedicated system if I need to essentially, but Redhat 6 'seems' (I'm sure I'd soon know if it wasn't) secure, and so it's not a priority (they are expensive).

Computers are hacked in 2 ways, local crime will prefer to intrude and get direct access to the keyboard, but if you have your home CCTV installed then that does quite effectively keep them out, so the CCTV software keeps itself secure.

As to hacking over the Internet, I've found on a security hardened Redhat install, it seems the browser (don't run flash - use a kiosk login for this, e.g., xguest http://j.mp/eGKL19 ) can still be hacked and with hacking of the computer's memory following possibly also, but nothing that has got through to the core of the operating system as yet, so the CCTV software (I hope! you usually can tell) is safe -- I've just reminded myself to put the browser in a virtual machine at some point :)
Re: Best way to gain root privileges
> Come to think of it, I would first consider creating a 'cctv' user that owns
> the cameras and storage directories, and files and only do anything as root
> if absolutely necessary.

You can run 'sudo -g [group] ...', so no need to go near root.

> Running any kind of script sudo'd is a bad idea, it's very very hard
> (in many cases impossible) to do securely. Root permissions in general
> should only be used for what they're needed for and nothing else (that
> means getting the permission, doing the stuff that needs to be done as
> root, and then returning back to normal privs), anything else is just
> asking for trouble.

If you can do what you need to do with a dedicated group for the task/program (as above) then hopefully this would not be such an insecure approach? Better than asking for the admin. login possibly also?
Re: Best way to gain root privileges
On 17 February 2011 18:39, Adam Skutt wrote:
...
> As Terry suggests (and I fully concur), all of these issues are best
> solved by having a privileged daemon (though it may not need to be
> root or entirely root).

I think this could be done more or less with the multiprocessing module:

http://docs.python.org/library/multiprocessing.html#module-multiprocessing

However I would like to have a look at policykit first, it could be a more elegant solution:

http://pypi.python.org/pypi?:action=search&term=polkit&submit=search
http://en.wikipedia.org/wiki/PolicyKit
http://www.freedesktop.org/wiki/Software/PolicyKit
http://ubuntuforums.org/showthread.php?t=1359397
http://live.gnome.org/PolicyKit

I note that policykit was created by redhat, and that RHEL6 does not include gksudo in with its gnome for some odd reason.
Re: Best way to gain root privileges
On 18 February 2011 20:21, Alexander Kapps wrote:
...
> IIUC, then SELinux can also help, since it allows program-specific
> permissions. But I could easily be wrong here since I have yet to really
> learn SElinux.

Who has, LOL! If you could post a (very very) quick 'I don't have a PhD in computer security' guide I'm sure we'd all be very grateful :)
Re: Best way to gain root privileges
On 18 February 2011 20:23, Alexander Kapps wrote:
...
> Don't know if this helps you, but at least for CentOS 5.4, gksudo is
> available in the gksu package from rpmforge.

It looks as though policykit includes similar functionality, namely the command pkexec replaces gksudo:

http://hal.freedesktop.org/docs/polkit/pkexec.1.html
http://hal.freedesktop.org/docs/polkit/polkit.8.html
http://www.freedesktop.org/wiki/Software/PolicyKit

A python package:

http://pypi.python.org/pypi?:action=search&term=polkit&submit=search

But there is example python code here:

http://hal.freedesktop.org/docs/polkit/polkit-apps.html

I'm still not clear exactly how this works but will post some code once I figure it out.
Re: Best way to gain root privileges
> http://hal.freedesktop.org/docs/polkit/pkexec.1.html
> http://hal.freedesktop.org/docs/polkit/polkit.8.html
> http://www.freedesktop.org/wiki/Software/PolicyKit
>
> A python package:
>
> http://pypi.python.org/pypi?:action=search&term=polkit&submit=search
>
> But there is example python code here:
>
> http://hal.freedesktop.org/docs/polkit/polkit-apps.html

A quick note for completeness on policykit - it takes two config files to manage policykit (which threw me a bit), see pkexec, but see also pklocalauthority to authorise users:

http://hal.freedesktop.org/docs/polkit/pklocalauthority.8.html
http://mdzlog.alcor.net/2010/06/27/navigating-the-policykit-maze/

Also on the subject of creating/ running a daemon from init, a template for python code to do this here:

http://www.jejik.com/articles/2007/02/a_simple_unix_linux_daemon_in_python/
