以 root 身份运行 python 脚本
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/22574201/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Running python script as root
提问by moesef
I have the following script:
我有以下脚本:
#!/usr/bin/env python
import sys
import pyttsx
def main():
print 'running speech-text.py...'
engine = pyttsx.init()
str = "Hi..."
if len(sys.argv) > 1:
str = sys.argv[1]
engine.say(str)
engine.runAndWait()
if __name__ == '__main__':
main()
and I have placed it in /usr/bin/speech-test.py
我已经把它放在 /usr/bin/speech-test.py
I have also given it executable permissions and ownership to root:
我还赋予它可执行权限和所有权给 root:
sudo chown root:root /usr/bin/speech-test.py
sudo chmod 4755 /usr/bin/speech-test.py
However, this script will only run correctly if I run as sudo speec-test.py. If I try to run it as just speech-test.pyit complains about not finding a bunch of ALSA lib files.
但是,如果我以sudo speec-test.py. 如果我尝试运行它,speech-test.py它会抱怨找不到一堆 ALSA lib 文件。
Am I missing something to have my script run with root privileges?
我是否缺少让我的脚本以 root 权限运行的东西?
采纳答案by janos
So you want the script to run as root, even without sudo? For that you would need to set the setuid biton the script with sudo chmod u+s program. However, most Unix distributions allow this only for binaries, and not for scripts, for security reasons. In general it's really not a good idea to do that.
所以您希望脚本以 方式运行root,即使没有sudo? 为此,您需要在脚本上设置setuid 位sudo chmod u+s program。但是,出于安全原因,大多数 Unix 发行版只允许对二进制文件执行此操作,而不允许对脚本执行此操作。一般来说,这样做真的不是一个好主意。
If you want to run this script as root, you will have to run as sudo. Or, you have to create a binary that runs your script, so that you can set the setuid bit on this binary wrapper. This related questionexplains more.
如果要以 root 身份运行此脚本,则必须以sudo. 或者,您必须创建一个运行脚本的二进制文件,以便您可以在此二进制包装器上设置 setuid 位。这个相关的问题解释了更多。
It's also a good idea to check the effective uid, and if it's not root then stop running. For that, add this near the top (thanks @efirvidafor the tip!)
检查有效的 uid 也是一个好主意,如果它不是 root 则停止运行。为此,将其添加到顶部附近(感谢@efirvida的提示!)
if not os.geteuid() == 0:
sys.exit("\nOnly root can run this script\n")
ORIGINAL ANSWER
原答案
Maybe your user and root use a different version of python, with different python path, and different set of libraries.
也许你的用户和 root 使用不同版本的 python,不同的 python 路径和不同的库集。
Try this:
尝试这个:
command -v python
sudo command -v python
If the two commands don't give the same result then you either need to change the setup of the users to use the same version of python(the one that has the ALSA libs), or hardcode the python version the first line of the script.
如果这两个命令没有给出相同的结果,那么您要么需要更改用户的设置以使用相同版本python(具有 ALSA 库的版本),或者在脚本的第一行硬编码 python 版本。
Also try adding a print sys.pathline in the script, and run with your user and with sudoand compare. Probably you'll get different results. You may need to tweak the PYTHONPATHvariable of your user.
还可以尝试print sys.path在脚本中添加一行,并与您的用户一起运行sudo并进行比较。可能你会得到不同的结果。您可能需要调整PYTHONPATH用户的变量。
It shouldn't be necessary to make the owner of the script root, and to run it with sudo. You just need to configure pythonand PYTHONPATHcorrectly.
没有必要让脚本的所有者成为 root,并使用sudo. 你只需要配置python和PYTHONPATH正确。
回答by Hot.PxL
Its running privilege is the same as the one who ran it. So if you ran it as yourself, it won't have su privilege. You have to do it sudo.
它的运行权限与运行它的人相同。因此,如果您以自己的身份运行它,它将没有 su 权限。你必须这样做sudo。
回答by JimiMyFr13nd
I'm not really sure if this is a great method. I tried it and it works fine on arch linux. Let me what you think. If you write a script to execute the .py as different system group, that group can own a python interpreter and have specified root capabilities.
我不确定这是否是一个很好的方法。我试过了,它在 arch linux 上运行良好。让我怎么想。如果您编写脚本以将 .py 作为不同的系统组执行,则该组可以拥有一个 Python 解释器并具有指定的 root 权限。
mkdir roottest && cd roottest
sudo cp /usr/bin/python<ver> ./
sudo groupadd -r rootpython
sudo usermod -a -G rootpython <user>
newgrp rootpython
sudo chown root:rootpython python<ver>
sudo chmod 750 $bin #that way a normal user can't rwx the python interpreter and the rootpython group cant write.
sudo setcap <caps> ./python<ver> #now the group has specify caps allowing it to act like root
sudo getcap ./python<ver>
sudo sh
touch rootfile && echo "original text" > rootfile
open a new prompt as regular user
以普通用户身份打开一个新提示
newgroup rootpython
cd roottest && ./python<ver>
>> open('rootfile', 'w').write("different text")
sudo cat rootfile
This method is way more secure than sudo if used properly because python can only do what you let it and does not have complete control of the system. The downside is having to either make a copy of the interpreter or to not allow the regular user's group to use it. DO NOT run all your python code like this, its a big vulnerability if not needed. The cap_net_admin+ep will allow you to change the kernal var ip_forward and for the example above you need cap_dac_override+ep. You can also create a newuser that belongs to the rootpython group, that way you can't just newgrp rootpython without entering the newuser's password.
如果使用得当,这种方法比 sudo 更安全,因为 python 只能做你让它做的事情,并且不能完全控制系统。缺点是要么制作解释器的副本,要么不允许普通用户组使用它。不要像这样运行所有的 python 代码,如果不需要,它是一个很大的漏洞。cap_net_admin+ep 将允许您更改内核变量 ip_forward,对于上面的示例,您需要 cap_dac_override+ep。您还可以创建一个属于 rootpython 组的新用户,这样您就不能在不输入新用户密码的情况下只使用 newgrp rootpython 。
