python - Simplest way to switch the linux users through the web (django) without sudo?


Aim: to create a user-friendly web interface for a Linux program, without the terrible SSH (console) stuff. I have chosen Python + Django + Apache. Problem: the user should log in through the browser as a Linux user, and the user's requests should be served on behalf of that Linux user. Right now the server runs as root, and when a user logs in through the browser, the server (as root) can switch to the required user using the Django user name:

    import os
    import pwd

    # look up the numeric uid of the Django user name and become that user
    uid = pwd.getpwnam(username)[2]
    os.setuid(uid)

and then it can execute the Django stuff on behalf of the appropriate user.


The problem: the server must run as root! How can I make it possible to run the server with the usual Apache user rights while still providing login as a Linux user through the browser (just user name and password in an HTTP POST request, then log in as the appropriate user using Python)?


Update: I need to map a user via the web to a specific Linux user, give him his home directory and execute a specific Linux program as that specific user! I guess this is what Webmin does?


Possible solution: executing "su username" doesn't work without a terminal:

    import subprocess

    # try to feed the password to su over stdin (Python 2 syntax, as in the original post)
    p = subprocess.Popen(["su", "test"], stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.STDOUT)
    suout = p.communicate(input="test")[0]
    print suout

I got: "su: must be run from a terminal"

I'm not sure there are "standard" approaches to dealing with this problem. However, a simple technique for environments with a small number of users doesn't involve sudo, nor changing the uid inside the web server (which is very problematic with concurrent access by multiple users).

Launch a daemon process for each user having access to the application. This process should serve the web requests of that user over FastCGI (substitute the protocol of your choice). The web server should have a user-to-port-number mapping. Then, redirect the gateway's requests to the proper FastCGI process based on the logged-on Django user.

Example (using internal redirects in nginx, assuming a FastCGI setup):

  1. User foo logs on to the Django web application.
  2. User foo requests the page /.../
  3. The Django application receives the request for /.../ from user foo.
  4. The Django application returns the custom HTTP header X-Accel-Redirect to indicate an internal redirect to /delegate/foo/.../.
  5. nginx forwards the request and finds the location /delegate/foo/ associated with the FastCGI handler on port 9000.
  6. The FastCGI handler is running as user foo, and grants access to the stuff in his home directory.

You can substitute the web server and communication protocol combination of your choice. I used FastCGI here because it allows writing both the gateway and the handler as Django applications. I chose nginx because of its internal redirect feature: it prevents impersonation through direct use of the /delegate/foo/.../ URLs by users other than foo.

update

Example:

Assuming you have the flup module, you can start a FastCGI server directly using Django. To start the Django application on FastCGI under a specific user account, you can use:

    sudo -u $user python /absolute/path/to/manage.py runfcgi host=127.0.0.1 port=$port

Substitute $user with the user name and $port with a unique port for that user (no two users can share the same port).

Assuming an nginx configuration, you can set it up like this:

    location /user/$user {
        internal;
        fastcgi_pass 127.0.0.1:$port;
        # additional fastcgi configuration...
    }

Make sure to add one such directive for each $user and $port combination above.

Then, in the front-end Django application, you can check permissions and so on using:

    from django.contrib.auth.decorators import login_required
    from django.http import HttpResponse

    @login_required
    def central_dispatch_view(request):
        # empty response body; nginx acts on the header and serves the internal location
        response = HttpResponse()
        response['X-Accel-Redirect'] = '/user/' + request.user.username
        return response

Disclaimer: this is totally untested, and a year after the original answer I'm not sure it is possible, because the documentation on X-Sendfile in nginx specifies that it should work for static files. I haven't inquired further to know if it can perform an internal nginx redirect to a FastCGI application.

Alternate solution: a better approach might not involve internal redirects, but instead use a FastCGI authorizer. Basically, this is a FastCGI program the web server runs before serving a request. Then you can bypass the shady internal redirect thing and have the FastCGI authorizer check whether the request accessing /user/foo/ can be served to the Django user logged in as foo. The authorizer program won't be able to run the Django application (since it is not an HTTP request/response cycle), but it can be written using flup and can access the Django settings.
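The per-user dispatch described in this answer, as an added example that is not part of the original post: it keeps the user-to-port mapping in one place, generates the matching internal nginx locations, and builds the X-Accel-Redirect header only for a user who has a registered handler and a user name that cannot escape the /user/<name> prefix. The USER_PORTS mapping and the user names in it are constructed sample data, and the `valid_username` pattern is an assumption, not something from the post.

```python
import re
from typing import Dict

# Constructed sample mapping: Linux user -> port of that user's FastCGI process.
USER_PORTS: Dict[str, int] = {"foo": 9000, "bar": 9001}

# Conservative POSIX-style login name: no '/', '..' or whitespace can appear,
# so the name can never widen the nginx location it is interpolated into.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def valid_username(name: str) -> bool:
    return bool(_USERNAME_RE.match(name))


def render_nginx_locations(user_ports: Dict[str, int]) -> str:
    """Emit one `internal` location per user; refuse shared ports or unsafe names."""
    if len(set(user_ports.values())) != len(user_ports):
        raise ValueError("two users may not share a FastCGI port")
    blocks = []
    for user, port in sorted(user_ports.items()):
        if not valid_username(user):
            raise ValueError("unsafe user name: %r" % user)
        blocks.append(
            "location /user/%s/ {\n"
            "    internal;\n"
            "    fastcgi_pass 127.0.0.1:%d;\n"
            "}\n" % (user, port)
        )
    return "".join(blocks)


def accel_redirect_headers(username: str, path: str,
                           user_ports: Dict[str, int]) -> Dict[str, str]:
    """Headers the front-end view sets so nginx hands the request to the user's own handler.

    `username` is request.user.username in the Django view; `path` is the requested
    path. Anyone without a registered handler gets a PermissionError (a 403 in the view).
    """
    if not valid_username(username) or username not in user_ports:
        raise PermissionError("no delegated handler for %r" % username)
    if not path.startswith("/") or any(seg == ".." for seg in path.split("/")):
        raise ValueError("bad request path")
    return {"X-Accel-Redirect": "/user/%s%s" % (username, path)}
```

Because every generated location is marked `internal`, a direct browser request to /user/foo/... is answered by nginx with 404 and the only way to reach foo's handler is through the header the authenticated view sets.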

