0
I'm setting up a system (Ubuntu 18 Desktop). The computer is (mostly) used to control some hardware using a web browser application for the front end and a server. The server is written in Python/Cherrypy. Runs on a local network.
The general idea is that the user profile (say, Foobar) for end-users of the hardware would be controlling it through the browser. However, I still need to launch the server somehow, but here's the catch: I do NOT want Foobar to be able to view/access the source python code directly. I will also have another admin account for maintenance purposes (e.g. me).
What are my options to accomplish this? A few thoughts, but I'm not sure how/if they would work:
- Have a script (bash?) that is run at startup. The script itself has execute (only?) rights on (...)/sourcecode/servermain.py and can thus launch the server. The user profile itself has no rights to that folder whatsoever.
- Foobar has execute rights only on (...)/sourcecode/servermain.py. Therefore the profile can launch the code at startup, but since it has no read/write access it cannot view anything. But then would Foobar still be able to, say, download the file on some USB key? That would be an issue.
- Other ideas/approaches?
Other details: I know I could eventually compile the Python code but that's not an option for various reasons right now. I need a solution that's based on user profiles/access rights.
The Foobar profile would be logged in at startup. This is basically meant so that users can just sit @ the computer & controle the machine right away with everything already setup for them to use with minimal fuss. The thing is in an access controlled room and the user profile will not have admin rights on the system.
Hadn't thought about seeing it as a service. Good idea. What happens then if the service for whatever reason crashes? Scouting the docs for systemd, seems I can setup some auto-restart (so that ideally Foobar has nothing to do)? – Francky_V – 2020-02-17T13:37:46.390