Profile user & rights to run python code without access to source

0

I'm setting up a system (Ubuntu 18 Desktop). The computer is (mostly) used to control some hardware using a web browser application for the front end and a server. The server is written in Python/Cherrypy. Runs on a local network.

The general idea is that the user profile (say, Foobar) for end-users of the hardware would be controlling it through the browser. However, I still need to launch the server somehow, but here's the catch: I do NOT want Foobar to be able to view/access the source python code directly. I will also have another admin account for maintenance purposes (e.g. me).

What are my options to accomplish this? A few thoughts, but I'm not sure how/if they would work:

  • Have a script (bash?) that is run at startup. The script itself has execute (only?) rights on (...)/sourcecode/servermain.py and can thus launch the server. The user profile itself has no rights to that folder whatsoever.
  • Foobar has execute rights only on (...)/sourcecode/servermain.py. Therefore the profile can launch the code at startup, but since it has no read/write access it cannot view anything. But then would Foobar still be able to, say, download the file on some USB key? That would be an issue.
  • Other ideas/approaches?

Other details: I know I could eventually compile the Python code but that's not an option for various reasons right now. I need a solution that's based on user profiles/access rights.

The Foobar profile would be logged in at startup. This is basically meant so that users can just sit at the computer & control the machine right away with everything already set up for them to use with minimal fuss. The thing is in an access controlled room and the user profile will not have admin rights on the system.

Francky_V

Posted 2020-02-17T13:08:59.613

Reputation: 115

Answers

1

The script itself has execute (only?) rights on (...)/sourcecode/servermain.py

Interpreters always run with the same privileges as the launching user. So if the user cannot read the script, the Python interpreter won't be able to read it either.

With binary executables you could use the 'setuid' bit to work around this – but that feature does not work with #!-using scripts.

Have a script (bash?) that is run at startup

For this thread it's really important to remember that 'On startup' and 'On user logon' are very different events. The former is privileged (programs "on startup" have root privileges or any non-root user you want), the latter is not (programs "on logon" always have only that user's privileges). This still holds even if you have auto-logon on startup configured.

Other ideas/approaches?

If it behaves like a service, why not start it like an actual service, using the OS-provided service management functions?

  1. Create a separate user account for the service.

    useradd -r webapp
    
  2. Create a systemd *.service file that starts it on boot.

    [Unit]
    Description=Cherrypy webapp
    
    [Service]
    Type=...
    User=webapp
    ExecStart=/usr/bin/python ...
    
    [Install]
    WantedBy=multi-user.target
    

That's the usual way to start anything which needs its own account, be it a webapp or not. (Since the service manager is a privileged process, it can switch to any user it needs – completely independently from the "logged in" user if any.)

The same applies to any init system, no matter whether it's systemd or Upstart or SysV.


However, if you really don't want to do this through the init system, the other approach is to give the console user permissions to use sudo -u webapp for only those specific commands needed to start the service.

user1686

Posted 2020-02-17T13:08:59.613

Reputation: 283 655

Hadn't thought about seeing it as a service. Good idea. What happens then if the service for whatever reason crashes? Scouting the docs for systemd, seems I can set up some auto-restart (so that ideally Foobar has nothing to do)? – Francky_V – 2020-02-17T13:37:46.390
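An added example (not code from the answer or the comment above) that audits the permission model user1686 describes, i.e. that nothing in the source tree is accessible to a user outside the service account's group, and writes a unit that runs the server as that account and restarts it on crashes, which is what the comment asks about. The source path /opt/webapp, the account name webapp and the GNU find `-perm /` syntax (Ubuntu ships GNU findutils) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed (hypothetical) names:
# the source tree lives in /opt/webapp and is owned by the "webapp"
# service account; the console user (Foobar) is neither that owner nor
# a member of the webapp group, so only the "other" permission class
# applies to it.

# Succeed only if nothing under the tree has any bit set in the "other"
# class, so the console user can neither read, list nor traverse it.
# Uses GNU find's "-perm /mode" (any of the listed bits set).
audit_source_tree() {
    offenders=$(find "$1" -perm /o+rwx)
    if [ -n "$offenders" ]; then
        printf 'accessible to other users under %s:\n%s\n' "$1" "$offenders"
        return 1
    fi
}

# Write a unit that runs the server as the dedicated account, restarts it
# after a crash (Restart=on-failure) and keeps it from writing outside its
# own tree. $1 = output path, $2 = source directory.
write_unit() {
    cat > "$1" <<EOF
[Unit]
Description=Cherrypy webapp
After=network.target

[Service]
Type=simple
User=webapp
Group=webapp
WorkingDirectory=$2
ExecStart=/usr/bin/python3 $2/servermain.py
Restart=on-failure
RestartSec=5
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true

[Install]
WantedBy=multi-user.target
EOF
}

# Stand-alone use: ./check.sh /opt/webapp [unit-output-path]
# Only emit the unit when the tree really is private to the account.
if [ -n "${1:-}" ]; then
    audit_source_tree "$1" && write_unit "${2:-webapp.service}" "$1"
fi
```

Install the generated file as /etc/systemd/system/webapp.service and enable it; `systemctl status webapp` shows the automatic restarts after a crash.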