{"id":25566,"date":"2020-05-15T12:31:48","date_gmt":"2020-05-15T10:31:48","guid":{"rendered":"https:\/\/pi3g.com\/?p=25566"},"modified":"2020-05-15T12:40:10","modified_gmt":"2020-05-15T10:40:10","slug":"secure-command-execution-with-python-subprocess-popen","status":"publish","type":"post","link":"https:\/\/pi3g.com\/de\/secure-command-execution-with-python-subprocess-popen\/","title":{"rendered":"sichere Befehlsausf\u00fchrung mit Python: subprocess.Popen"},"content":{"rendered":"

Security is important for me while developing the picockpit-client. <\/p>\n

The following applies to Linux systems (but probably is applicable to all Unix like systems, including macOS)<\/p>\n

Python allows to run external commands using the subprocess module.<\/p>\n

\n

import subprocess<\/p>\n<\/blockquote>\n

In the upcoming version of PiCockpit, users will be able to create their own buttons (simply editing a JSON file on the Pi) in order to run commands.<\/p>\n

PiCockpit will ship with three buttons by default:<\/p>\n

\"image\"<\/a><\/p>\n

These commands all require root privileges. picockpit-client, per default, runs with root privileges on your system.<\/p>\n

But other commands you want to execute, should run as less privileged users (we default to the user \u201cpi\u201d). In fact, some commands, like the Chromium Browser will refuse <\/strong>to run as root.<\/p>\n

In short, we need a solution to run these processes using a different user.<\/p>\n

This is possible, thanks to the preexec_fn<\/strong> parameter for popen.<\/p>\n

Here is my code:<\/p>\n

\n

def thread_run(self):
     def sanitize(input_string):
         #https:\/\/maxharp3r.wordpress.com\/2008\/05\/15\/pythons-minidom-xml-and-illegal-unicode-characters\/<\/a>
         RE_XML_ILLEGAL = u'([\\u0000-\\u0008\\u000b-\\u000c\\u000e-\\u001f\\ufffe-\\uffff])’ + \\
                          u’|’ + \\
                          u'([%s-%s][^%s-%s])|([^%s-%s][%s-%s])|([%s-%s]$)|(^[%s-%s])’ % \\
                          (chr(0xd800), chr(0xdbff), chr(0xdc00), chr(0xdfff),
                           chr(0xd800), chr(0xdbff), chr(0xdc00), chr(0xdfff),
                           chr(0xd800), chr(0xdbff), chr(0xdc00), chr(0xdfff))
         return re.sub(RE_XML_ILLEGAL, “”, input_string)<\/p>\n

    def demote(user, uid, gid):
         def demote_function():
             print(“starting”)
             print (‘uid, gid = %d, %d’ % (os.getuid(), os.getgid()))
             print (os.getgroups())
             # initgroups must be run before we lose the privilege to set it!
             os.initgroups(user, gid)
             os.setgid(gid)
             # this must be run last
             os.setuid(uid)
             print(“finished demotion”)
             print(‘uid, gid = %d, %d’ % (os.getuid(), os.getgid()))
             print (os.getgroups())
         return demote_function<\/p>\n

    def run_cmd(cmd, cmd_def):
         return_code = 0
         return_error = “”
         return_result = “”
         timeout = None
         user = “pi”
         if “timeout” in cmd_def:
             if isinstance(cmd_def[“timeout”], int):
                 if cmd_def[“timeout”] > 0:
                     timeout = cmd_def[“timeout”]
         if “user” in cmd_def:
             if isinstance(cmd_def[“user”], str):
                 user = cmd_def[“user”]
         try:
             print(“picontrol :: setup of user rights”)
             uid = pwd.getpwnam(user).pw_uid
             gid = pwd.getpwnam(user).pw_gid
             print(“picontrol :: requested user ” + user + ” uid ” + str(uid) + ” gid ” + str(gid))
             print(“picontrol :: starting command … “)
             print(cmd)
             proc = subprocess.Popen(
                 cmd,
                 stdout=subprocess.PIPE,
                 stderr=subprocess.PIPE,
                 preexec_fn=demote(user, uid, gid)
             )
             # TODO: handle timeout differently
                 # timeout=timeout)               
             print(“picontrol :: AFTER subprocess.Popen”)
         except FileNotFoundError:
             return_code = errno.ENOENT
             return_error = “Command not found on your system ” + ” “.join(cmd)
         # TODO: will this actually ever be called?
         except subprocess.TimeoutExpired:
             return_code = errno.ETIME
             return_error = “Command timeout expired (” + str(cmd_def[“timeout”]) + ” sec)”
         except Exception as e:
             if hasattr(e, ‘errno’):
                 return_code = e.errno
             else:
                 return_code = 1
             if hasattr(e, ‘message’):
                 return_error = str(e.message)
             else:
                 return_error = str(e)
         else:
             # process can execute normally, no exceptions at startup
             process_running = True
             while process_running:
                 if proc.poll() is not None:
                     process_running = False
                 if self.stop_flag.is_set():
                     print(“stop flag received in process_running, setting process_running to false”)
                     process_running = False
                     # and also do steps for active termination after that.
                 # half a second of resolution
                 time.sleep(0.5)
             return_code = proc.returncode
             return_error = sanitize(proc.stderr.read().decode(‘UTF-8’).rstrip(“\\r\\n”))
             return_result = sanitize(proc.stdout.read().decode(‘UTF-8’).rstrip(“\\r\\n”))<\/p>\n

        return (return_code, return_error, return_result)\n<\/p>\n<\/blockquote>\n

This code is a work in progress, so parts of it may not work. The parts I want to discuss in this blog post, however DO work.<\/p>\n

User under Linux<\/h1>\n

A user name, under Linux, will be assigned a user id, a user group, and the user will be a member<\/strong> of other groups.<\/p>\n

\/etc\/passwd<\/strong> contains the users defined on the system:<\/p>\n

\"image\"<\/a><\/p>\n

The entries can be decoded as follows:<\/p>\n

user : password : user id (uid) : group id (gid) : full name of the user (GECOS) : user home directory : login shell<\/p>\n

Interesting sidenote: storing the password in \/etc\/passwd (in an encrypted form) is optional (in case the password is not stored, an x<\/strong> is stored here); Since this file is world-readable, many systems opt to use the root-readable \/etc\/shadow instead:<\/p>\n

\"image\"<\/a><\/p>\n

which indeed contains the password.<\/p>\n

For picockpit, we get the user name from the JSON settings file, and want to set up everything else accordingly. So we start out with:<\/p>\n

\n

uid = pwd.getpwnam(user).pw_uid
\ngid = pwd.getpwnam(user).pw_gid<\/p>\n<\/blockquote>\n

\n(Be sure to import pwd<\/em>).<\/p>\n

The pwd module allows us to access the \/etc\/passwd file using Python. getpwnam looks up the corresponding line by name of the user, in our case \u201cpi\u201d, or \u201croot\u201d (or whatever you want, whatever is set up in the JSON file).<\/p>\n

This will help us obtain the user\u2019s user id (uid) and their group id (gid).<\/p>\n

Next we call subprocess.Popen:<\/p>\n

\n

proc = subprocess.Popen(
     cmd,
     stdout=subprocess.PIPE,
     stderr=subprocess.PIPE,
     preexec_fn=demote(user, uid, gid)
\n)<\/p>\n<\/blockquote>\n

The stdout and stderr are PIPEd, so we can capture them later. <\/p>\n

the preexec_fn is set to demote(user, uid, gid). <\/p>\n

Important!<\/h3>\n

This is an important bit: preexec_fn expects a function<\/strong> handle, which it will execute in the context of the new process it is starting (so the process will demote itself!). This function will run before the actual code, thus we can be sure that the code will execute in the context we want it to execute<\/strong>. <\/p>\n

The way we pass demote here, it looks as if the function is being called. <\/p>\n

But look at the definition of demote:<\/p>\n

\n

def demote(user, uid, gid):
     def demote_function():
\n<\/font>        print(“starting”)
         print (‘uid, gid = %d, %d’ % (os.getuid(), os.getgid()))
         print (os.getgroups())
         # initgroups must be run before we lose the privilege to set it!
         os.initgroups(user, gid)
         os.setgid(gid)
         # this must be run last
         os.setuid(uid)
         print(“finished demotion”)
         print(‘uid, gid = %d, %d’ % (os.getuid(), os.getgid()))
         print (os.getgroups())
     return demote_function<\/p>\n<\/blockquote>\n

This function wraps another function inside itself, which it returns. Using the syntax which is specified above we actually return a function<\/strong> but are able to pass parameters to it, too.<\/p>\n

Kind of like having your cake, and eating it. Nice \"Smile\"<\/p>\n

Here is a screenshot, in case WordPress messes with the syntax above:<\/p>\n

\"image\"<\/a><\/p>\n

OK, now I\u2019ll explain the code in this demote function:<\/p>\n

os.initgroups: <\/strong><\/p>\n

we set up the groups which the process should be a member of (yes, we have to do this \u2013 otherwise the process will only be a member of the default pi group) \u2013 this command expects the user name<\/strong><\/p>\n

os.setgid:<\/strong><\/a><\/p>\n

here we set up the group id for the new process.<\/p>\n

There is also a function os.setegid<\/a>() which is described as \u201cSet the current process\u2019s effective group id.\u201d  <\/p>\n

What is the difference?<\/p>\n

setegid sets the gid in a temporary way, so that the process can return to the original gid later. This is not what we want, since the process we are calling could upgrade it\u2019s rights back up again.<\/p>\n

os.setuid(uid):<\/a><\/strong><\/p>\n

similarly, there is a os.seteuid(euid)<\/a> function, which would allow the executed process to \u201cupgrade back\u201d. So we\u2019re not using that.<\/p>\n

<\/p>\n

The order of these commands is important! <\/strong>If we would set the user id first, we would not have sufficient privileges to set up the groups, for example. So set the user id last.<\/p>\n

<\/p>\n

Sidenote: preexec_fn could be used to set up environment variables and other things, too, to allow for more flexibility. Possibly in a future picockpit-client upgrade, let\u2019s see. <\/p>\n

Sidenote 2: the preexec_fn writes to the new process output stream (remember, it is pre-executed in it\u2019s context):<\/p>\n

That is why the debug output is sent to the picockpit frontend:<\/p>\n

\"image\"<\/a><\/p>\n

Ref<\/h2>\n