0

I am trying to run a Python script in Apache 2.x using mod_python. I edited httpd.conf to use the publisher handler:

    LoadModule python_module /usr/local/apache2/modules/mod_python.so
    <Directory /usr/local/apache2/htdocs/mod_python>
        SetHandler mod_python
        PythonHandler mod_python.publisher
        PythonDebug On
    </Directory>

I am trying to add a rule to the firewall using a Python script that requires root privileges. It asks for root privileges? Can someone please help?

    #!/usr/local/bin/python
    #from mod_python import apache
    import sys
    import errno
    import pf

    def index(req):
        # Handle used to control the packet filter
        filter = pf.PacketFilter()

        try:
            # Enable packet filtering
            filter.enable()
            print("pf is enabled")
            return "pf is enabled"
        except IOError as e:
            if e.errno == errno.EACCES:
                #sys.exit("Permission denied: are you root?")
                return "Permission denied: are you root?"
            elif e.errno == errno.ENOTTY:
                #sys.exit("ioctl not supported by the device: is the pf device correct?")
                return "ioctl not supported by the device: is the pf device correct?"
            # Any other I/O error: re-raise instead of silently returning None
            raise

This is the Python script that I want to execute through Apache on OpenBSD. It uses mod_python.

4

2 Answers

1

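Please post your Python script somewhere and give us the link. How does your Python script try to communicate with pf? Through pfctl? Assuming you are trying to add an IP to a table:

    pfctl -t thetable -T add x.x.x.x

Find out which user runs Apache:

    ps aux | grep apache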

Then you must edit /etc/sudoers so that user is able to run the pfctl command without a password. So let's say that you run Apache as www. Place the following in sudoers:

    www ALL=(ALL:ALL) NOPASSWD: /sbin/pfctl

Finally, in the Python script (let's say you call the external command with subprocess):

    from subprocess import call
    # Same command as above: -t names the table, -T gives the table command
    call(["sudo", "pfctl", "-t", "thetable", "-T", "add", "x.x.x.x"])

But please keep in mind that the whole scheme is really a bad idea and you shouldn't do it that way. Get rid of the Python script if you can and run the bundled Apache 1.3, which is privseped and audited. Run the webserver in a chroot. Never expose the control of your firewall to user input, especially when this comes over the web. I am sure that if you elaborate on what you want to do, we could find a much more efficient and secure setup.

answered 2013-04-10T10:20:08.080
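
A hardened form of the `subprocess` call from the answer above, as an added example that is not part of the original answer: it accepts the request value only if it parses as a single IP literal and builds a fixed argument vector with no shell. It is written for Python 3 (`ipaddress`), keeps `thetable` and `/sbin/pfctl` from the answer, and the helper names and the rejected address classes are assumptions.

```python
import ipaddress
import subprocess

PFCTL = "/sbin/pfctl"   # path taken from the sudoers line in the answer
TABLE = "thetable"      # fixed on the server; never taken from the request


def parse_host_address(text):
    """Return a canonical single IP address string or raise ValueError."""
    if not isinstance(text, str) or len(text) > 45:
        raise ValueError("not an address")
    # ip_address() accepts only a literal address: no hostnames, no CIDR
    # ranges, and nothing starting with "-" that pfctl could read as an option.
    addr = ipaddress.ip_address(text.strip())
    # Assumed policy: address classes that a web request may never add.
    if (addr.is_unspecified or addr.is_loopback or addr.is_multicast
            or addr.is_link_local):
        raise ValueError("address class not allowed: %s" % addr)
    return str(addr)


def pfctl_add_argv(text):
    """Build the argument vector; only the validated address is variable."""
    return ["sudo", "-n", PFCTL, "-t", TABLE, "-T", "add",
            parse_host_address(text)]


def add_to_table(text, runner=subprocess.run):
    """Validate, then run pfctl through sudo. True only on exit status 0."""
    try:
        argv = pfctl_add_argv(text)
    except ValueError:
        return False    # rejected before any process is started
    # List form means no shell is involved; -n makes sudo fail, not prompt.
    result = runner(argv, capture_output=True, timeout=5)
    return result.returncode == 0
```

The sudoers line in the answer still lets `www` run pfctl with any arguments, so this check limits what a request can inject, not what a compromised Apache process can do.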
1

You cannot run Python scripts under mod_python as the root user. This is because Apache will always drop privileges to an untrusted user. The only way to get around it would be to recompile Apache from source code and define a magic preprocessor macro which enables the security hole which allows Apache worker processes to run as root.

In summary, don't do it, it is dangerous.

Also be aware that mod_python is no longer maintained or developed, and it is questionable whether you should use it in the first place.

answered 2013-04-14T04:48:45.453