Join Log in
Score:0
GregoirePelegrin avatar Ubuntu

Allow restricted bash users to run specific python script

re flag
GregoirePelegrin

I need to allow a particular user to run a specific python script. This user has access to a restricted bash which for now allows only the clear command.
Usually, the script would be run through python3 script_name.py. In this case, the goal is to restrict the users capabilities at the maximum. Thus, I would like to not give access to the python3 command to the user.
Is there a way to restrict the use of the python3 command to the specific python3 script_name.py or a way to automatically and temporarily switch user to an authorized one, run the script, and then switch back to the original user?
Thanks a lot!

Edit:
While searching further information regarding the capabilities of the restricted shell and its configuration, I found this page, on which is said:

When a command that is found to be a shell script is executed (see Shell Scripts), rbash turns off any restrictions in the shell spawned to execute the script.

Does this mean that creating a .sh file containing python3 script_name.py in the base folder for the user and adding the execution rights to this file should solve my issue? It is after all a shell script and thus should be exempted from restrictions.

Update: While a script didn't solve my issue, @muru pointed me to a functional workaround.
I created a "launcher.py" executable file in the user's commands location containing only the following:

#! /usr/bin/python3

import sys
sys.path.insert([1], <path_to_actual_script>)

import <actual_script>

This allows the user to run the launcher.py command while not directly having access to the program.

261
1 + 3
muru avatar
us flag
muru
Yes, using a script should avoid the issue, since the assumption is that you have vetted all scripts available for the restricted user. However, why not just make the script executable and use `#! /usr/bin/python3` as the shebang?
1
Reply
GregoirePelegrin avatar
re flag
GregoirePelegrin
I'll try both methods, and i'll let you know which works and which doesn't. In case your solution works, you might want to post this as an answer so I can accept it.
0
Reply
GregoirePelegrin avatar
re flag
GregoirePelegrin
Turns out using a script returns the same error as using the `python3` command directly, it doesn't work. Instead, I worked with what you recommended, I explain it in my edit.
0
Reply
Score:1
Jacek Marcin Jaworski avatar Ubuntu
um flag
Jacek Marcin Jaworski

This is posible in theory. You have to:

  1. Install firejail - sandbox in Ubuntu. It is suitable for apps provided in deb and appimage packages;
  2. Create custom firejail profile for bash (restricted to use sudo, python3 and script_name.py);
  3. Create script restricted_bash.sh - it has to start bash in firejail with custom bash profile;
  4. Change user shell in /etc/passwd to restricted_bash.sh;
  5. Modify script_name.py: add #!/usr/bin/python3 as first line.

Note: This is not tested!

Note: The disadwantage is that you have give user access to the python3 - is normal because firejail restrictions are destiny and probably can not be escalated on demand (e.g. when you run script_name.py).

Note: bash have many build in commands, and you can not disable them in that way. In order to drop them all you will have to use other shell or even create custom restricted shell.

+ 4
GregoirePelegrin avatar
re flag
GregoirePelegrin
Regarding firejail, I am not sure what it does, especially after reading your note stating that the user would be given access to the `python3` command. I am using a restricted shell already to limit the set of commands accessible to the user to `clear` only, so adding `python3` wouldn't be difficult, although this is something I would like to avoid. I will look further into the possibilities that a restricted shell can provide.
0
Reply
Jacek Marcin Jaworski avatar
um flag
Jacek Marcin Jaworski
Explanation: firejail is sandbox in Ubuntu. It is suitable for apps provided in deb and appimage packages. snap packages canot work with firejail. flatpack packages probably canot work with firejail. The advantage of firejail is simplicity and flexibility - this is oposite to snap which is beyond of user control.
0
Reply
GregoirePelegrin avatar
re flag
GregoirePelegrin
I am not sure how this would solve my issue at hand here, but I'll keep this in mind for future applications! Do you have an idea on how this would restrict the use of the `python3` command?
0
Reply
Jacek Marcin Jaworski avatar
um flag
Jacek Marcin Jaworski
No, I have no idea how to use `python3` without aces it.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.