Hi, I need a better way to prevent normal users from executing my Python script. I'm doing something like this:

import os

if __name__ == '__main__':
    # proceed only when the USER environment variable is 'root'
    if os.getenv('USER') == 'root':
        addUser = addUser()
    else:
        print('Only root can run that!')

It's working, but it's pretty ugly! My script is about user management on a Debian system. Thank you, and sorry about my English.

+10  A: 

Python code can be viewed and edited to circumvent any protection you put in; your best bet is to restrict executable access by user in Debian so only root can execute/view/edit.

See chmod

Ian Wetherbee
+4  A: 

It's more normal to restrict access to the resources an executable needs to work than to enforce permissions at the level of the executable. For example, the mount(8) command can normally be run by any user, but the device files needed to actually mount real volumes are restricted to certain users or groups, and the mount command checks to see if the operation would be possible before even attempting to make the syscalls to perform the device operations.

This works as well with regular files. For instance, many Linux package managers require a database of installed programs. Before installing anything, the package manager will check the permissions on the database file to see if the calling user could write to it, and also checks the destination directories to see if the user could modify those. Even if the package manager does not perform these checks, they can't make those changes when they try; the kernel simply prevents the program from performing an action the owning user is not permitted to make.

TokenMacGuy
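The following is an added example, not code from the question or from either answer. It contrasts the question's environment-variable check with asking the kernel for the effective UID, and shows the resource-based approach from the second answer: an advisory permission pre-check followed by the write itself, which the kernel enforces. The function names and the `passwd.sample` file are hypothetical, constructed so the script runs without touching real system files.

```python
import os
import tempfile

def env_claims_root(environ):
    """The question's check: trusts a variable the caller controls."""
    return environ.get("USER") == "root"

def is_root():
    """Ask the kernel for the effective UID instead of the environment."""
    return os.geteuid() == 0

def unwritable(paths):
    """Advisory pre-check, useful for a friendly error message only.
    os.access() tests the real UID, and the answer can change before
    the file is actually opened."""
    return [p for p in paths if not os.access(p, os.W_OK)]

def append_record(path, line):
    """The real enforcement point: the kernel refuses the open()."""
    try:
        with open(path, "a") as fh:
            fh.write(line + "\n")
        return True
    except PermissionError:
        return False

def demo():
    """Runs the checks against a constructed, read-only sample file."""
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "passwd.sample")  # hypothetical stand-in
    with open(db, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    os.chmod(db, 0o444)  # read-only, like a root-owned file seen by others
    spoofed = env_claims_root({"USER": "root"})  # True for any caller
    blocked = unwritable([db])
    written = append_record(db, "alice:x:1001:1001::/home/alice:/bin/sh")
    return spoofed, is_root(), blocked, written, db

if __name__ == "__main__":
    spoofed, root, blocked, written, db = demo()
    print("env check accepts USER=root from anyone:", spoofed)
    print("effective UID is 0:", root)
    print("pre-check reports unwritable:", blocked)
    print("kernel allowed the write:", written)
```

Run as an ordinary user, the pre-check lists the sample file and the write is refused; run as root, both succeed, regardless of what `USER` contains.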