User avatar
NPDedyukhin
Posts: 29
Joined: Fri Sep 20, 2019 3:23 am
Location: RU

Setting privileges for the script

Thu Oct 10, 2019 6:49 am

Good afternoon! :)

Faced such a problem: I execute a command from the shell in a python script.

The command is executed successfully only when I launch it manually through the console using "sudo".

The command is:

Code: Select all

sudo python wifi_scan_01.py
The script itself is as follows:

Code: Select all

import os #обращаемся к оболочке
myCmd = 'iwlist wlan0 scan | grep "ESSID"' #моя команда которая через консоль вывела бы список доступных сетей wifi
os.system (myCmd) #выполняем мою команду
This is unacceptable to me, since in the future this script will be executed without my participation (it will be called from other scripts).

I want to resolve this issue without using "sudo" - as it is considered unsafe, and not entirely correct.

How can I configure privileges specifically for this script so that after its launch the command is executed successfully?

For example, I know that somehow you can use the ".policy" file to configure a specific script. But I don’t know exactly how.
How to use the Polkit library or DBus? :geek:
Respectfully,
Nikita Dedyukhin

User avatar
neilgl
Posts: 1620
Joined: Sun Jan 26, 2014 8:36 pm
Location: Near Aston Martin factory

Re: Setting privileges for the script

Thu Oct 10, 2019 9:58 am

What version of Raspbian and pi are you running it on? On my pi4 running Buster, log in as pi then not using sudo,

Code: Select all

[email protected]:~ $ iwlist wlan0 scan | grep ESSID
                    ESSID:"BlackSabbath"
                    ESSID:"NETGEAR-5G"
                    ESSID:"LedZep"
                    ESSID:"ESP_32E0E8"
And a python script like yours also returns 4 SSID, not run using sudo.

hippy
Posts: 6851
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Setting privileges for the script

Thu Oct 10, 2019 12:01 pm

Your Python program worked for me on a pi 3B using buster without a 'sudo'. But, if you do need to execute something which needs to be 'sudo' you can do that by adding the 'sudo' within the Python code -

Code: Select all

import os
myCmd = 'mkdir /magic'
os.system(myCmd)

Code: Select all

[email protected]:~/tmp $ python2 mk.py
mkdir: cannot create directory '/magic': Permission denied
[email protected]:~/tmp $
Then with the 'sudo' added -

Code: Select all

import os
myCmd = 'sudo mkdir /magic'
os.system(myCmd)

Code: Select all

[email protected]:~/tmp $ python2 mk.py
[email protected]:~/tmp $ ls /
bin   dev  home  lost+found  media  opt   root  sbin  srv  tmp  var
boot  etc  lib   magic       mnt    proc  run   snap  sys  usr
[email protected]:~/tmp $
That Python code can do anything it wants without having to run it with 'sudo' always seemed a little odd and dangerous to me but that's the way it is.

bjtheone
Posts: 463
Joined: Mon May 20, 2019 11:28 pm
Location: The Frozen North (AKA Canada)

Re: Setting privileges for the script

Thu Oct 10, 2019 12:16 pm

Depends on how you have sudo setup. Do you want convenience or security. Unrestricted sudo without requiring a password, is only slightly better than just running as root. However, it is a real Linux system, you can lock it down as tight as you want.

Out of the box, using it as a tinkering and learning platform it makes sense to remove much of the security and simplify things to make it more accessible. Forcing the use of sudo at least points out that some commands have more potential for chaos and mayhem and should at least be double checked.

User avatar
NPDedyukhin
Posts: 29
Joined: Fri Sep 20, 2019 3:23 am
Location: RU

Re: Setting privileges for the script

Thu Oct 10, 2019 2:36 pm

hippy wrote:
Thu Oct 10, 2019 12:01 pm
Your Python program worked for me on a pi 3B using buster without a 'sudo'. But, if you do need to execute something which needs to be 'sudo' you can do that by adding the 'sudo' within the Python code -

Code: Select all

import os
myCmd = 'mkdir /magic'
os.system(myCmd)

Code: Select all

[email protected]:~/tmp $ python2 mk.py
mkdir: cannot create directory '/magic': Permission denied
[email protected]:~/tmp $
Then with the 'sudo' added -

Code: Select all

import os
myCmd = 'sudo mkdir /magic'
os.system(myCmd)

Code: Select all

[email protected]:~/tmp $ python2 mk.py
[email protected]:~/tmp $ ls /
bin   dev  home  lost+found  media  opt   root  sbin  srv  tmp  var
boot  etc  lib   magic       mnt    proc  run   snap  sys  usr
[email protected]:~/tmp $
That Python code can do anything it wants without having to run it with 'sudo' always seemed a little odd and dangerous to me but that's the way it is.

Thanks, earned! ;)
Respectfully,
Nikita Dedyukhin

hippy
Posts: 6851
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Setting privileges for the script

Thu Oct 10, 2019 3:05 pm

hippy wrote:
Thu Oct 10, 2019 12:01 pm
Your Python program worked for me on a pi 3B using buster without a 'sudo'.
But then didn't, and then appeared to work with sudo, but also afterwards without ...

Code: Select all

[email protected]:~/tmp $ iwlist wlan0 scan | grep "SSID"
[email protected]:~/tmp $ iwlist wlan0 scan | grep "SSID"
[email protected]:~/tmp $ iwlist wlan0 scan | grep "SSID"
[email protected]:~/tmp $ sudo iwlist wlan0 scan | grep "SSID"
                    ESSID:"TALKTALK..."
                    ESSID:"VM..."
                    ESSID:"TP-LINK..."
 [email protected]:~/tmp $ iwlist wlan0 scan | grep "SSID"
                    ESSID:"TALKTALK..."
                    ESSID:"VM..."
                    ESSID:"TP-LINK..."
[email protected]:~/tmp $ iwlist wlan0 scan | grep "SSID"
[email protected]:~/tmp $ iwlist wlan0 scan | grep "SSID"
[email protected]:~/tmp $
I suspected it was just coincidence that using 'sudo' and getting a result led to a belief that 'sudo' was required.

Though now it seems to only work without 'sudo' after having been run with a 'sudo'.

Seems it has to be invoked with 'sudo' then non-'sudo' can be used for some period of time thereafter. Weird.

https://linux.die.net/man/8/iwlist

"Triggering scanning is a privileged operation (root only) and normal users can only read left-over scan results".

I guess leftover scan results expire.

User avatar
neilgl
Posts: 1620
Joined: Sun Jan 26, 2014 8:36 pm
Location: Near Aston Martin factory

Re: Setting privileges for the script

Thu Oct 10, 2019 3:32 pm

And is iwlist the old command and the newer iw command has more features?

Code: Select all

sudo iw wlan0 scan | egrep 'SSID|signal'
Last edited by neilgl on Fri Oct 11, 2019 5:32 pm, edited 1 time in total.

User avatar
davidcoton
Posts: 4659
Joined: Mon Sep 01, 2014 2:37 pm
Location: Cambridge, UK

Re: Setting privileges for the script

Thu Oct 10, 2019 5:23 pm

neilgl wrote:
Thu Oct 10, 2019 3:32 pm
And is iwlist the old command and the newer iw command has more features?

Code: Select all

sudo iw wlan0 scan | egrep 'SSID|signal'
Furthermore, it appears (but I have not tested) that iw does not need sudo to scan: see here.
Signature retired

hippy
Posts: 6851
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Setting privileges for the script

Thu Oct 10, 2019 5:26 pm

davidcoton wrote:
Thu Oct 10, 2019 5:23 pm
Furthermore, it appears (but I have not tested) that iw does not need sudo to scan
Seems to need sudo for me ...

Code: Select all

[email protected]:~/apps/wifiscan $ sudo iw wlan0 scan
BSS e4:f4:c6:b1:3c:40(on wlan0)
        last seen: 608285.805s [boottime]
        TSF: 0 usec (0d, 00:00:00)
        ... snip ...
[email protected]:~/apps/wifiscan $ iw wlan0 scan
command failed: Operation not permitted (-1)
While 'iw' does seem more useful, more informative than 'iwlist', 'iwconfig' etc, I do wish developers would provide backwards compatible output so one can simply swap 'iwlist' for 'iw' without having to rewrite everything which parses the output :(
Last edited by hippy on Thu Oct 10, 2019 5:33 pm, edited 1 time in total.

Andyroo

Re: Setting privileges for the script

Thu Oct 10, 2019 5:28 pm

davidcoton wrote:
Thu Oct 10, 2019 5:23 pm
neilgl wrote:
Thu Oct 10, 2019 3:32 pm
And is iwlist the old command and the newer iw command has more features?

Code: Select all

sudo iw wlan0 scan | egrep 'SSID|signal'
Furthermore, it appears (but I have not tested) that iw does not need sudo to scan: see here.
Buster (about a week out of date) does need sudo:

Code: Select all

[email protected]:~ $ iw wlan0 scan | egrep 'SSID|signal'
command failed: Operation not permitted (-1)
[email protected]:~ $ sudo iw wlan0 scan | egrep 'SSID|signal'
	signal: -68.00 dBm
	SSID: VodafoneConnectxxxxxx
	etc

User avatar
davidcoton
Posts: 4659
Joined: Mon Sep 01, 2014 2:37 pm
Location: Cambridge, UK

Re: Setting privileges for the script

Thu Oct 10, 2019 5:30 pm

hippy wrote:
Thu Oct 10, 2019 5:26 pm
davidcoton wrote:
Thu Oct 10, 2019 5:23 pm
Furthermore, it appears (but I have not tested) that iw does not need sudo to scan
Seems to need sudo for me ...

Code: Select all

[email protected]:~/apps/wifiscan $ sudo iw wlan0 scan
BSS e4:f4:c6:b1:3c:40(on wlan0)
        last seen: 608285.805s [boottime]
        TSF: 0 usec (0d, 00:00:00)
        ... snip ...
[email protected]:~/apps/wifiscan $ iw wlan0 scan
command failed: Operation not permitted (-1)
Just proves you can't believe everything you read, even software documentation :lol: :roll:
Signature retired

Andyroo

Re: Setting privileges for the script

Thu Oct 10, 2019 5:36 pm

Did not your mother teach you anything about data on the Internet.

It's only worth the value of the paper it's written on :lol: :?: :lol: :mrgreen:

bjtheone
Posts: 463
Joined: Mon May 20, 2019 11:28 pm
Location: The Frozen North (AKA Canada)

Re: Setting privileges for the script

Fri Oct 11, 2019 12:47 am

While the permission allow the execution, and an unprivileged user can run it if /sbin is in your path, it seems that privileges are required to do anything useful with it. Not quite sure what the point is to set it 755.

Return to “Beginners”