Python Forum
How to use su in a script
#1
I have a script that will run some system commands and they need root level access. I do not want to give the user root access. I want the user to just be able to hit the selection and have the command run. Editing the sudoers file will be cumbersome since I want to install these scripts on many machines. Isn't there a way to either:
Use SU from within the script without having to enter a password
or
editing sudoers from a script to make the installation of the scripts easier?

Thanks for any ideas
Reply
#2
Quote:Use SU from within the script without having to enter a password

Then you have to provide a password in your script or in an additional file.
This is a big security issue.

Quote:editing sudoers from a script to make the installation of the scripts easier?
For the user it's easier, but the user needs root access to edit the sudoers file.
So, Python needs root access to edit /etc/sudoers.

The best way is to let the user edit his sudoers if he wants to.
Then just run all your commands which require root with sudo.

import subprocess


def sudo(command):
    # command is a list of arguments; it is passed to sudo without a shell
    return subprocess.run(["sudo"] + command, capture_output=True, encoding="utf8")

The user has to enter his password only once. Then it's cached with an expiration time.
If he is not in sudoers, he is not allowed to gain root rights.

You can argue with security.
Almost dead, but too lazy to die: https://sourceserver.info
All humans together. We don't need politicians!
Reply
#3
(Nov-12-2020, 03:28 PM)DeaD_EyE Wrote:
Quote:Use SU from within the script without having to enter a password

Then you have to provide a password in your script or in an additional file.
This is a big security issue.

Quote:editing sudoers from a script to make the installation of the scripts easier?
For the user it's easier, but the user needs root access to edit the sudoers file.
So, Python needs root access to edit /etc/sudoers.

The best way is to let the user edit his sudoers if he wants to.
Then just run all your commands which require root with sudo.

import subprocess


def sudo(command):
    # command is a list of arguments; it is passed to sudo without a shell
    return subprocess.run(["sudo"] + command, capture_output=True, encoding="utf8")

The user has to enter his password only once. Then it's cached with an expiration time.
If he is not in sudoers, he is not allowed to gain root rights.

You can argue with security.

Thanks Dead_Eye
We decided to give the user a root password and run the script from the user_profile. Now for my next trick I want to stop them from using Control C or others to stop the script. Haven't figured that one out yet.
Reply
#4
You want to read this: https://docs.python.org/3/library/signal...nal.signal

import signal


# Ignore SIGINT (Ctrl+C); signal.signal() returns the previous handler
old_sigint_handler = signal.signal(signal.SIGINT, signal.SIG_IGN)

For access rights, the server admin can also configure with sudoers single commands to allow them for a normal user.
Another silly way could be Private Key Authentication via SSH on the same host. Then the user can create his public/private key pair and give the public key to the admin. His private key he uses to authenticate via SSH on the same host. Just an idea.
Reply
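
An added example, not code from any poster in this thread: one way to combine the sudo wrapper from post #2 with the per-command sudoers rules mentioned in post #4, so the script can only ever request a fixed set of root commands. The action names, command paths and the user name operator are assumptions made for illustration.

```python
import re
import subprocess

# Hypothetical menu actions; each maps to a fixed argv with an absolute path.
ALLOWED = {
    "restart-web": ["/usr/bin/systemctl", "restart", "nginx.service"],
    "disk-report": ["/usr/bin/du", "-sh", "/var/log"],
}

# Conservative pattern for local account names; rejects aliases such as ALL.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]*")


def sudoers_rules(user):
    """Return sudoers lines that allow `user` exactly the commands in ALLOWED."""
    if not USER_RE.fullmatch(user):
        raise ValueError(f"unexpected user name: {user!r}")
    # A plain join is enough here because none of the arguments contain
    # characters that sudoers treats specially (',', ':', '=', '\\').
    return [f"{user} ALL=(root) NOPASSWD: {' '.join(argv)}"
            for argv in ALLOWED.values()]


def sudo_argv(action):
    """Build the argv for a menu action; anything not in ALLOWED is refused."""
    try:
        command = ALLOWED[action]
    except KeyError:
        raise PermissionError(f"action not allowed: {action!r}") from None
    # -n: never prompt; sudo fails if sudoers does not permit the command.
    return ["sudo", "-n", "--"] + command


def run_action(action):
    """Run an allowed action as root without a shell; returns CompletedProcess."""
    return subprocess.run(sudo_argv(action), capture_output=True,
                          encoding="utf8", timeout=60)


if __name__ == "__main__":
    # An admin writes these lines to a file under /etc/sudoers.d/ and checks
    # it with `visudo -cf <file>` before relying on it.
    print("\n".join(sudoers_rules("operator")))
    print(sudo_argv("disk-report"))
```

Because the rules name full command lines, the user gets no root shell and no root password, and a non-zero returncode from run_action shows that the rule is missing on that machine.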

