Is it possible to give an application read and write permissions to folder and files during its work without giving users which use the application these permission?
i write a software in python which is working with some files. I want to ensure that these files only can manipulate by the software. So my thougt was to create a folder without read an write rights and allowing only the application to read and write in this folder.
Is this possible?
not sure if this helps bit what i would try and do is is set the application to create a local service account first with admin rights then when the application relaunches set it to run run as that service account then any folders created will be via that service account and therefore you can create a folder, modify its permissions to only be managed by that service account, brief steps below
application launches and checks if the service account exists if not then create the service account and assign to relevant admin group, once complete re-launch as that service account
once launched create the relevant directory
modify the directory's settings so all users are removed exp the service account
I think the above might work, good luck!
Related
I got my first flask webapp (hello.py) working (deployed) on Azure. I want to add more functionality to this webapp. According to documentation I am following
(https://medium.com/#nikovrdoljak/deploy-your-flask-app-on-azure-in-3-easy-steps-b2fe388a589e)
I should test my files (hello.py, home.html etc) locally and use git push to send new files to Azure cloud. I should restart my application to see changes.
(1) Is there a way to edit these files on Azure cloud using say emacs ?
(2) Related to (1) on which path do these files exist on Azure ? I clicked on cloudshell and a terminal popped up. It is apparently my home directory. I can see only one directory (clouddrive). I cannot see hello.py. I also went to .scm.azurewebsites.net and clicked on bash. I do get a command prompt but cannot see hello.py.
Thanks.
Under Development Tools you should have App Service Editor (Preview)
If you click on that it should allow you to edit the files via the portal.
I am working on a Python based web application for collaborative xml/document editing, and one requirement from the client is that users should be able to push the files they created (and saved on the server) directly to a Github remote repo, without the need of ever creating a local clone on the server (i.e., no local working directory or tracking of any sort). In GUI terms, this would correspond to going to Github website and manually add the file to the remote repo by clicking the "Upload files" or "create new file" button, or simply edit the existing file on the remote repo on the Github website and then commit the change inside the web browser. I wonder is this functionality even possible to achieve either using some Python Github modules or writing some code from scratch using the Github API or something?
So you can create files via the API and if the user has their own GitHub account, you can upload it as them.
Let's use github3.py as an example of how to do this:
import github3
gh = github3.login(username='foo', password='bar')
repository = gh.repository('organization-name', 'repository-name')
for file_info in files_to_upload:
with open(file_info, 'rb') as fd:
contents = fd.read()
repository.create_file(
path=file_info,
message='Start tracking {!r}'.format(file_info),
content=contents,
)
You will want to check that it returns an object you'd expect to verify the file was successfully uploaded. You can also specify committer and author dictionaries so you could attribute the commit to your service so people aren't under the assumption that the person authored it on a local git set-up.
Python 3.4, Django 1.7, Windows apache 2.4.12
I am trying to list all files on a Windows shared drive (which is restricted to certain users), and later write couple of files to the shared drive.
I am using os.listdir to do this. It works well if I just run the web app on my machine, but once it's deployed on the actual server it will stop working.
The problem is the permission on the Windows shared drive. User has to login first so I do have their username and password.
My question is how to supply os.listdir with username and password?
I tried os.listdir('//windows/share/drive/dir#domanin/username:password') but the system will try to look for the file instead of passing username and password.
Does any one know how to solve this? Or I need to map the drive (how do I map drive with credential?), list files, write files, then disconnect the mapped drive?
Thank you so much.
You should take a look on net use Windows command. It lets you to mount any network resources with given credentials.
Before accessing network resource, you can execute from Python net use command, like this:
net use \\computername\path\to\dir /user:username password
If credentials are correct, network resource will be accessible, and os.listdir() will work.
There can be some issues if given resource was already mounted with different credentials. In such case you should unmount them first (net use \\computername\path\to\dir /delete)
According to the Python manual os.listdir(path) only takes the path name as the argument. It probably works for you locally using the Django test server as permissions are different in that environment than using a production webserver like Apache or Nginx. Try looking at the following pre-existing related SO questions and answers - they might offer you some guidance, especially on a Win box:
What is the best way to map windows drives using Python?
python copy files to a network location on Windows without mapping a drive
I'm just about getting started on deploying my first live Django website, and I'm wondering how to set the Ubuntu server file permissions in the optimal way for security, whilst still granting the permissions required.
Firstly a question of directories: I'm currently storing the site in ~/www/mysite.com/{Django apps}, but have often seen people using /var/www/... or /srv/www; is there any reason picking one of these directories is better than the other? or any reason why keeping the site in my home dir is a bad idea?
Secondly, the permissions of the dir and files themselves. I'm serving using apache with mod_wsgi, and have the file WSGIScriptAlias / ~/www/mysite.com/mainapp/wsgi.py file. Apache runs as www-data user. For optimal security who should own the wsgi.py file, and what permissions should I grant it and its containing dir?
Similarly, for the www, www/mysite.com, and www/mysite.com/someapp directories? What are the minimal permissions that are needed for the dirs and files?
Currently I am using 755 and 644 for dir and files respecitvely, which works well enough which allows the site to function, but I wonder if it is optimal/too liberal. My Ubuntu user is the owner of most files, and www-data owns the sqlite dbs.
In regards to serving the application from your home directory, this is primarily preference based. However, deployment decisions may be made depending on the situation. For example, if you have multiple users making use of this server to host their website, then you would likely have the files served from their home directories. From a system administrator's perspective that is deploying the applications; you may want them all accessible from /var/www... so they are easier to locate.
The permissions you set for serving the files seem fine, however they may need to run as different users... depending on the number of people using this machine. For example, lets say you have one other application running on the server and that both applications run as www-data. If the www-data user has read permissions of Django's config file, then the other user could deploy a script that can read your database credentials.
I'm writing a web application in Python (on Apache server on a Linux system) that needs to connect to a Postgres database. It therefore needs a valid password for the database server. It seems rather unsatisfactory to hard code the password in my Python files.
I did wonder about using a .pgpass file, but it would need to belong to the www-data user, right? By default, there is no /home/www-data directory, which is where I would have expected to store the .pgpass file. Can I just create such a directory and store the .pgpass file there? And if not, then what is the "correct" way to enable my Python scripts to connect to the database?
No matter what approach you use, other apps running as www-data will be able to read your password and log in as you to the database. Using peer auth won't help you out, it'll still trust all apps running under www-data.
If you want your application to be able to isolate its data from other databases you'll need to run it as a separate user ID. The main approaches with this are:
Use the apache suexec module to run scripts as a separate user;
Use fast-cgi (fcgi) or scgi to run the cgi as a different user; or
Have the app run its own minimal HTTP server and have Apache reverse proxy for it
Of these, by far the best option is usually to use scgi/fcgi. It lets you easily run your app as a different unix user but avoids the complexity and overhead of reverse proxying.
Install the application and its config files in its own directory different from the static files directory and only readable by the application user.
Set another user to run the application and use the WSGIDaemonProcess directive.
All of that and much more is clearly described in the mod_wsgi site, in the Quick Configuration Guide, Configuration Guidelines and Configuration Directives