Is there any way to do Interactive Service in Windows 7 (Python)? - python

I've been able to create a windows service using Python and following this tutorial:
http://ryrobes.com/python/running-python-scripts-as-a-windows-service/
However I tried to implement a script in this that opens up a new Outlook mail via COM. This script works outside of the service but I seem to have traced the problem back to this line:
obj = win32com.client.Dispatch("Outlook.Application")
On looking into this further, it seems that with UAC in Vista and Windows 7 came blocking of services interacting with users.
More Info - http://msdn.microsoft.com/en-us/library/windows/desktop/ms683502%28v=vs.85%29.aspx
So my question is: what's the best way around this?
I have a python script that works when I ensure to turn it on, but leaving a batch/cmd file in the startup directory seems kinda wrong.
Thanks in advance for any ideas!
Windows 7 x64 (I'm also bound by Enterprise Group policy. I have local admin rights only)

Your 'more info' link describes two techniques that might, maybe, be achievable:
"Display a dialog box in the user's session using the WTSSendMessage function"
"Create a separate hidden GUI application and use the CreateProcessAsUser function to run the application within the context of the interactive user. ..."
But as mentioned in these answers and Simon Mourier's comment, the most straightforward solution is probably service + background-process-in-user-session + IPC.
Moreover, if you're trying to create a new email via Outlook, you probably want/need something running in the user's session anyway to have proper context.
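A sketch of the service + user-session process + IPC split this answer recommends, as an added example that is not from the original posts. The key, the compose_mail action, the field names and the compose callback are hypothetical; the callback is where the user-session agent would make the win32com call from the question.

```python
import json
from multiprocessing.connection import Client, Listener

# Assumptions for this sketch: key, action name and field names are hypothetical.
AUTHKEY = b"constructed-demo-key"   # constructed; use a per-install random secret
ALLOWED_FIELDS = {"to", "subject", "body"}
MAX_MSG = 64 * 1024                 # cap on the size of one message


def handle_request(req, compose):
    """Agent side: accept only the one known action and known string fields."""
    if not isinstance(req, dict) or req.get("action") != "compose_mail":
        return {"ok": False, "error": "action not allowed"}
    fields = {k: v for k, v in req.items() if k != "action"}
    if not set(fields) <= ALLOWED_FIELDS or not all(
            isinstance(v, str) for v in fields.values()):
        return {"ok": False, "error": "bad fields"}
    compose(**fields)  # in the user's session this is where the Outlook COM call runs
    return {"ok": True}


def serve_once(listener, compose):
    """Agent side: runs in the logged-on user's session and handles one request."""
    with listener.accept() as conn:  # accept() performs the authkey handshake
        # JSON over send_bytes/recv_bytes avoids the pickle used by send()/recv().
        req = json.loads(conn.recv_bytes(MAX_MSG).decode("utf-8"))
        conn.send_bytes(json.dumps(handle_request(req, compose)).encode("utf-8"))


def send_request(address, req):
    """Service side: runs in session 0 and never touches the desktop or COM."""
    with Client(address, authkey=AUTHKEY) as conn:
        conn.send_bytes(json.dumps(req).encode("utf-8"))
        return json.loads(conn.recv_bytes(MAX_MSG).decode("utf-8"))
```

The agent creates the listener with `Listener(authkey=AUTHKEY)`, which on Windows defaults to a named pipe, and the service connects to `listener.address`.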

Related

Zope Legacy Code - Accessing DA Functions

We're working with an older zope version (2.10.6-final, python 2.4.5) and working with a database adapter called ZEIngresDA. We have an established connection for it, and the test function shows that it is totally functional and can connect and run queries.
My job is to change the way that the queries are actually executing, so that they're properly parameterizing variables to protect against sql injection. With that said, I'm running into a security issue that I'm hoping someone can help with.
connection = container.util.ZEIngresDAName()
#returning connection at this point reveals it to be of type ZEIngresDA.db.DA,
#which is the object we're looking for.
connection.query("SELECT * from data WHERE column='%s';", ('val1',))
#query is a function that is included in class DA, functions not in DA throw errors.
Here we run into the problem. Testing this script brings up a login prompt that, when logged into, immediately comes up again. I recognize that this is likely some type of security setting, but I've been unable to find anything online about this issue, though this old of zope documentation isn't spectacular online anyways. If this sounds familiar to you or you have any ideas, please let me know.
I have some experience using Zope2 but it's hard to give a good answer with the limited information you've posted. I'm assuming here that you're using a Python script within the ZMI.
Here's a list of things I would check:
Are you logged into the root folder rather than a sub folder in the ZMI? This could cause a login prompt as you're requesting a resource that you do not have access to use.
In the ZMI double check the "security" tab of the script you're trying to run to ensure that your user role has permission to run the script.
Whilst you're there check the "proxy" tab to ensure that the script itself has permission to call the functions within it.
Also worth checking that the products you're trying to use were installed by a user which is still listed in the root acl_user folder - from memory this can cause issues with the login prompt.
Best of luck to you - happy (also sad) to hear that there's at least one other Zope user out there!

Create an 'Open URL' Mac OS X keyboard shortcut via a Service in Python program?

Summary. I want to create an 'Open URL' Mac OS X keyboard shortcut in a Python program. This keyboard shortcut opens any URLs found in any currently-selected text. Enables the user to not have to laboriously "copy and paste" every selected URL into a different web-browser tab.
I'm guessing this requires "calling" said Mac OS Service, but I'm not sure. How to do this? MacVim and many other programs already do this: http://bit.ly/MacVim-OpenURL-shortcut
Details:
The few Mac OS X Service programming docs I see appear complex, with few if any examples for what I seek, and appear to focus more on creating the service. Hard to tell since it seems too cryptic. I'm hoping that "calling" the service (or whatever) is relatively simple.
My background: I used to be an experienced C/C++/etc and Linux/etc sysadmin in a past life. Now I'm more of a "business" person / MacOS superuser who hacks up Python scripts when other team resources are not available. Therefore, I'm not looking to become an expert in "MacOS system programming." Rather, with this question, I'm focusing on adding the above small feature to an existing, Python-based program.

Is it possible to import a module in python without using "import" or "eval"? [duplicate]


Restarting IIS6 - Python

I'm serving a Django app behind IIS 6. I'm wondering if I can restart IIS 6 within Python/Django and what one of the best ways to do so would be.
Help would be great!
Besides what's already suggested, you can also use WMI via either the Win32_Service or the IIsWebService class, which inherits from it. There is a Python WMI wrapper available, which is based on pywin32.
UPDATE: A quick test of the following worked for me.
import wmi
c = wmi.WMI()
# Stop the IIS web publishing service (W3SVC).
for service in c.Win32_Service(Name="W3SVC"):
    result, = service.StopService()
I didn't test the next piece of code, but something like this should also work:
for service in c.IIsWebService():
    result, = service.StopService()
You can see the documentation for the return values from the StopService and StartService methods.
The following post shows how to control Windows services from Python: http://fuzzytolerance.info/code/using-python-to-manage-windows-services/
You should be able to use that to restart the IIS web publishing service (known as 'w3svc').
I think that you can execute an iisreset via a commandline. I've never tried that with Django but it should work and be quite simple to implement.

Letting users upload Python scripts for execution

I understand that letting any anonymous user upload any sort of file in general can be dangerous, especially if it's code. However, I have an idea to let users upload custom AI scripts to my website. I would provide the template so that the user could compete with other AIs in an online web game I wrote in Python. I either need a solution to ensure a user couldn't compromise any other files or inject malicious code via their uploaded script or a solution for client-side execution of the game. Any suggestions? (I'm looking for a solution that will work with my Python scripts)
I am in no way associated with this site and I'm only linking it because it tries to achieve what you are getting after: jailing of python. The site is codepad.
According to the about page it is run under geordi and traps all sys calls with ptrace. In addition to being chroot'ed they are on a virtual machine with firewalls in place to disallow outbound connections.
Consider it a starting point but I do have to chime in on the whole danger thing. Gotta CYA myself. :)
Using PyPy you can create a python sandbox. The sandbox is a separate and supposedly secure python environment where you can execute their scripts. More info here
http://codespeak.net/pypy/dist/pypy/doc/sandbox.html
"In theory it's impossible to do anything bad or read a random file on the machine from this prompt."
"This is safe to do even if script.py comes from some random untrusted source, e.g. if it is done by an HTTP server."
Along with other safeguards, you can also incorporate human review of the code. Assuming part of the experience is reviewing other members' solutions, and everyone is a python developer, don't allow new code to be activated until a certain number of members vote for it. Your users aren't going to approve malicious code.
Yes.
Allow them to script their client, not your server.
PyPy is probably a decent bet on the server side as suggested, but I'd look into having your python backend provide well defined APIs and data formats and have the users implement the AI and logic in Javascript so it can run in their browser. So the interaction would look like: For each match/turn/etc, pass data to the browser in a well defined format, provide a javascript template that receives the data and can implement logic, and provide web APIs that can be invoked by the client (browser) to take the desired actions. That way you don't have to worry about security or server power.
Have an extensive API for the users and strip all other calls upon upload (such as import statements). Also, strip everything that has anything to do with file i/o.
(You might want to do multiple passes to ensure that you didn't miss anything.)
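An upload-time check in the spirit of the last answer, as an added example that is not from the original posts: it rejects a script instead of stripping text from it, and it inspects the parsed syntax tree so that aliased or indirectly referenced builtins are caught too. The allowlist and the sample scripts are hypothetical, and the check is a pre-filter that sits in front of the process isolation the other answers describe, not a replacement for it.

```python
import ast
import builtins

# Hypothetical allowlist: the only builtins an uploaded AI script may reference.
ALLOWED_BUILTINS = {"len", "range", "min", "max", "sum", "abs", "sorted", "enumerate"}
BUILTIN_NAMES = set(dir(builtins))


def check_upload(source):
    """Return sorted (line, reason) violations; an empty list means it passed."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError) as exc:
        return [(getattr(exc, "lineno", None) or 0, "syntax error")]
    problems = []
    for node in ast.walk(tree):
        line = getattr(node, "lineno", 0)
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            problems.append((line, "import statement"))
        elif isinstance(node, ast.Name):
            # Covers open, eval, exec, getattr and __import__ even when they are
            # only aliased or passed as an argument and never called by name.
            if node.id in BUILTIN_NAMES - ALLOWED_BUILTINS or node.id.startswith("__"):
                problems.append((line, "forbidden name: " + node.id))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            problems.append((line, "private attribute: " + node.attr))
    return sorted(problems)


# Constructed sample uploads.
GOOD_AI = """
def choose_move(state):
    best = max(state.legal_moves, key=lambda m: m.score)
    return best
"""
BAD_AI = """
import os
def choose_move(state):
    reader = open
    helper = __import__("os")
    return state.__class__
"""

if __name__ == "__main__":
    for name, src in (("good", GOOD_AI), ("bad", BAD_AI)):
        print(name, check_upload(src))
```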
