Ubuntu execute python script at logon as root after user logon

mythtvpythonsudoUbuntu

I've installed MythBuntu on a computer.
MythTV doesn't support the Asus AI remote IR receiver so i searched for possible solutions.
One of them was a Python script that acts as a bridge between a terminal window and and the focused application.

It needs to be executed by a regular user bjorn with root privileges (sudo) between the user logging on and MythTV getting loaded without asking for a password. So far i've tried putting python Linux_Asus_AI_remote.py, sudo Linux_Asus_AI_remote.py, sudo python Linux_Asus_AI_remote.py in /etc/rc.local

Questions:

It should be executed after the user logs on, MythTV is launched automatically and receives focus hereby receiving the keystrokes generated from Linux_Asus_AI_remote.py

is rc.local executed before or after a user logging on to the system?
How should i safely execute the script with root privileges without asking the user for a password? (Keep in mind that the application must keep running in the background and the user -when needing additional privileges- still needs to be asked for a password.)

Script test:

After a user logs on, i started a terminal window and entered sudo python Linux_Asus_AI_remote.py. Everything runs fine once i have entered the right password and gave focus to MythTV.

It shouldn't terminate the script after 15 minutes and the user should still need to enter a password in order to get additional permissions.

Thanks in advance.

Best Answer

rc.local is run at system boot, so well before a user logs on.

You have two options for running the script. One is to use visudo(8) to set up the command to allow to be run, with a NOPASSWD: tag in the command entry, and then just use sudo to start the command, perhaps from /etc/profile and whatever other files are needed for whichever shells people might use. It might be as simple as dropping something in /etc/profile.d/ if that exists. Eg, if everyone who logs in will be in group video then when you run visudo you'd want a rule like:

%video  ALL=NOPASSWD: /path/to/Linux_Asus_AI_remote.py

and then you'd invoke with:

sudo /path/to/Linux_Asus_AI_remote.py

The other option is to use pam_exec to run a command after login while still root; it's cleaner but more dangerous because if you make mistakes you can hose your system and be unable to login. If you want to examine this, read up on the PAM modules and how authentication and authorisation work and look in /etc/pam.d/; also, think carefully about how you'll restrict this to only happen for appropriate users.

Whichever method you choose, you'll probably want to make sure that this does not happen if logging in as root, to reduce the gunk that's involved in letting the admin user get into the system.

Related Solutions

Python – Secure method of changing a user’s password via Python script/non-interactively

You pass the password in the command line you are executing. Those may probably be visible not only in your terminal, but also by other users issuing 'ps' command (that may depend on the system configuration). And the password is plain text.

I don't know Fabric, but if it gives you a possibility to communicate with executed commands via their stdin/stdout (like subprocess.Popen()), then it would be probably a better choice to use that instead of 'echo username:password|...'.

Also, you may chose to create the password hash in your Python script (using the crypt module and "$1$XXXXXXXX$" ("X" are random characters) salt) and pass that to chpasswd -e. The plain text password will never be displayed or logged then.

You generate the password hash with the crypt module like so:

import crypt
p='secretpassword'
print(crypt.crypt(p))

And you can pass the output to chpasswd -e like this:

`echo 'someusername:passwordhash' | chpasswd -e`

Ubuntu – How to run a script in Ubuntu via SSH as superuser

You can ssh in using key-based only authentication, and then edit the sudoers file not to require a password. This will eliminate the password at the two steps you described.

To see up ssh key based ssh access:

ssh-keygen
ssh-copy-id dest-server

And the for the sudoers file:

sudo visudo -f /etc/sudoers
#uncomment the following and then add yourself to the sudo group
# %sudo ALL=NOPASSWD: ALL

Better would be to require no password for sudo only for the commands you need to automate this particular function. See my answer here for that.

References:
Setting up a user without a password

How do you setup ssh to authenticate using keys instead of a username / password?

Best Answer

Related Solutions

Python – Secure method of changing a user’s password via Python script/non-interactively

Ubuntu – How to run a script in Ubuntu via SSH as superuser

Related Topic