Rootwrap - python - write to root only owned file
Hi,
I have a file, owned by root, with read/write permissions for the root user only. (600 permissions).
I have been trying, unsuccessfully, to set up Rootwrap so that python can open this file when running as the nova user.
I followed the setup procedures here: https://wiki.openstack.org/wiki/Rootwrap
I am aware of the oslo execute method (run_as_root=True) but am unsure of how to set this up, plus it doesn't seem necessary if I had Rootwrap configured properly.
Any help, or even better, links to examples of writing to a file owned by root (with 600 permissions) in python as the nova user would be great!
Thank you.
What I have done so far:
1) Ensured /etc/nova/rootwrap.conf exists and is owned and writeable only by root
2) Modified nova.conf:
- commented out this line: root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
- added this line: rootwrap_config=/etc/nova/rootwrap.conf
3) sudoers:
- added this line (at the bottom below all defaults): nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
4) added an entry to compute.filters in /etc/nova/rootwrap.d:
- python: CommandFilter, python, root
5) Restarted nova-compute:
- service nova-compute restart
My Python code that is failing is like this; it fails on the with open():
try:
    # interfaceAddModule, vif and LOG come from the surrounding nova code (not shown in the post)
    with open(interfaceAddModule, 'w') as f:
        f.write('%s %s' % (vif['devname'], vif['id']))
except IOError as e:
    LOG.info('Unable to open %s, exception: %r', interfaceAddModule, e)
Can you show us what you've tried so far?
So...how are you trying to acquire elevated privileges? I don't see that from the code example.
Well, this probably shows my lack of understanding of how Rootwrap works. I thought the elevated privileges would come via the command filter entry for python, and the fact that python exists in /usr/bin which is part of the exec_dirs entry.
How does one explicitly gain elevated privileges?
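Rootwrap is a sudo-launched helper that runs one whitelisted command as root; it never raises the privileges of the nova-compute process itself, so the open() in the posted code still runs as the nova user, and the way to get a root-owned file written is execute(..., run_as_root=True) with a command that a filter admits. The model below is an added example, not code from the question or from nova/oslo.rootwrap: it reproduces the filter matching and the root_helper prefix, using constructed filter lines and a hypothetical /etc/nova/interfaces path, and shows why the "python" CommandFilter from step 4 admits any script while a RegExpFilter pins tee to one directory.

```python
# Added example: a minimal model of rootwrap's filter matching and of the argv that
# execute(run_as_root=True) hands to sudo. Not nova's or oslo.rootwrap's own code.
import os
import re
import shlex

ROOT_HELPER = "sudo nova-rootwrap /etc/nova/rootwrap.conf"  # nova's root_helper string

# Constructed filter lines in compute.filters syntax:
#   name: Type, exec_path, user[, one regex per argv element for RegExpFilter]
FILTER_LINES = [
    "python: CommandFilter, python, root",  # the asker's entry: matches ANY python invocation
    "tee: RegExpFilter, /usr/bin/tee, root, tee, /etc/nova/interfaces/[A-Za-z0-9_.-]+",
]


def parse_filters(lines):
    """Turn filter lines into (name, type, exec_path, user, arg_regexes) tuples."""
    filters = []
    for line in lines:
        name, rest = line.split(":", 1)
        fields = [f.strip() for f in rest.split(",")]
        filters.append((name.strip(), fields[0], fields[1], fields[2], fields[3:]))
    return filters


def match_filter(filters, argv):
    """Return the name of the first filter that admits argv, or None if rootwrap would refuse it."""
    for name, ftype, exec_path, _user, regexes in filters:
        if ftype == "CommandFilter":
            # CommandFilter compares only the command basename; the arguments are unrestricted,
            # which is why "python: CommandFilter, python, root" lets any script run as root.
            if os.path.basename(argv[0]) == os.path.basename(exec_path):
                return name
        elif ftype == "RegExpFilter":
            # RegExpFilter needs exactly one anchored regex per argv element, argv[0] included.
            if len(argv) == len(regexes) and all(
                    re.match(pat + "$", arg) for pat, arg in zip(regexes, argv)):
                return name
    return None


def root_command(cmd, root_helper=ROOT_HELPER):
    """What execute(run_as_root=True) runs: the root_helper tokens prepended to the command."""
    return shlex.split(root_helper) + list(cmd)


def write_as_root_argv(path, data):
    """Argv and stdin payload for writing data to a root-owned file through a filtered tee."""
    return root_command(["tee", path]), data  # data is passed as process_input, not on the argv
```

Running the tee command for real requires the sudoers entry from step 3 and a matching "tee" filter in /etc/nova/rootwrap.d; the model only decides what rootwrap would admit.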