LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-16-2023, 09:41 PM   #1
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 2,167

allow users to execute a Python File but not read


Hi guys,

Is it possible to allow users to run/execute a Python file but not allow them to read its content?

I tried the --x permission; the Python file will not run.

With r-x, the Python file will run, but of course they can view and see the contents of the file.

I searched the web; one way is to create a user with a sudo account, no password and no shell login.

Change the permission of the Python file to 700 and assign it to the sudo account as per above.

Then create a file in /etc/sudoers.d/ to allow a sudo user to run the Python file.

It works: the user is not able to view the contents of the file and is able to execute it.

However, the file has to be used by all users on the system.

It will be a security risk to allow all users to run the file as sudoers.

Any other methods to do this? Allow users to run/execute the Python file but don't allow them to view the contents of the file. Thanks.
 
Old 10-16-2023, 10:29 PM   #2
jmgibson1981
Senior Member
 
Registered: Jun 2015
Location: Tucson, AZ USA
Distribution: Debian
Posts: 1,150

Is there a way to change the sensitive contents to a compiled language then just call that from your python file? Then the stuff they don't need to see or know is hidden in the object file of whatever you call.
 
1 members found this post helpful.
Old 10-17-2023, 01:03 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,345
Blog Entries: 3

Quote:
Originally Posted by JJJCR View Post
It will be a security risk by allowing all users as sudoer to run the file.
I'd second the recommendation to look into compiling it, but will digress about the misinterpretation of /etc/sudoers above:

sudo does not have to run as root, it does not have to allow all programs to run either.

First, create an empty group and then set the permissions for your script:

Code:
# create the empty group that will own the script
groupadd piy
# root owns it, group 'piy' may read and execute, everyone else gets nothing
chown root:piy /usr/local/bin/script.py
chmod u=rwx,g=rx,o= /usr/local/bin/script.py
Next, configure /etc/sudoers:

Code:
%change ALL=(:piy) /usr/local/bin/script.py ""
That allows the empty group 'piy' to run the script but since no accounts are in it, only those in the group 'change' can run the script via sudo with the -g option. The "" means that the script must be run without any options. Then add people to the group 'change' who you want to run the script.

Code:
sudo -g piy /usr/local/bin/script.py
That can be wrapped in a script, a shell alias, or a shell function for a shortcut.

Last edited by Turbocapitalist; 10-17-2023 at 01:08 AM. Reason: link to compiling python
 
1 members found this post helpful.
Old 10-17-2023, 01:24 AM   #4
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 22,022

Quote:
Originally Posted by JJJCR View Post
It will be a security risk by allowing all users as sudoer to run the file.
No, why? If you allow anyone to run only that single command. Otherwise you can write a shell script, which will execute the python script (with config and whatever required) and you need to allow to execute only that shell script.
Quote:
Originally Posted by JJJCR View Post
Any other methods to do this? allow user to run/execute the Python file but don't allow them to view the contents of the file. Thanks.
The files which are used by script languages should be readable, because the interpreter is the real executable and it needs to read the script itself (using the credentials of the current user). You might try a setuid executable, but it is definitely not secure, not better than the sudoer setup.
 
1 members found this post helpful.
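The group-based sudo setup from posts #3 and #4 (an empty group that owns the script, a rule limited to one command run as that group, and the single-command idea) written out as a repeatable install script with a validation step. This is an added example, not code from the thread or from sudo's documentation; the group names piy and change and the path /usr/local/bin/script.py are placeholders taken from post #3, and the SUDOERS_DIR variable is an assumption added here so the fragment-handling functions can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the thread): Turbocapitalist's recipe as a repeatable
# install script with a validation step. Names are placeholders from post #3:
#   OWNER_GROUP  'piy'    - empty group that owns the script (group-readable)
#   RUNNER_GROUP 'change' - users allowed to run it via sudo -g
# SUDOERS_DIR is an assumption added here so the fragment functions can be
# exercised in a scratch directory without root.
set -eu

SCRIPT_PATH="${SCRIPT_PATH:-/usr/local/bin/script.py}"
OWNER_GROUP="${OWNER_GROUP:-piy}"
RUNNER_GROUP="${RUNNER_GROUP:-change}"
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# The single sudoers rule: members of RUNNER_GROUP may run exactly SCRIPT_PATH
# with no arguments ("") as group OWNER_GROUP. No root is granted anywhere.
sudoers_rule() {
    printf '%%%s ALL=(:%s) %s ""\n' "$RUNNER_GROUP" "$OWNER_GROUP" "$SCRIPT_PATH"
}

# Write the rule as a drop-in fragment. sudo skips files in sudoers.d whose
# name contains a '.' or ends in '~', and refuses files that are writable by
# others, so the name and the 0440 mode matter. Prints the fragment path.
write_sudoers_fragment() {
    frag="$SUDOERS_DIR/$1"
    ( umask 077; sudoers_rule > "$frag" )
    chmod 0440 "$frag"
    # A syntax error in sudoers can lock everyone out of sudo, so check the
    # fragment before relying on it (only meaningful as root, where visudo
    # can also verify ownership).
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$frag" >/dev/null
    fi
    printf '%s\n' "$frag"
}

# Returns 0 only if the fragment is exactly mode 0440 and holds the rule.
check_sudoers_fragment() {
    frag="$1"
    [ -n "$(find "$frag" -perm 440 2>/dev/null)" ] || return 1
    [ "$(cat "$frag")" = "$(sudoers_rule)" ]
}

# Full install, to be run as root: create the groups if missing, install the
# script owned by root:OWNER_GROUP with mode 0750 (u=rwx,g=rx,o=), then add
# the sudoers rule. Users outside OWNER_GROUP cannot open the file directly.
install_protected_script() {
    src="$1"
    getent group "$OWNER_GROUP"  >/dev/null || groupadd "$OWNER_GROUP"
    getent group "$RUNNER_GROUP" >/dev/null || groupadd "$RUNNER_GROUP"
    install -o root -g "$OWNER_GROUP" -m 0750 "$src" "$SCRIPT_PATH"
    write_sudoers_fragment "10-${OWNER_GROUP}-script"
}

# Usage as root:            install_protected_script ./script.py
# Then, as a 'change' user: sudo -g piy /usr/local/bin/script.py
# Check what sudo grants:   sudo -l
```

Two points worth keeping in mind when using this: the process launched through `sudo -g piy` still runs with the caller's own uid, only its group changes, so the arrangement hides the file's text from direct reads by other users but grants nothing else. And, as pan64 notes, the interpreter has to read the script, so a secret the script needs at runtime is still available to that running process; keep such secrets in a separately protected file or service rather than in the script body.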
Old 10-17-2023, 03:07 AM   #5
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 2,167

Original Poster
Thank you guys for all the great ideas.
 
Old 10-19-2023, 06:42 PM   #7
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,249

What's the threat model here? Did you hardcode passwords into the Python script or something?

And anyway, no you can't do what you're asking. Some options (other than the ones suggested) include:

Putting the script in a Docker:

https://www.docker.com/blog/how-to-d...-applications/

Putting the script in an AppImage:

https://github.com/AppImage/AppImage...-not-for-users

Neither will prevent users from reading the script, but they do add a layer of discouragement.

Last edited by dugan; 10-21-2023 at 10:31 AM.
 
1 members found this post helpful.
Old 10-19-2023, 08:42 PM   #8
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 2,167

Original Poster
@Dugan, yes indeed containerization will definitely help, good idea!
 
All times are GMT -5.