在lighttpd上使用sudo运行python cgi脚本

2024-03-28 21:09:37 发布

您现在位置:Python中文网/ 问答频道 /正文

谢谢你的阅读

我将一个adafruit Neopix连接到我的Raspberry Pi Zero(1.generation)上,并让它们使用测试python代码

作为下一步,我想生成一个带有控制Neopix的按钮的网页。 我主要遵循了本教程 https://www.hackster.io/mjrobot/iot-controlling-a-raspberry-pi-robot-over-internet-6988d4#toc-step-5--installing-the-lighttpd-webserver-8

起初,我运行了一个简单的bash cgi脚本,它创建并将当前时间写入一个文件。 切换到PythonCGI脚本相当容易,没有更改任何配置文件,这让我感到疑惑。 但是从html运行测试python代码根本不起作用。 和以前的问题一样,我开始阅读和修补,但似乎我尝试的任何解决方案都不适合我

我无法记述(过去几天在这方面的工作和阅读)我所做的一切,但 我向sudoer组添加了www数据,在/etc/sudoers.d目录中创建了一个名为010_www-data-nopasswd的文件,其中www-data ALL=(ALL) NOPASSWD: ALL作为内容

我将www数据添加到组gpio、i2c和spi中。 我跑 sudo visudo 并补充说 www-data ALL=(ALL:ALL) ALLwww-data ALL = NOPASSWD: /var/www/lighttpd/cgi-bin/neopixelTest.py 但还是不行

我尝试用bash cgi脚本调用带有sudo的测试python脚本,效果很好!所以我认为归结起来就是这个

我已经读到,在配置文件中有一行类似于".py" => "/usr/bin/python"的代码,告诉lighty为以.py结尾的cgi脚本调用/usr/bin/python,所以我想到了将sudo放在这一行中的想法,这样基本上每个python脚本都可以作为sudo运行。真的不是一件好事,但我认为整个项目比作为root运行lighty更快、更脏、更好。但是我找不到这条线

这是我的/etc/lighttpd/lighttpd.conf文件

 1 server.modules = (
 2     "mod_indexfile",
 3     "mod_access",
 4     "mod_alias",
 5     "mod_redirect",
 6 )
 7
 8 server.document-root        = "/var/www/lighttpd"
 9 server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
10 server.errorlog             = "/var/log/lighttpd/error.log"
11 server.pid-file             = "/var/run/lighttpd.pid"
12 server.username             = "www-data"
13 server.groupname            = "www-data"
14 server.port                 = 80
15
16 # strict parsing and normalization of URL for consistency and security
17 # https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
18 # (might need to explicitly set "url-path-2f-decode" = "disable"
19 #  if a specific application is encoding URLs inside url-path)
20 server.http-parseopts = (
21   "header-strict"           => "enable",# default
22   "host-strict"             => "enable",# default
23   "host-normalize"          => "enable",# default
24   "url-normalize-unreserved"=> "enable",# recommended highly
25   "url-normalize-required"  => "enable",# recommended
26   "url-ctrls-reject"        => "enable",# recommended
27   "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
28  #"url-path-2f-reject"      => "enable",
29   "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
30  #"url-path-dotseg-reject"  => "enable",
31  #"url-query-20-plus"       => "enable",# consistency in query string
32 )
33
34 index-file.names            = ( "index.php", "index.html" )
35 url.access-deny             = ( "~", ".inc" )
36 static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
37
38 compress.cache-dir          = "/var/cache/lighttpd/compress/"
39 compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )
40
41 # default listening port for IPv6 falls back to the IPv4 port
42 include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
43 include_shell "/usr/share/lighttpd/create-mime.conf.pl"
44 include "/etc/lighttpd/conf-enabled/*.conf"
45
46 #server.compat-module-load   = "disable"
47 server.modules += (
48     "mod_compress",
49     "mod_dirlisting",
50     "mod_staticfile",
51 )

这是我的/etc/lighttpd/conf-enabled/10-cgi.conf文件


 1 # /usr/share/doc/lighttpd/cgi.txt
 2
 3 server.modules += ( "mod_cgi" )
 4
 5 $HTTP["url"] =~ "^/cgi-bin/" {
 6     cgi.assign = ( "" => "" )
 7     alias.url += ( "/cgi-bin/" => "/var/www/lighttpd/cgi-bin/" )
 8 }
 9
10 ## Warning this represents a security risk, as it allow to execute any file
11 ## with a .pl/.py even outside of /usr/lib/cgi-bin.
12 #
13 #cgi.assign      = (
14 #   ".pl"  => "/usr/bin/perl",
15 #   ".py"  => "/usr/bin/python",
16 #)
17

我知道,有".py" => "/usr/bin/python"行,但它被注释掉了

这是我的/etc/lighttpd/conf-enabled/10-fastcgi.conf文件

 1 # /usr/share/doc/lighttpd/fastcgi.txt.gz
 2 # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi
 3
 4 server.modules += ( "mod_fastcgi" )
 5

我觉得这整件事都没有用fastcgi

最后,这是我的html文件

 1 <!DOCTYPE html>
 2 <html>
 3     <head>
 4
 5         <!-- answer to favicon.ico request, see https://stackoverflow.com/a/38917888/15081525  -->
 6         <link rel="icon" href="data:,">
 7
 8         <meta charset="utf-8">
 9         <!-- description for google -->
10         <meta name="description" content="This is a website to control the RPi zero">
11         <title>RPi Zero index</title>
12     </head>
13
14     <style>
15         body {background-color: lightyellow}
16         h1 {color:blue}
17         button {
18             color: black;
19             background: lightgrey;
20             border: 1px solid #000;
21             border-radius: 8px;
22             position: center;
23         }
24     </style>
25
26     <body>
27         <div style="text-align:center">
28             <h1>Hello world!</h1>
29             <br>
30             <p>please press test button</p>
31             <br>
32             <button onclick="alerttest('hello world!')">Alert!</button>
33             </p>
34             <button onclick="alert('wazzup!')">wazzup!</button>
35             </p>
36             <!-- button to call .cgi-script - it works  -->
37             <button style="height: 50px; width: 125px; font-size: 25px" onclick="test_func()">test</button>
38             </p>
39             <!-- button to call .cgi-script which calls python scripts - it works  -->
40             <button style="height: 50px; width: 125px; font-size: 25px" onclick="test_func2()">test2</button>
41             </p>
42             <!-- button to call python script directly - it works  -->
43             <button style="height: 50px; width: 125px; font-size:25px" onclick="test_py()">python</button>
44             </p>
45             <!-- button to call neopixelTest.py  -->
46             <button style="height: 50px; width: 125px; font-size:25px" onclick="test_neopixel()">neopixel</button>
47
48             <!--
49             <img src="/hello.png">
50             -->
51
52         </div>
53
54         <script>
55             var xmlhttp;
56             xmlhttp=new XMLHttpRequest();
57
58             function test_func() {
59                 xmlhttp.open("GET","cgi-bin/test.cgi",true);
60                 // prevent XML syntax error (in Firefox console, does not prevent execution or something, so only cosmetic co$
61                 xmlhttp.overrideMimeType('application/javascript');
62                 xmlhttp.send();
63             }
64
64
65             function alerttest(parameter) {
66                 alert(parameter);
67             }
68
69             function test_func2() {
70                 xmlhttp.open("GET","cgi-bin/python.cgi",true);
71                 // prevent XML syntax error (in Firefox console, does not prevent execution or something, so only cosmetic co$
72                 xmlhttp.overrideMimeType('application/javascript');
73                 xmlhttp.send();
74             }
75
76             function test_py() {
77                 xmlhttp.open("GET","cgi-bin/pythontest.py",true);
78                 // prevent XML syntax error (in Firefox console, does not prevent execution or something, so only cosmetic co$
79                 xmlhttp.overrideMimeType('application/javascript');
80                 xmlhttp.send();
81             }
82
83             function test_neopixel() {
84                 xmlhttp.open("GET","cgi-bin/neopixelTest.py",true);
85                 // prevent XML syntax error (in Firefox console, does not prevent execution or something, so only cosmetic co$
86                 xmlhttp.overrideMimeType('application/javascript');
87                 xmlhttp.send();
88             }
89         </script>
90     </body>
91 </html>
92

neopixelTest.py文件基本上就是这个文件 https://github.com/adafruit/Adafruit_CircuitPython_NeoPixel/blob/master/examples/neopixel_rpi_simpletest.py。我刚刚在代码的顶部添加了 #! /usr/bin/python

我知道,我是一个绝对的初学者,但我仍然会感谢每一个帮助或想法! 提前谢谢


Tags: 文件topytestmodurlbinserver
2条回答

我遇到的第四个选择是简单地向shebang添加sudo,如下所示:

#!/usr/bin/sudo python

这对我有用。我猜执行用户(在我的例子中是www-data)必须有使用sudo的权限,而不需要输入密码

但是,这也是一个安全问题(尽管我不打算向web开放我的RPi),所以我想在学习如何通过FastCGI将lighttpd与python守护进程连接后,我会尝试第三种选择。 谢谢

cgi.assign = ( "" => "" )告诉lighttpd直接执行cgi脚本(因此它们必须标记为可执行(chmod +x)),并且应该具有#!/usr/bin/python3或类似于第一行

对于需要以root用户身份运行的特定CGI脚本,您可以在CGI bin中创建一个名为my-script-name的包装器脚本,其中exec的sudo <renamed-original-script>

另一种选择是将所有特权脚本放入子目录,并创建lighttpd条件

$HTTP["url"] =~ "^/cgi-bin/priv/" {
    cgi.assign = ( "" => "/path/to/my-sudo-wrapper-script" )
}

而且my-sudo-wrapper-script必须将CGI目标$SCRIPT_NAME从环境中获取给exec

第三种选择是将python代码作为守护进程运行,以root用户身份运行,并让lighttpd通过FastCGI连接到它。这将允许您的代码以root身份运行,但lighttpd将继续以www-data身份运行

相关问题 更多 >