Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Python > IOError - cannot create file (linux daemon-invoked script)

Reply
Thread Tools

IOError - cannot create file (linux daemon-invoked script)

 
 
cassiope
Guest
Posts: n/a
 
      01-02-2010
I have a daemon on a Linux system that supports a number of Windows
clients. Among the functions is to send e-mails, which is
sufficiently complicated that I fork() a separate process which gets
setuid to a lesser user, and calls a python script which does the
actual formatting and emailing (the daemon is written in C). I want
to save a copy of the email in a particular directory which is
accessible to the Windows clients via samba.

The strange thing is that even with the right user-id, I cannot seem
to write to the directory, getting an IOError exception. Changing the
directory to world-writable fixes this. I can confirm the uid and gid
for the script by having the script print these values just before
trying to create/write the file. Becoming the same lesser user, I
have no problem writing a file to the same directory.

Is there anything that I can do to diagnose why this script is
failing? For various reasons I don't want to make the directory world-
writable.

This is on a Debian "squeeze" system, with python 2.5.

Thanks for any insights!
 
Reply With Quote
 
 
 
 
Steve Holden
Guest
Posts: n/a
 
      01-02-2010
cassiope wrote:
> I have a daemon on a Linux system that supports a number of Windows
> clients. Among the functions is to send e-mails, which is
> sufficiently complicated that I fork() a separate process which gets
> setuid to a lesser user, and calls a python script which does the
> actual formatting and emailing (the daemon is written in C). I want
> to save a copy of the email in a particular directory which is
> accessible to the Windows clients via samba.
>
> The strange thing is that even with the right user-id, I cannot seem
> to write to the directory, getting an IOError exception. Changing the
> directory to world-writable fixes this. I can confirm the uid and gid
> for the script by having the script print these values just before
> trying to create/write the file. Becoming the same lesser user, I
> have no problem writing a file to the same directory.
>

Have you looked at the IOError's errno attribute to find out exactly why
the Python subprocess is unable to write to the directory?

> Is there anything that I can do to diagnose why this script is
> failing? For various reasons I don't want to make the directory world-
> writable.
>

I'd concur on that decision.

> This is on a Debian "squeeze" system, with python 2.5.
>
> Thanks for any insights!


Take a closer look at the exception, that might stimulate a thought or two.

regards
Steve
--
Steve Holden +1 571 484 6266 +1 800 494 3119
PyCon is coming! Atlanta, Feb 2010 http://us.pycon.org/
Holden Web LLC http://www.holdenweb.com/
UPCOMING EVENTS: http://holdenweb.eventbrite.com/

 
Reply With Quote
 
 
 
 
Cameron Simpson
Guest
Posts: n/a
 
      01-03-2010
On 02Jan2010 15:21, cassiope <(E-Mail Removed)> wrote:
| [...] I want
| to save a copy of the email in a particular directory which is
| accessible to the Windows clients via samba.
|
| The strange thing is that even with the right user-id, I cannot seem
| to write to the directory, getting an IOError exception. Changing the
| directory to world-writable fixes this. I can confirm the uid and gid
| for the script by having the script print these values just before
| trying to create/write the file. Becoming the same lesser user, I
| have no problem writing a file to the same directory.

Can you show us:
- the directory user and group ownership and permissions
- the daemon's user and group values?

You can also strace your daemon:

strace -f -e trace=file your-daemon your-daemon-args... 2>strace.out

and then examine the log for the precise UNIX-level failure.

Cheers,
--
Cameron Simpson <(E-Mail Removed)> DoD#743
http://www.cskk.ezoshosting.com/cs/

Money won't buy happiness, but it will pay the salary of a large research
staff to study the problem. - Bill Vaughan
 
Reply With Quote
 
cassiope
Guest
Posts: n/a
 
      01-03-2010
On Jan 2, 3:46*pm, Steve Holden <(E-Mail Removed)> wrote:
> cassiope wrote:
> > I have a daemon on a Linux system that supports a number of Windows
> > clients. *Among the functions is to send e-mails, which is
> > sufficiently complicated that I fork() a separate process which gets
> > setuid to a lesser user, and calls a python script which does the
> > actual formatting and emailing (the daemon is written in C). *I want
> > to save a copy of the email in a particular directory which is
> > accessible to the Windows clients via samba.

>
> > The strange thing is that even with the right user-id, I cannot seem
> > to write to the directory, getting an IOError exception. *Changing the
> > directory to world-writable fixes this. *I can confirm the uid and gid
> > for the script by having the script print these values just before
> > trying to create/write the file. *Becoming the same lesser user, I
> > have no problem writing a file to the same directory.

>
> Have you looked at the IOError's errno attribute to find out exactly why
> the Python subprocess is unable to write to the directory?


It's errno=13 ... "permission denied".

> > Is there anything that I can do to diagnose why this script is
> > failing? *For various reasons I don't want to make the directory world-
> > writable.

>
> I'd concur on that decision.
>
> > This is on a Debian "squeeze" system, with python 2.5.

>
> > Thanks for any insights!

>
> Take a closer look at the exception, that might stimulate a thought or two.
>
> regards
> *Steve
> --
> Steve Holden * * * * * +1 571 484 6266 * +1 800 494 3119
> PyCon is coming! Atlanta, Feb 2010 *http://us.pycon.org/
> Holden Web LLC * * * * * * * *http://www.holdenweb.com/
> UPCOMING EVENTS: * * * *http://holdenweb.eventbrite.com/


 
Reply With Quote
 
cassiope
Guest
Posts: n/a
 
      01-03-2010
On Jan 2, 6:40*pm, Christian Heimes <(E-Mail Removed)> wrote:
> cassiope wrote:
> > The strange thing is that even with the right user-id, I cannot seem
> > to write to the directory, getting an IOError exception. *Changing the
> > directory to world-writable fixes this. *I can confirm the uid and gid
> > for the script by having the script print these values just before
> > trying to create/write the file. *Becoming the same lesser user, I
> > have no problem writing a file to the same directory.

>
> Are you able to write to the directory with the user id when you tried
> to create a file manually?


Yes. Sorry that wasn't clear.

> How are you changing the uid and gid of your script? IIRC you have to
> set the effective user id with os.seteuid() and os.setegid().


I'm changing the uid and gid in the daemon (which runs with root
permissions
until the fork and uid/gid change). The uid and gid are confirmed by
printing os.getuid() and os.getgid() in the script.

> Christian


 
Reply With Quote
 
Steve Holden
Guest
Posts: n/a
 
      01-03-2010
cassiope wrote:
> On Jan 2, 6:40 pm, Christian Heimes <(E-Mail Removed)> wrote:
>> cassiope wrote:
>>> The strange thing is that even with the right user-id, I cannot seem
>>> to write to the directory, getting an IOError exception. Changing the
>>> directory to world-writable fixes this. I can confirm the uid and gid
>>> for the script by having the script print these values just before
>>> trying to create/write the file. Becoming the same lesser user, I
>>> have no problem writing a file to the same directory.

>> Are you able to write to the directory with the user id when you tried
>> to create a file manually?

>
> Yes. Sorry that wasn't clear.
>
>> How are you changing the uid and gid of your script? IIRC you have to
>> set the effective user id with os.seteuid() and os.setegid().

>
> I'm changing the uid and gid in the daemon (which runs with root
> permissions
> until the fork and uid/gid change). The uid and gid are confirmed by
> printing os.getuid() and os.getgid() in the script.
>

And what do os.geteuid() and os.getegid() report? I suppose it's
possible there's some bizarre difference between the effective and
actual process parameters. IS the filestore a local file system, or an
NFS mount?

regards
Steve
--
Steve Holden +1 571 484 6266 +1 800 494 3119
PyCon is coming! Atlanta, Feb 2010 http://us.pycon.org/
Holden Web LLC http://www.holdenweb.com/
UPCOMING EVENTS: http://holdenweb.eventbrite.com/

 
Reply With Quote
 
cassiope
Guest
Posts: n/a
 
      01-03-2010
On Jan 2, 8:02*pm, Cameron Simpson <(E-Mail Removed)> wrote:
> On 02Jan2010 15:21, cassiope <(E-Mail Removed)> wrote:
> | [...] *I want
> | to save a copy of the email in a particular directory which is
> | accessible to the Windows clients via samba.
> |
> | The strange thing is that even with the right user-id, I cannot seem
> | to write to the directory, getting an IOError exception. *Changing the
> | directory to world-writable fixes this. *I can confirm the uid and gid
> | for the script by having the script print these values just before
> | trying to create/write the file. *Becoming the same lesser user, I
> | have no problem writing a file to the same directory.
>
> Can you show us:
> * - the directory user and group ownership and permissions
> * - the daemon's user and group values?


Directory permissions: 774
Directory ownership: "lesser user", "special group" where /etc/group
has
"special group" members including the "lesser user", as well as
those
who are expected to use the daemon, but not root.
Script ownership: "lesser user"; permissions 755
Daemon ownership: root; permissions: 755 (always started by root).

The script also has to connect to a postgresql database for part of
its
work - that part works,
> You can also strace your daemon:
>
> * strace -f -e trace=file your-daemon your-daemon-args... 2>strace.out
>
> and then examine the log for the precise UNIX-level failure.
>
> Cheers,
> --
> Cameron Simpson <(E-Mail Removed)> DoD#743http://www.cskk.ezoshosting.com/cs/
>
> Money won't buy happiness, but it will pay the salary of a large research
> staff to study the problem. - Bill Vaughan


Thanks, Cameron (and Steve and Christian). My first shot with strace
(it's
been awhile since I've used that - I think your syntax may be a tiny
bit off
- but it's probably the tool I need to use. Will explore further...


 
Reply With Quote
 
Cameron Simpson
Guest
Posts: n/a
 
      01-03-2010
On 03Jan2010 14:20, cassiope <(E-Mail Removed)> wrote:
| On Jan 2, 8:02*pm, Cameron Simpson <(E-Mail Removed)> wrote:
| > Can you show us:
| > * - the directory user and group ownership and permissions
| > * - the daemon's user and group values?
|
| Directory permissions: 774

That's unusual - why the "4"? Directories with read but no search (1)
are of limited use. (Not none - it's only unusual, not insane).

| Directory ownership: "lesser user", "special group" where /etc/group
| has "special group" members including the "lesser user", as well as
| those who are expected to use the daemon, but not root.
| Script ownership: "lesser user"; permissions 755
| Daemon ownership: root; permissions: 755 (always started by root).

And the script/daemon _runs_ as the "lesser user"?

If so, superficially the permissions look like they should work.
--
Cameron Simpson <(E-Mail Removed)> DoD#743
http://www.cskk.ezoshosting.com/cs/

I couldn't think of anything else to do with it, so I put it on the web.
 
Reply With Quote
 
cassiope
Guest
Posts: n/a
 
      01-03-2010
On Jan 3, 3:00*pm, Cameron Simpson <(E-Mail Removed)> wrote:
> On 03Jan2010 14:20, cassiope <(E-Mail Removed)> wrote:
> | On Jan 2, 8:02*pm, Cameron Simpson <(E-Mail Removed)> wrote:
> | > Can you show us:
> | > * - the directory user and group ownership and permissions
> | > * - the daemon's user and group values?
> |
> | Directory permissions: 774
>
> That's unusual - why the "4"? Directories with read but no search (1)
> are of limited use. (Not none - it's only unusual, not insane).
>
> | Directory ownership: "lesser user", "special group" where /etc/group
> | has "special group" members including the "lesser user", as well as
> | those who are expected to use the daemon, but not root.
> | Script ownership: "lesser user"; permissions 755
> | Daemon ownership: root; permissions: 755 (always started by root).
>
> And the script/daemon _runs_ as the "lesser user"?
>
> If so, superficially the permissions look like they should work.
> --
> Cameron Simpson <(E-Mail Removed)> DoD#743http://www.cskk.ezoshosting.com/cs/
>
> I couldn't think of anything else to do with it, so I put it on the web.


Strace confirms the uid and gid == "lesser user". Changing the
directory
permissions to 775 changes nothing. Clearly get EACCES error on the
attempted
file creation.

The only other thing is that as part of the python interpreter call, I
provide
a "reduced environment", just UID,GID,TMP,PWD,USER, and HOME. Is
anything
else needed?

Thanks again, Cameron!
 
Reply With Quote
 
Cameron Simpson
Guest
Posts: n/a
 
      01-04-2010
On 03Jan2010 15:56, cassiope <(E-Mail Removed)> wrote:
| Strace confirms the uid and gid == "lesser user". Changing the
| directory
| permissions to 775 changes nothing. Clearly get EACCES error on the
| attempted
| file creation.
|
| The only other thing is that as part of the python interpreter call, I
| provide
| a "reduced environment", just UID,GID,TMP,PWD,USER, and HOME. Is
| anything
| else needed?

Should be irrelevant.

Ok: does the file to be created already exist? If so, what are its
permissions? If the file exists and isn't writable you may get this
error.

Also, did you eyeball the actual open() call to ensure the file pathname
is correct, and doesn't use a bogus (non-existent) directory name?
--
Cameron Simpson <(E-Mail Removed)> DoD#743
http://www.cskk.ezoshosting.com/cs/

"GOD IS MY SOURCE" - Bumper sticker, Chapel Hill, NC
I'll have to remember that one for the next code review meeting.
- http://www.velocityreviews.com/forums/(E-Mail Removed) (Alain van der Heide)
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Python Image Library IOError - cannot find JPEG decoder? Dario Traverso Python 4 02-26-2009 01:44 AM
URL as input -> "IOError: [Errno 2] The system cannot find the path specified" Gilles Ganault Python 2 10-24-2008 06:34 PM
PIL problem: IOError: cannot identify image file h112211@gmail.com Python 2 08-20-2006 01:38 PM
file.readlines() and IOError exceptions Astan Chee Python 0 07-12-2006 12:04 AM
readlines() with large file raises: IOError: [Errno 12] Cannotallocate memory nicogrubert@arcor.de Python 0 11-22-2004 09:06 AM



Advertisments