How to place restrictions on Bash and Python components
This guide explains how users can execute commands as a separate, locked-down user when running scripts outside a sandbox environment.
Matillion ETL provides a Bash Script component and a Python Script component for users to run custom scripts. Since these scripts are executed directly on the server, a user with access to a project could execute commands with the same privileges as the web server, i.e. the Tomcat user. This is potentially dangerous, and so the workaround below is provided.
Placing restrictions on Bash and Python components
Placing restrictions on script execution requires the scripts to be run by an OS user called restricteduser.
Create the following three shell scripts. Each one makes the interpreter's temporary context files writable and then hands the script, with all of its arguments, to the interpreter running as restricteduser:
-
bash.sh:
#!/bin/bash
# Make the temporary context files written by Java writable before handing off
chmod +w /tmp/interpreter*
# Run bash as restricteduser, passing every argument through unchanged
sudo -u restricteduser bash "$@"
-
python2.sh:
#!/bin/bash
chmod +w /tmp/interpreter*
# Run Python 2 as restricteduser with the original arguments
sudo -u restricteduser python "$@"
-
python3.sh:
#!/bin/bash
chmod +w /tmp/interpreter*
# Run Python 3 as restricteduser with the original arguments
sudo -u restricteduser python3 "$@"
Place these files into a directory on the server, and set this directory as the executable path against the Python interpreters you have defined in Manage interpreters.
Note
Manage interpreters is only available in Matillion ETL version 1.68.3 and above.
To allow Tomcat to run Python as another user, create or edit /etc/sudoers.d/matillion-sudo (using visudo -f on that file validates the syntax before it takes effect) and add the list of commands that Tomcat is allowed to run as another user. This is not a one-time action; permissions can be added or removed as required later on. For example:
tomcat ALL=(restricteduser) NOPASSWD: /usr/bin/python, /usr/bin/python3, /usr/bin/bash
Java reads and writes temporary files to pass context into Python and then receive it back. Therefore, Tomcat's temp directory needs to be read from and written to by the Tomcat user and by restricteduser interchangeably. The file permissions need to allow the directory to be written to, but apply this to the temp directory only. Like so:
sudo chmod 777 /usr/share/tomcat/temp
This makes the directory world-writable, so do not apply it anywhere else; a sticky bit (mode 1777, as on /tmp itself) additionally stops one user from deleting another user's files in it.
Amend the Emerald.properties file to contain the following:
-
For Matillion ETL version 1.68.3 and above:
BASH_COMMAND=/<script_path>/bash.sh
-
For Matillion ETL versions prior to 1.68.3:
ENABLE_JYTHON=false
PYTHON_2_COMMAND=/<script_path>/python2.sh
PYTHON_3_COMMAND=/<script_path>/python3.sh
BASH_COMMAND=/opt/<script_path>/bash.sh
Where <script_path> is the path to the directory you placed the script files in.
From this point, all Bash or Python scripts in this instance are executed as the restricteduser user, not as Tomcat.
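As an added verification helper (not part of Matillion ETL or of this guide), the following script checks the three settings above: that each wrapper hands off to the right interpreter as restricteduser, that the sudoers fragment permits each interpreter for tomcat, and that the temp directory is world-writable. It assumes the file names, user names and paths used in this guide and takes them as parameters so it can also be run against a test copy.

```shell
#!/bin/bash
# check_restricted_setup.sh: hypothetical verification helper (not part of Matillion ETL).
# Every path and user name is a parameter so the checks can be run against a test copy.
# A wrapper must be executable, start with #!/bin/bash, and hand off with
# exactly: sudo -u <user> <interpreter> "$@"
check_wrapper() {
  local script="$1" interp="$2" user="${3:-restricteduser}"
  [ -x "$script" ] || { echo "FAIL: $script missing or not executable"; return 1; }
  head -n 1 "$script" | grep -qx '#!/bin/bash' || { echo "FAIL: $script: bad shebang"; return 1; }
  grep -Fxq "sudo -u $user $interp \"\$@\"" "$script" \
    || { echo "FAIL: $script does not run $interp as $user"; return 1; }
  echo "OK: $script runs $interp as $user"
}

# The sudoers fragment must hold a NOPASSWD rule letting <runner> run <interp_path>
# as <user>; the command list after NOPASSWD: is split on commas and matched exactly.
check_sudoers_rule() {
  local file="$1" interp_path="$2" user="${3:-restricteduser}" runner="${4:-tomcat}" rule
  rule=$(grep -E "^${runner}[[:space:]]+ALL=\(${user}\)[[:space:]]+NOPASSWD:" "$file") \
    || { echo "FAIL: no NOPASSWD rule for $runner as $user in $file"; return 1; }
  printf '%s\n' "${rule#*NOPASSWD:}" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq "$interp_path" \
    || { echo "FAIL: $interp_path is not permitted for $runner as $user"; return 1; }
  echo "OK: $runner may run $interp_path as $user"
}

# The shared temp directory must be writable by everyone (777, or 1777 with the sticky bit).
check_temp_dir() {
  local dir="$1" mode
  [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
  mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
  case "$mode" in
    *777) echo "OK: $dir mode $mode"; return 0 ;;
    *) echo "FAIL: $dir mode $mode, expected 777"; return 1 ;;
  esac
}

# Run every check from the guide; returns non-zero if any of them fails.
run_all_checks() {
  local script_dir="$1" sudoers="$2" temp_dir="$3" rc=0
  for pair in bash.sh:bash python2.sh:python python3.sh:python3; do
    check_wrapper "$script_dir/${pair%%:*}" "${pair##*:}" || rc=1
  done
  for interp in /usr/bin/bash /usr/bin/python /usr/bin/python3; do
    check_sudoers_rule "$sudoers" "$interp" || rc=1
  done
  check_temp_dir "$temp_dir" || rc=1
  return "$rc"
}
# Usage: run_all_checks /<script_path> /etc/sudoers.d/matillion-sudo /usr/share/tomcat/temp
```

The checks only inspect files and modes; they do not invoke sudo, so they can be run as any user before the restricted configuration is switched on.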