Skip to content

How to place restrictions on Bash and Python components


This guide explains how users can execute commands as a separate, locked-down user when running scripts outside a sandbox environment.

Matillion ETL provides a Bash Script component and a Python Script component for users to run custom scripts. Since these scripts are executed on the server directly, a user with access to a project could execute commands with the same privileges as the web server, i.e. Tomcat. This is potentially dangerous, and so the below work-around is provided.

Placing restrictions on Bash and Python components

  1. For this example, we have an OS user called "lockdown".
  2. We create the following three shell scripts, where "lockdown" is the user and should be replaced accordingly:

sudo -u lockdown bash "$@"

sudo -u lockdown python "$@"

sudo -u lockdown python3 "$@"
To allow Tomcat to run Python as another user, create/edit /etc/sudoers.d/matillion-sudo and add the list of commands that Tomcat is allowed to run as another user—this is not a one-time action, and permissions can be added or removed as required later on. For example:

tomcat ALL=(lockdown) NOPASSWD: /usr/bin/python, /usr/bin/python3, /usr/bin/bash
  1. We then place these files into a directory on the server, for example /opt/lockdownscripts. We must ensure that these scripts are executable by the Tomcat user, and ensure that the Tomcat user has permissions to run anything as the example "lockdown" user in the directory /etc/sudoers.
  2. Java reads and writes temporary files to pass context into Python and then receive it back. Therefore, the Tomcat /tmp directory needs to be read from and written to by CentOS and Tomcat users interchangeably. File permissions need to allow the directory to be written to—but only the /tmp directory. Like so:
sudo chmod 777 /usr/share/tomcat/temp

Additionally, the files created by Tomcat need to have their permissions set. In /usr/share/tomcat/bin/ change the default UMASK to 0000.

  1. We must amend the file like so:

From this point, all Bash or Python scripts in this instance would be executed as the "lockdown" user, not Tomcat.