6 Things You Need to Know To Run Commands From Python
Despite the many libraries on PyPI, sometimes you need to run an external command from your Python code. The built-in Python subprocess module makes this relatively easy.
In this article you will:
- Learn the basics about processes and sub-processes
- Use the Python subprocess module to safely execute external commands
- Capture the command’s output
- Feed a command with input from standard in
- Look into running shell commands
- Learn about critical security considerations when running external commands
1. Processes and subprocesses
A program that is executed on a computer is also called a process. But what is a process, exactly? Let’s define it more formally:
Process: the instance of a computer program that is being executed by one or more threads.
A process can have multiple threads, this is called multi-threading. In turn, a computer can run multiple processes at once. These processes can be different programs, but they can also be multiple instances of the same program. In our article on concurrency with Python, this is explained in great detail. The following images come from that article, too:
If you want to run an external command, it means you need to create a new process from your Python process. Such a process is often called a child process or a sub-process. Visually, this is what happens when one process spawns two sub-processes:
What happens internally (inside the OS kernel) is what’s called a fork. The process forks itself, meaning a new copy of the process is created and started. This can be useful if you want to parallelize your code and utilize multiple CPUs on your machine. That’s what we call multiprocessing.
We can utilize this same technique to start another process, though. First, the process forks itself, creating a copy. That copy, in turn, replaces itself with another process: the process you were looking to execute.
We can go the low-level way and do much of this ourselves using the Python subprocess module, but luckily, Python also offers a wrapper that will take care of all the nitty-gritty details, and do so safely too. Thanks to the wrapper, running an external command comes down to calling a function. This wrapper is the function
run() from the
subprocess library and that's what we'll use in this article.
I thought it would be nice for you to know what’s going on internally, but if you feel confused, rest assured that you don’t need this knowledge to do what you want: running an external command with the Python subprocess module.
2. Create a Python subprocess with subprocess.run
Enough with the theory, it’s time to get our hands dirty and write some code to execute external commands.
First of all, you need to import the subprocess library. Since it is part of Python 3, you don’t need to install it separately. From this library, we’ll work with the run command. This command was added in Python 3.5. Make sure you have at least that Python version, but preferably you should be running the latest version. Check our detailed Python installation instructions if you need help with that.
Let’s start with a simple call to ls, to list the current directories and files:
In fact, we can call Python, the binary, from our Python code. Let’s request the version of the default python3 installation on our system:
A line-by-line explanation:
- We import the subprocess library
- Run a subprocess, in this case the python3 binary, with one argument:
- We see the output from the Python command
- Inspect the result variable, which is of the type
The process returned code 0, meaning it executed successfully. Any other return code would mean there was some kind of error. It depends on the process you called what the different return code means.
As you can see in the output, the Python binary printed its version number on standard out, which is usually your terminal. Your result may vary because your Python version will likely be different. Perhaps, you’ll even get an error looking like this:
FileNotFoundError: [Errno 2] No such file or directory: 'python3'. In this case, make sure the Python binary is called python3 on your system too, and that it's in the PATH.
3. Capture output of a Python subprocess
If you run an external command, you’ll likely want to capture the output of that command. We can achieve this with the
As you can see, Python didn’t print its version to our terminal this time. The
subprocess.run command redirected the standard out and standard error streams so it could capture them and store the result for us. After inspecting the result variable, we see that the Python version was captured from standard out. Since there were no errors,
stderr is empty.
I also added the option
encoding='UTF-8'. If you don’t,
subprocess.run assumes the output is a stream of bytes since it doesn't have this information. Try it, if you want.
As a result,
stderrwill be byte arrays. Hence, if you know the output will be ASCII text or UTF-8 text, you're better off specifying it so the run function encodes the captured output accordingly as well.
Alternatively, you can also use the option text=True without specifying the encoding. Python will capture the output as text. I’d recommend specifying the encoding explicitly if you know it. The official documentation doesn’t state if and how Python detects the output’s encoding.
4. Feeding data from standard input
If the external command expects data on standard input, we can do so easily as well with the
input option of Python's
subprocess.run function. Please note that I'm not going into streaming data here. We'll build on the previous examples here:
We just used Python to execute some Python code with the python3 binary. Completely useless, but (hopefully) very instructive!
The code variable is a multi-line Python string and we assign it as input to the
subprocess.run command using the
5. Running shell commands
If you are looking to execute shell commands on Unix-like systems, by which I mean anything you would normally type into a Bash-like shell, you need to realize that these are often not external binaries that are executed. For example, expressions like
while loops, or pipes and other operators, are interpreted by the shell itself.
Python often has alternatives in the form of built-in libraries, which you should prefer. But if you need to execute a shell command, for whatever reason,
subprocess.run will happily do so when you use the
shell=True option. It allows you to enter commands just as if you were entering them in a Bash compatible shell:
But a warning is in place: using this method is prone to command injection attacks! Keep reading to learn more about this security issue.
6. Caveats to look out for
Running external commands is not without risks. Please read this section very carefully.
os.system vs subprocess.run
You might see code examples where
os.system() is used to execute a command. The
subprocess module is more powerful, though, and the official Python docs recommend using it over
os.system(). Another issue with
os.system is that it is more prone to command injection.
A common attack, or exploit, is to inject extra commands to gain control over a computer system. For example, if you ask your user for input and use that input in a call to
os.system() or a call to
subprocess.run(...., shell=True), you're at risk of a command injection attack.
To demonstrate, the following code allows us to run any shell command:
Because we directly used the user input, the user can run any command simply by appending it with a semicolon. E.g., the following input will list the / directory and echo a text. Try it for yourself:
/; echo "command injection worked!";
The solution is not to try and clean the user input. You might be tempted to start looking for semicolons and rejecting the input of you find one. Don’t; hackers can think of at least 5 other ways to append a command in this situation. It’s an uphill battle.
The better solution is to not use
shell=True, and feed the command in a list as we did in the earlier examples. Input like this will fail in such cases because the subprocess module will make sure the input is an argument to the program you’re executing, instead of a new command.
With the same input, but with
shell=False, you will get this:
The command is treated as an argument to
ls, which in turn tells us that It can’t find that file or directory.
User input is always dangerous
In fact, using user input is always dangerous, not just because of command injection. For example, suppose you allow a user to input a file name. After this, we read the file and show it to the user. Although this might seem harmless, a user could enter something like this:
settings.yaml might contain your database password… oops!
Originally published at https://python.land