
Re: [Fab-user] can't use /bin/bash -l -c or /bin/su -c


From: Jeff Forcier
Subject: Re: [Fab-user] can't use /bin/bash -l -c or /bin/su -c
Date: Thu, 26 Sep 2013 10:51:20 -0700

Hi Julien,

Unfortunately one can't have both a locked-down sudoers configuration
*and* allow bash as a sudo command - doesn't make sense.

If you own the system and can change the sudoers config, then that
tradeoff is up to you. If policy prevents you from doing so, then
you're mostly stuck using "non-shell" commands, as you mentioned.

-Jeff


On Thu, Sep 26, 2013 at 9:19 AM, julien silverston
<address@hidden> wrote:
> Hello Ronan,
>
> You're right, works fine.
>
> But without bash I'm losing Fabric killer features :
>
> I mean, can't use anymore :
>
> "with cd"
> sudo('command xx | command yy')
> sudo('echo xxx > /etc/X.conf')
> or fabric.contrib like append despite using shell=False
>
> Do you know any workaround ?
>
> Thank you
>
> Julien
>
>
> On Thu, Aug 22, 2013 at 11:11 AM, Ronan Amicel <address@hidden>
> wrote:
>>
>> Hi Julien,
>>
>> Have you tried using the "shell" argument to disable shell wrapping? e.g.
>>
>>     sudo('uptime', shell=False)
>>
>> See
>> http://docs.fabfile.org/en/1.7/api/core/operations.html#fabric.operations.run
>>
>> Regards,
>>
>> Ronan Amicel
>>
>>
>> On Thu, Aug 22, 2013 at 12:34 AM, julien silverston
>> <address@hidden> wrote:
>>>
>>> Hello,
>>>
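>>> I'm very pleased with Fabric and I use it with a lot of success to manage my
>>> servers.
>>> Even convinced my colleagues to use it.
>>> But actually for security reason, mostly to avoid shell escape I can't
>>> use it.
>>>
>>> As example I do with sudo :
>>>
>>> from fabric.api import run, sudo, task
>>>
>>> @task
>>> def host_type():
>>>     # run() with an explicit "sudo su -c": sudo is asked to authorize /bin/su
>>>     run('sudo su -c "uname -a"')
>>>     # sudo() with the default shell wrapping: sudo is asked to authorize /bin/bash
>>>     sudo('uptime')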
>>>
>>>
>>> [serverX] Executing task 'host_type'
>>> [serverX] run: sudo su -c "uname -a"
>>> [serverX] Login password for 'me':
>>> [serverX] out: [sudo] password for me:
>>> [serverX] out: Sorry, user me is not allowed to execute '/bin/su -c uname
>>> -a' as root on serverX.
>>> [serverX] out:
>>>
>>> Warning: run() received nonzero return code 1 while executing 'sudo su -c
>>> "uname -a"'!
>>>
>>> [serverX] sudo: uptime
>>> [serverX] out: sudo password:
>>> [serverX] out: Sorry, user me is not allowed to execute '/bin/bash -l -c
>>> uptime' as root on serverX.
>>> [serverX] out:
>>>
>>>
>>> Warning: sudo() received nonzero return code 1 while executing 'uptime'!
>>>
>>> I know how to setup sudoers, but for company policies I can't change it.
>>>
>>> sudoers contains :
>>> !/bin/bash,!/bin/su
>>>
>>> I tried to use env.shell = "" , pty=False but with no success.
>>>
>>> How can I update Fabric and other frameworks, like cuisine, to continue to
>>> use Fabric despite this rule that I can't change.
>>>
>>> I can change all sudo command for run('sudo xxx') but will ask my
>>> password each time and I can use cuisine anymore.
>>>
>>> Thank you,
>>>
>>> Julien
>>>
>>> _______________________________________________
>>> Fab-user mailing list
>>> address@hidden
>>> https://lists.nongnu.org/mailman/listinfo/fab-user
>>>
>>
>
>



-- 
Jeff Forcier
Unix sysadmin; Python/Ruby engineer
http://bitprophet.org
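
An added sketch, not part of the original thread or of Fabric's own code, of what sudo is asked to authorize in each case discussed above. It assumes the wrapper string shown in the error output and the two deny entries from the quoted sudoers line, and it matches denied binaries by basename, which is a simplification of real sudoers matching; `sudo_view` and `preflight` are hypothetical helper names.

```python
import os
import shlex

# Assumptions: the wrapper is the one visible in the thread's error output;
# the deny list is the sudoers line quoted in the thread.
FABRIC_SHELL_WRAPPER = "/bin/bash -l -c"
SUDOERS_DENIED = ("/bin/bash", "/bin/su")


def tokens(command):
    """Split like a POSIX shell, keeping operators (| > && ;) as tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_operator(token):
    # A quoted lone operator is also reported here; that errs on the safe side.
    return bool(token) and all(ch in "();<>|&" for ch in token)


def sudo_view(command, shell=True):
    """Return (argv sudo must authorize, tokens left to the login shell)."""
    if shell:
        # The whole string is handed to bash, so sudo only ever sees bash.
        return shlex.split(FABRIC_SHELL_WRAPPER) + [command], []
    toks = tokens(command)
    for i, tok in enumerate(toks):
        if is_operator(tok):
            # With shell=False the SSH login shell parses the operator, so
            # everything from here on runs as the unprivileged user.
            return toks[:i], toks[i:]
    return toks, []


def preflight(command, shell=True):
    """Classify a command as 'denied', 'unprivileged-tail' or 'ok'."""
    argv, rest = sudo_view(command, shell)
    denied = {os.path.basename(path) for path in SUDOERS_DENIED}
    if argv and os.path.basename(argv[0]) in denied:
        return "denied"
    return "unprivileged-tail" if rest else "ok"


if __name__ == "__main__":
    # Constructed inputs, taken from the commands mentioned in the thread.
    for cmd, shell in [("uptime", True), ("uptime", False),
                       ("echo xxx > /etc/X.conf", False),
                       ("command xx | command yy", False)]:
        print(shell, cmd, "->", preflight(cmd, shell))
```

An "unprivileged-tail" verdict means only the first simple command would run under sudo, which is why the redirect and pipe forms stop working once shell wrapping is disabled.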


