execute remote commands with sudo #54

New Issue

Open

opened 2021-11-20 11:25:15 +00:00 by ungleich-gitea · 6 comments

ungleich-gitea commented 2021-11-20 11:25:15 +00:00

Owner

Copy Link

more and more I'm in situation where I don't get root with VM or it's even forbidden to do sudo -i. there are many reasons for that. from overzealous security policy writes who see root as root of all evil to monitoring and auditability of operator actions. YMMV of course, but we can't ignore the fact that this is happening and it's a new norm just like Gospel of systemd brought to you by Church of Lennart.

fun fact is that sudo is often allowed without password in situations where all non-system users present in system are admins anyway. shared systems with some users in sudoers group is different issue and isn't in scope imho.

what must be done:

1. all necessary files must be copied to executing user's context in target host (~/.cdist/exec?). imho that should be default even if we use root.
2. directories and files in executing user context must be create without sudo
3. remote code must be executed with sudo

discuss.

more and more I'm in situation where I don't get root with VM or it's even forbidden to do ``sudo -i``. there are many reasons for that. from overzealous security policy writes who see root as root of all evil to monitoring and auditability of operator actions. YMMV of course, but we can't ignore the fact that this is happening and it's a new norm just like Gospel of systemd brought to you by Church of Lennart. fun fact is that ``sudo`` is often allowed without password in situations where all non-system users present in system are admins anyway. shared systems with some users in sudoers group is different issue and isn't in scope imho. what must be done: 1. all necessary files must be copied to executing user's context in target host (`~/.cdist/exec`?). imho that should be default even if we use root. 2. directories and files in executing user context must be create without sudo 3. remote code must be executed with sudo discuss.

ungleich-gitea commented 2021-11-20 15:31:50 +00:00

Author

Owner

Copy Link

yeah, something like $TMP/cdist-$USER with mode 0700 would be nice too.

yeah, something like `$TMP/cdist-$USER` with mode `0700` would be nice too.

ungleich-gitea commented 2021-11-20 15:31:51 +00:00

Author

Owner

Copy Link

Not sure whether I like ~/.cdist/exec.
I'd propose to use /tmp for temporary files. It is also always writable by users.
If permissions are a concern the cdist temp directory could be owned by the executing user and have mode 0700.

Not sure whether I like `~/.cdist/exec`. I'd propose to use `/tmp` for temporary files. It is also always writable by users. If permissions are a concern the cdist temp directory could be owned by the executing user and have mode `0700`.

ungleich-gitea commented 2021-11-20 15:31:52 +00:00

Author

Owner

Copy Link

It isn't.

For example, how would you write --remote-copy with sudo? :)

It isn't. For example, how would you write `--remote-copy` with sudo? :)

ungleich-gitea commented 2021-11-20 15:31:54 +00:00

Author

Owner

Copy Link

@ander You can use --remote-exec/--remote-copy custom settings to do it with sudo/non-root user. Or this isn't enough?

@ander You can use --remote-exec/--remote-copy custom settings to do it with sudo/non-root user. Or this isn't enough?

ungleich-gitea commented 2021-11-20 15:31:55 +00:00

Author

Owner

Copy Link

changed the description

changed the description

ungleich-gitea commented 2021-11-20 15:31:57 +00:00

Author

Owner

Copy Link

changed the description

changed the description

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

7.0

6.9

py3.10

ander/__package_apt_update_index

haproxy-dualstack

ander/__sed

beta

ander/os_version_debian_sid

evilham-compatibility-fixes

ander/__rsync

__snakeoil_cert

ander/update_readme

__download_improvements

feature/onchange

cleanup/string-formatting

feature/type-relationship-graph

cleanup/ssh-auth-keys-types

__letsencrypt_cert-fix-hooks

bugfix/preos-debug

bugfix/in-script-import

6.8

bugfix/sphinx-docs-build

6.7

cherry-pick-2f433a14

bugfix/make-code-consistent

6.6

regain-py3.2-support

6.5

bugfix/multiple-log-lines

matterbridge

coturn

alpinefix

matrix

new-type/network-interface

feature/process

6.4

feature/info-command

feature/libexec

6.3

preos-plugins-dir-opt

gitlab-ci

6.2

order-dep-fix

6.1

6.0

build/support-pip-from-git

feature/shell-lib

5.1

feature/support-type-deprecation

5.0

feature/python-types

4.11

4.10

shellcheck

4.9

4.8

freebsd-improvements

new-prometheus

key_value-onchange

feature/output_streams

AnotherKamila-patch-1

__letsencrypt_cert-fixes

letsencrypt-cron-fix

4.7

newtype-__letsencrypt_cert

os_explorer_devuan_fix

prometheus-exporter-fixes

daemontools-for-fbsd

type-prometheus-exporter-from-master

prometheus-more-fixes

4.6

4.5

fix-j

steven-backport

4.4

prometheus-fixes

grafana_dashboard

prometheus

daemontools

consul_improvements

feature/trigger

4.3

4.0-pre-not-stable

4.2

4.1

4.0

feature_install_and_preos

3.1

no-dot-cdist

random_dot_cdist

feature_yum_url

feature_files_export

3.0

2.3

2.2

2.1

ssh_callback

2.0

archive_shell_function_approach

1.7

1.6

1.5

1.4

1.3

1.2

1.1

1.0

7.0.0

6.9.8

6.9.7

6.9.6

6.9.5

6.9.4

6.9.3

6.9.2

6.9.1

6.9.0

6.8.0

6.7.0

6.6.0

6.5.6

6.5.5

6.5.4

6.5.3

6.5.2

6.5.1

6.5.0

6.4.0

6.3.0

6.2.0

6.1.1

6.1.0

6.0.4

6.0.3

6.0.2

6.0.1

6.0.0

5.1.3

5.1.2

5.1.1

5.1.0

5.0.2

5.0.1

5.0.0

4.11.1

4.11.0

4.10.11

4.10.10

4.10.9

4.10.8

4.10.7

4.10.6

4.10.5

4.10.4

4.10.3

4.10.2

4.10.1

4.10.0

4.9.1

4.9.0

4.8.4

4.8.3

4.8.2

4.8.1

4.8.0

4.7.3

4.7.2

4.7.1

4.7.0

4.6.1

4.6.0

4.5.0

4.4.4

4.4.3

4.4.2

4.4.1

4.4.0

4.3.2

4.3.1

4.3.0

4.2.2

4.2.1

4.2.0

4.1.0

4.0.0

3.1.13

tn1

3.1.12

3.1.11

3.1.10

3.1.9

3.1.8

3.1.7

3.1.6

4.0.0pre3

3.1.5

3.1.4

3.1.3

3.1.2

3.1.1

3.1.0

4.0.0pre2

3.0.9

3.0.8

3.0.7

3.0.6

3.0.5

3.0.4

3.0.3

4.0.0pre1

3.0.2

3.0.1

3.0.0

2.3.7

2.3.6

2.3.5

2.3.4

2.3.3

2.3.2

2.3.1

2.3.0

2.2.0

2.1.2

2.1.1

2.1.0

2.1.0pre8

2.1.0pre7

2.1.0pre6

2.0.15

2.1.0pre5

2.1.0pre4

2.1.0pre3

2.1.0pre2

2.1.0pre1

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.1

2.0.0

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.0

1.4.1

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

0.9.9

0.9.8

0.9.7

0.9.6

0.9.5

0.9.4

0.9.3

0.9.2

0.9.1

0.9

0.8

0.7

0.6

0.5

0.4

0.3

0.2

0.1

Labels

Clear labels   

bugfix

  

cleanup

  

discussion

  

documentation

  

doing

  

done

  

feature

  

improvement

  

packaging

  

Stale

  

testing

  

TODO

No Label

bugfix

cleanup

discussion

documentation

doing

done

feature

improvement

packaging

Stale

testing

TODO

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: ungleich-public/cdist#54

No description provided.