run_script: Avoid requesting sudo password#415
run_script: Avoid requesting sudo password#415JoseExposito wants to merge 1 commit intorhel-lightspeed:mainfrom
Conversation
|
For team members: test commit |
Codecov Report✅ All modified and coverable lines are covered by tests.
Flags with carried forward coverage won't be shown. Click here to find out more.
... and 5 files with indirect coverage changes 🚀 New features to boost your workflow:
|
owtaylor
left a comment
owtaylor
left a comment
There was a problem hiding this comment.
Hmm, so one thing here is that I don't think local commands should ever be executed with a connection to a PTY.
Can you test:
- proc = await asyncio.create_subprocess_exec(*full_command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ proc = await asyncio.create_subprocess_exec(*full_command, start_new_session=True, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.PIPE)and in the local-execution path of ssh.py and see if that by itself fixes the problem. Perhaps we want --non-interactive in addition ... but the difference would be pretty small. I think sudo will never use anything but the terminal for prompting unless -A is explicitly passed in.
NOTE: once we have http mode fully supported, the plan is that local operation will be denied by default, since it's a potential security trap.
| set -euo pipefail | ||
| SCRIPT={script} | ||
| if command -v sudo >/dev/null 2>&1 && command -v systemd-run >/dev/null 2>&1 && sudo -l whoami >/dev/null 2>&1; then | ||
| if command -v sudo >/dev/null 2>&1 && command -v systemd-run >/dev/null 2>&1 && sudo --non-interactive true >/dev/null 2>&1; then |
There was a problem hiding this comment.
The use of sudo -l here is to avoid log noise. For me using sudo -l also prompts for the password and sudo -l --non-interactive also fails. Does that not work for you?
There was a problem hiding this comment.
The -l options works like this in my case (Linux), not sure if it might change in other OS (macOS or similar):
If no command is specified, the -l (list) option will list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host.
If a command is specified and is permitted by sudoers, the fully- qualified path to the command is displayed along with any command line arguments.
For example:
$ sudo --non-interactive true
sudo: a password is required
$ sudo -l --non-interactive true
sudo: a password is required
$ sudo -l true
# Password is requested
/usr/bin/true
That works, and I think it is a cleaner solution. Let me update the MR to use your solution. |
When running the MCP server over HTTP transport, `_wrap_script()` request the sudo password in the terminal. Pipe stdin to os.devnull to avoid hanging on user input. Suggested-by: Owen Taylor <otaylor@fishsoup.net> Closes: rhel-lightspeed#414
JoseExposito
force-pushed
the
do-not-request-sudo-password
branch
from
dbbf8f8 to
fb43755
Compare
|
For team members: test commit |
2 participants
When running the MCP server over HTTP transport,
_wrap_script()request the sudo password in the terminal.Replace the current command to check if sudo fails with non-interactive mode. From the sudo help:
Also, replace
whoamiwithtrue, which simply return successfully, from its man page:Fixes: e6a05df ("RSPEED-2335 Wrap executed commands in sudo+systemd-run where possible (#256)")
Closes: #414