Re: [Fab-user] question about sudo executed

From: Christian Vest Hansen
Subject: Re: [Fab-user] question about sudo executed
Date: Thu, 2 Apr 2009 22:16:08 +0200

As you have learned, sudo() actually constructs a sudo command that
calls bash (or whatever fab_shell is) which then calls your real

The reason for this round-about way of sudo'ing can be illustrated thus:

$ sudo echo poke && whoami
$ sudo bash -c "echo poke && whoami"

So we introduce a limitation to what can be expressed in a command by
not going through a shell.

But, I have pushed a change that will allow you to avoid the shell for
a single sudo command by setting a noshell keyword argument to True:

sudo('uptime', noshell=True)

Or, you can turn the shell off for all subsequent calls to sudo by
setting the fab_sudo_noshell variable on config to True:


Both of these approaches are subject to the limitation described above,
but you can try them out if you fetch the code from the git
repositories. In fact, please do and tell me if you encounter any
other problems.

2009/4/2 Robert Ramírez Vique <address@hidden>:
> Hello,
> I am trying to execute a sudo command on one server, my problem is that in
> the remote server I got this error:
> [bronx] sudo: sudo -S -p 'sudo password:'  /bin/bash -l -c  "uptime"
> [bronx] err: Sorry, user devel is not allowed to execute '/bin/bash -l -c
> uptime' as root on bronx.
> Error: The sudo operation failed on bronx.
> here is the code of my fabfile:
> def test():
>     sudo('uptime')
> The problem is probably that I've something badly configured, because
> the system is trying to execute "/bin/bash -l -c uptime", and I have to give
> sudo access (in the sudoers file) to the user devel on this command, to
> every command I want to execute, including things like "/bin/bash -l -c
> /etc/init.d/nginx start", "/bin/bash -l -c /etc/init.d/nginx stop",
> "/bin/bash -l -c /etc/init.d/nginx reload" ... The other option is to give
> access to /bin/bash, but this is clearly not the correct solution, due to
> security issues.
> I tried changing the fab_shell to nothing (''), but then the run methods
> don't work. I don't know of any other option.
> I am using the latest Fabric 0.1.0 installed with easy_install, on Ubuntu
> 8.04.
> Do you have any idea? Any configuration I am missing?
> cheers,
>       Robert Ramírez Vique
>       Computer Science Engineer
> Bob Hope  - "You know you are getting old when the candles cost more than
> the cake."

Venlig hilsen / Kind regards,
Christian Vest Hansen.
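
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not Fabric's code: it shows which command sudo receives (and so what sudoers has to permit) with and without the shell wrapper, and what is left outside sudo when a shell operator is used without it. build_sudo, analyse, permitted and RULES are hypothetical names, the rule set is constructed sample data, and the remote side is assumed to parse the line with a POSIX shell.

```python
import shlex

# Flags and shell as they appear in the log line quoted in the thread.
SUDO_PREFIX = "sudo -S -p 'sudo password:' "
SHELL = "/bin/bash -l -c"

def build_sudo(command, noshell=False):
    """Hypothetical stand-in for the command line sudo() sends; not Fabric's code."""
    if noshell:
        return SUDO_PREFIX + command
    return '%s%s "%s"' % (SUDO_PREFIX, SHELL, command.replace('"', '\\"'))

def analyse(line):
    """Tokenise like the remote login shell and return a pair:
    (command sudo is asked to run, remainder run as the calling user)."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    tokens = list(lexer)
    # The first unquoted shell operator ends the part that belongs to sudo.
    cut = next((i for i, t in enumerate(tokens)
                if t and set(t) <= set("();<>|&")), len(tokens))
    # tokens[0:4] are: sudo, -S, -p, <prompt string>
    return " ".join(tokens[4:cut]), " ".join(tokens[cut + 1:])

def permitted(line, sudoers_commands):
    """Simplified sudoers check (assumption): exact match on the command sudo receives."""
    privileged, _ = analyse(line)
    return privileged in sudoers_commands

# Constructed least-privilege command list for user devel (sample data).
RULES = {"/etc/init.d/nginx reload", "/usr/bin/uptime"}

if __name__ == "__main__":
    for cmd in ("/etc/init.d/nginx reload", "echo poke && whoami"):
        for noshell in (False, True):
            line = build_sudo(cmd, noshell)
            print("noshell=%s" % noshell, analyse(line), permitted(line, RULES))
```

With the shell wrapper, the only rule that would match is one granting /bin/bash itself; with noshell=True the narrow per-command rule matches, but anything after && runs as the unprivileged user.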
