Discussion:
[Fab-user] can't use /bin/bash -l -c or /bin/su -c
julien silverston
2013-08-21 22:34:30 UTC
Hello,

I'm very pleased with Fabric and I use it with a lot of success to manage my
servers.
Even convinced my colleagues to use it.
But actually for security reasons, mostly to avoid shell escape, I can't use
it.

As an example, I do with sudo:

from fabric.api import run, sudo, task

@task
def host_type():
    run('sudo su -c "uname -a"')
    sudo('uptime')


[serverX] Executing task 'host_type'
[serverX] run: sudo su -c "uname -a"
[serverX] Login password for 'me':
[serverX] out: [sudo] password for me:
[serverX] out: Sorry, user me is not allowed to execute '/bin/su -c uname
-a' as root on serverX.
[serverX] out:

Warning: run() received nonzero return code 1 while executing 'sudo su -c
"uname -a"'!

[serverX] sudo: uptime
[serverX] out: sudo password:
[serverX] out: Sorry, user me is not allowed to execute '/bin/bash -l -c
uptime' as root on serverX.
[serverX] out:


Warning: sudo() received nonzero return code 1 while executing 'uptime'!

I know how to setup sudoers, but for company policies I can't change it.

sudoers contains :
!/bin/bash,!/bin/su

I tried to use env.shell = "" , pty=False but with no success.

How can I update Fabric and other frameworks, like cuisine, to continue to
use Fabric despite this rule that I can't change?

I can change all sudo commands for run('sudo xxx') but it will ask for my
password each time and I can't use cuisine anymore.

Thank you,

Julien
Ronan Amicel
2013-08-22 16:11:28 UTC
Hi Julien,

Have you tried using the "shell" argument to disable shell wrapping? e.g.

sudo('uptime', shell=False)

See
http://docs.fabfile.org/en/1.7/api/core/operations.html#fabric.operations.run

Regards,

Ronan Amicel


julien silverston
2013-09-26 16:19:22 UTC
Hello Ronan,

You're right, works fine.

But without bash I'm losing Fabric killer features :

I mean, can't use anymore :

"with cd"
sudo('command xx | command yy')
sudo('echo xxx > /etc/X.conf')
or fabric.contrib like append despite using shell=False

Do you know any workaround ?

Thank you

Julien
Jeff Forcier
2013-09-26 17:51:20 UTC
Hi Julien,

Unfortunately one can't have both a locked-down sudoers configuration
*and* allow bash as a sudo command - doesn't make sense.

If you own the system and can change the sudoers config, then that
tradeoff is up to you. If policy prevents you from doing so, then
you're mostly stuck using "non-shell" commands, as you mentioned.

-Jeff


--
Jeff Forcier
Unix sysadmin; Python/Ruby engineer
http://bitprophet.org
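
An added illustration of the trade-off discussed above (not code from the thread or from Fabric): a pre-flight check that models which sudo() calls a policy denying /bin/bash and /bin/su would accept, and which commands only work when a shell wraps them. The DENIED and PATHS tables and the wrapping model are simplifying assumptions, and backslash escapes are not handled.

```python
import shlex

# Assumption: the two paths negated in the sudoers line quoted in the thread.
DENIED = {"/bin/bash", "/bin/su"}
# Constructed table standing in for PATH lookup on the remote host.
PATHS = {"su": "/bin/su", "uptime": "/usr/bin/uptime", "echo": "/bin/echo"}


def shell_features(command):
    """Return shell metacharacters in command that a shell would act on."""
    found, quote = [], None
    for ch in command:
        if quote == "'":                 # single quotes protect everything
            quote = None if ch == "'" else quote
        elif quote == '"':               # double quotes still expand $ and `
            if ch == '"':
                quote = None
            elif ch in "$`":
                found.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch in "|&;<>$`":
            found.append(ch)
    return found


def sudo_sees(command, shell=True):
    """Simplified model of the argv sudo receives from Fabric 1.x sudo()."""
    if shell:
        # Default wrapping, as shown in the thread's denial message.
        return ["/bin/bash", "-l", "-c", command]
    return shlex.split(command)


def preflight(command, shell=True):
    """Return (allowed, reason) for one sudo() call under the modelled policy."""
    argv = sudo_sees(command, shell)
    binary = PATHS.get(argv[0], argv[0])
    if binary in DENIED:
        return False, "sudoers denies " + binary
    ops = shell_features(command)
    if ops:
        return False, "needs a shell for: " + " ".join(ops)
    return True, "runs as " + binary


if __name__ == "__main__":
    # Commands taken from the thread.
    for cmd in ("uptime", 'su -c "uname -a"', "command xx | command yy",
                "echo xxx > /etc/X.conf"):
        print(cmd, "->", preflight(cmd, shell=False))
```

With shell=False, anything after a pipe or redirect is interpreted by the login shell that sshd starts for the connecting user, so it runs without root privileges; that is why the redirect into /etc cannot work in that mode.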
julien silverston
2013-09-26 19:01:32 UTC
I know Jeff :(

I don't own the system and can't change sudo, even at 50% I use Fabric
extensively.
And I regret to not be able to use it more.
I just ask myself about append
fabric.contrib.files.append(filename, text, use_sudo=False,
partial=False, escape=True, shell=False)

Even using shell=True bash is still required.

Thank you Jeff for Fabric.