Asp Forum - executing sudo from ruby

mrpink

6/13/2007 11:19:00 AM

hi,
I wanna execute in a script of mine commands like: "sudo apt-get clean"
or "sudo nano /etc/X11/xorg.conf". The difference is:

The first command needs to be executed without influence to the main
process of the ruby scipt. It should simply be started as a second
process totally independent from the ruby-script which invokes it.
I think system("sudo apt-get clean") would be the right command.

The second command should be this way that it is the only one after it
has been executed. So the ruby-script should be stopped and therefor in
the same console nano should be opened.
I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.

But my problem is the password of sudo? How can I make my ruby-scipt
give the password to sudo so I don't have to give it in every time?

--
greets

one must still have chaos in oneself to be able to
give birth to a dancing star

10 Answers

Morten

6/13/2007 12:01:00 PM

anansi wrote:
> hi,
> I wanna execute in a script of mine commands like: "sudo apt-get clean"
> or "sudo nano /etc/X11/xorg.conf". The difference is:
>
> The first command needs to be executed without influence to the main
> process of the ruby scipt. It should simply be started as a second
> process totally independent from the ruby-script which invokes it.
> I think system("sudo apt-get clean") would be the right command.
>
> The second command should be this way that it is the only one after it
> has been executed. So the ruby-script should be stopped and therefor in
> the same console nano should be opened.
> I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.
>
> But my problem is the password of sudo? How can I make my ruby-scipt
> give the password to sudo so I don't have to give it in every time?
>
>

Set NOPASSWD in your sudoers file for the given commands, eg.:

sudoeruser ALL=(ALL) NOPASSWD: /usr/bin/nano,/usr/bin/apt-get

Morten

mrpink

6/13/2007 12:05:00 PM

thanks for your answers but that are no options here. I know hardcoded
passes are in generally a bad idea but it's really needed here and safe.
This is just a personal code on an offline pc with a highly encrypted
partitions...

Is there no way to give the pass as argument or pipe it or kind if that?
But as said I need a technique working in both cases mentioned in the
first post.

Morten wrote:
> anansi wrote:
>> hi,
>> I wanna execute in a script of mine commands like: "sudo apt-get
>> clean" or "sudo nano /etc/X11/xorg.conf". The difference is:
>>
>> The first command needs to be executed without influence to the main
>> process of the ruby scipt. It should simply be started as a second
>> process totally independent from the ruby-script which invokes it.
>> I think system("sudo apt-get clean") would be the right command.
>>
>> The second command should be this way that it is the only one after it
>> has been executed. So the ruby-script should be stopped and therefor
>> in the same console nano should be opened.
>> I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.
>>
>> But my problem is the password of sudo? How can I make my ruby-scipt
>> give the password to sudo so I don't have to give it in every time?
>>
>>
>
> Set NOPASSWD in your sudoers file for the given commands, eg.:
>
> sudoeruser ALL=(ALL) NOPASSWD: /usr/bin/nano,/usr/bin/apt-get
>
>
> Morten

--
greets

one must still have chaos in oneself to be able to
give birth to a dancing star

Alex Young

6/13/2007 12:26:00 PM

anansi wrote:
> hi,
> I wanna execute in a script of mine commands like: "sudo apt-get clean"
> or "sudo nano /etc/X11/xorg.conf". The difference is:
>
> The first command needs to be executed without influence to the main
> process of the ruby scipt. It should simply be started as a second
> process totally independent from the ruby-script which invokes it.
> I think system("sudo apt-get clean") would be the right command.
>
> The second command should be this way that it is the only one after it
> has been executed. So the ruby-script should be stopped and therefor in
> the same console nano should be opened.
> I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.
>
> But my problem is the password of sudo? How can I make my ruby-scipt
> give the password to sudo so I don't have to give it in every time?
>
>
Wouldn't a setuid root script that actually calls the executable you're
aiming at do what you need here?

--
Alex

mrpink

6/13/2007 12:37:00 PM

the thing is that everything needs to be done by this script and no
further command. So can an app give it self the root uid at runtime?

Alex Young wrote:
> anansi wrote:
>> hi,
>> I wanna execute in a script of mine commands like: "sudo apt-get
>> clean" or "sudo nano /etc/X11/xorg.conf". The difference is:
>>
>> The first command needs to be executed without influence to the main
>> process of the ruby scipt. It should simply be started as a second
>> process totally independent from the ruby-script which invokes it.
>> I think system("sudo apt-get clean") would be the right command.
>>
>> The second command should be this way that it is the only one after it
>> has been executed. So the ruby-script should be stopped and therefor
>> in the same console nano should be opened.
>> I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.
>>
>> But my problem is the password of sudo? How can I make my ruby-scipt
>> give the password to sudo so I don't have to give it in every time?
>>
>>
> Wouldn't a setuid root script that actually calls the executable you're
> aiming at do what you need here?
>

--
greets

one must still have chaos in oneself to be able to
give birth to a dancing star

Alex Young

6/13/2007 1:19:00 PM

anansi wrote:
> the thing is that everything needs to be done by this script and no
> further command. So can an app give it self the root uid at runtime?
After a little experimentation (on Ubuntu), it would seem that the only
way to get my suggestion to work is by creating a setuid link to the
ruby binary, and using that to run the script. That's just as insecure
as keeping a password in a file, so I take back my suggestion entirely.

A slightly less unsafe method (but still rather iffy) would be to create
a public key for the root account, and do everything over SSH. That way
you can arrange to only need to authenticate once per session (or, if
you really want to play fast and loose, leave the private key with an
empty passphrase). I don't know if that helps at all...

--
Alex

>
> Alex Young wrote:
>> anansi wrote:
>>> hi,
>>> I wanna execute in a script of mine commands like: "sudo apt-get
>>> clean" or "sudo nano /etc/X11/xorg.conf". The difference is:
>>>
>>> The first command needs to be executed without influence to the main
>>> process of the ruby scipt. It should simply be started as a second
>>> process totally independent from the ruby-script which invokes it.
>>> I think system("sudo apt-get clean") would be the right command.
>>>
>>> The second command should be this way that it is the only one after
>>> it has been executed. So the ruby-script should be stopped and
>>> therefor in the same console nano should be opened.
>>> I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.
>>>
>>> But my problem is the password of sudo? How can I make my ruby-scipt
>>> give the password to sudo so I don't have to give it in every time?
>>>
>>>
>> Wouldn't a setuid root script that actually calls the executable
>> you're aiming at do what you need here?
>>
>
>

Bob Hutchison

6/13/2007 2:13:00 PM

On 13-Jun-07, at 8:40 AM, anansi wrote:

> the thing is that everything needs to be done by this script and no
> further command. So can an app give it self the root uid at runtime?

If you aren't worried about security, you might try expect. Using
expect you can define responses to prompts, e.g. responding with the
password.

----
Bob Hutchison -- tumblelog at <http://
www.recursive.ca/so/>
Recursive Design Inc. -- weblog at <http://www.rec...
hutch>
-- works at <http://www.rec...>

Ken Bloom

6/13/2007 2:38:00 PM

On Wed, 13 Jun 2007 22:19:16 +0900, Alex Young wrote:

> anansi wrote:
>> the thing is that everything needs to be done by this script and no
>> further command. So can an app give it self the root uid at runtime?
> After a little experimentation (on Ubuntu), it would seem that the only
> way to get my suggestion to work is by creating a setuid link to the
> ruby binary, and using that to run the script. That's just as insecure
> as keeping a password in a file, so I take back my suggestion entirely.
>
> A slightly less unsafe method (but still rather iffy) would be to create
> a public key for the root account, and do everything over SSH. That way
> you can arrange to only need to authenticate once per session (or, if
> you really want to play fast and loose, leave the private key with an
> empty passphrase). I don't know if that helps at all...

To run your editor, you'd probably need to use the -t option of ssh to
alloate a pseudo-tty.

You can configure the SSH keypair so that it's only authorized to run a
couple of specific commands, which should help with security. Also, be
sure to use "nano -R" so that the user can't edit other files.

The exec() call is wrong, because that replaces the running ruby script
with a different process, and the ruby script can't terminate. system()
is correct for the second case too.

--
Ken Bloom. PhD candidate. Linguistic Cognition Laboratory.
Department of Computer Science. Illinois Institute of Technology.
http://www.iit.edu...

mrpink

6/13/2007 4:34:00 PM

thanks for the hint but I only found this about
expect:http://www.ruby-doc.org/stdlib/libdoc/pty/rdoc/classes/IO.ht...

.. Is there any better doc or examples for this ?

--
greets

one must still have chaos in oneself to be able to
give birth to a dancing star

Bob Hutchison

6/13/2007 6:25:00 PM

On 13-Jun-07, at 12:35 PM, anansi wrote:

> thanks for the hint but I only found this about expect:http://
> www.ruby-doc.org/stdlib/libdoc/pty/rdoc/classes/IO.html#M001710
> . Is there any better doc or examples for this ?

I used the unix version of the command directly. The man page is
useful I thought. I've never used the ruby expect classes but imagine
that they would be doing something similar.

Cheers,
Bob

>
>
> --
> greets
>
> one must still have chaos in oneself to be able
> to give birth to a dancing star
>

----
Bob Hutchison -- tumblelog at <http://
www.recursive.ca/so/>
Recursive Design Inc. -- weblog at <http://www.rec...
hutch>
-- works at <http://www.rec...>

Damjan Rems

6/13/2007 7:45:00 PM

Alex Young wrote:
> anansi wrote:
>> the thing is that everything needs to be done by this script and no
>> further command. So can an app give it self the root uid at runtime?
> After a little experimentation (on Ubuntu), it would seem that the only
> way to get my suggestion to work is by creating a setuid link to the
> ruby binary, and using that to run the script. That's just as insecure
> as keeping a password in a file, so I take back my suggestion entirely.
>
> A slightly less unsafe method (but still rather iffy) would be to create
> a public key for the root account, and do everything over SSH. That way
> you can arrange to only need to authenticate once per session (or, if
> you really want to play fast and loose, leave the private key with an
> empty passphrase). I don't know if that helps at all...
>
> --
> Alex

How about running job in a cron under root user.

sudo kcron (in kde) will start kcron in mode where you can schedule a
job to run as any user.

by

TheR

--
Posted via http://www.ruby-....

comp.lang.ruby

executing sudo from ruby

mrpink

Morten

mrpink

Alex Young

mrpink

Alex Young

Bob Hutchison

Ken Bloom

mrpink

Bob Hutchison

Damjan Rems

x Login to ForumsZone