Can I prevent Fabric from asking for my sudo password?

I use Fabric to run commands on a remote server. The user I'm connecting as on this server has some sudo privileges and does not require a password to use these privileges. When SSH'ing into the server, I can run sudo blah, and the command runs without asking for a password. When I try to run the same command using the Fabric sudo function, I am prompted for a password. This is because, when using sudo, Fabric creates the command as follows:
 sudo -S -p <sudo_prompt> /bin/bash -l -c "<command>" 

Obviously, my user does not have permission to execute /bin/bash without a password.

I worked around the problem using run("sudo blah") instead of sudo("blah"), but I wondered if there was a better solution. Is there any workaround?

+47
python fabric sudo
Sep 17 2018-10-17T00:
8 answers

Try passing shell=False to sudo. That way /bin/bash will not be added to the sudo command:

 sudo('some_command', shell=False)

From line 503 of fabric/operations.py:

 if (not env.use_shell) or (not shell):
     real_command = "%s %s" % (sudo_prefix, _shell_escape(command))

The else block looks like this:

 # V-- here is where /bin/bash is added
 real_command = '%s %s "%s"' % (sudo_prefix, env.shell, _shell_escape(cwd + command))
+32
Sep 17 '10 at 17:07

You can use:

 from fabric.api import env
 # [...]
 # Password Fabric supplies when a login or sudo prompt appears
 env.password = 'yourpassword'
+12
May 13 '13 at 15:06

This is the most direct answer to your question: you really have no problem; you misunderstand how the Fabric run() and sudo() functions work.

Your workaround is NOT a workaround, it is a 100% valid answer to the problem.

Here is a simple set of rules:

1) Use "run()" when you are not expecting a prompt.
2) Use "sudo()" when you are expecting a prompt. (This should be true for all or most commands that require help, even if the executable is not Bash or Sudo.)

The same answer applies to people who try to run commands under "sudo". Even if sudoers has a passwordless configuration for the current user on any system, if you use sudo() instead of run(), then a prompt will be forced (if the Fabric code already contains a password or ENV key).

By the way, the author of Fabric answered my question - very similar to your question - in #IRC. A good guy, one of the unsung heroes of open source for persevering in his work on Fabric and Paramiko.

... In my test environment, there is always one username that has full access without a password to sudo. Typing sudo echo hello will not prompt. In addition, this sudo user is set to "!requiretty", so all commands can work through SSH (for example, switching SSH between hosts). This means that I can simply use "run()" to execute "sudo something", but this is just another command that runs without a prompt. As far as security is concerned, it is some task to block a production node, but not a test node. (If you are forced to check things and cannot automate, this is a huge problem.)

+12
Nov 19 '13 at 19:39

In the file /etc/sudoers add

 user ALL=NOPASSWD: some_command 

where user is your sudo user, and some_command is the command you want to run using Fabric, and then in the Fabric script, run sudo with shell=False:

 sudo('some_command', shell=False) 

It works for me.

+6
04 Oct '11 at 18:20

In your /etc/sudoers file you can add

 user ALL=NOPASSWD: /bin/bash 

... where user is your Fabric username.

Obviously, you can only do this if you have root access, since /etc/sudoers is only writable by root.

In addition, it is obvious that this is not very safe, since the ability to run /bin/bash leaves you basically essentially, so if you do not have root access and you need to ask sysadmin to do this for you, they probably will not.

+2
Sep 17 '10 at 17:05
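The answers above turn on which program sudo is actually asked to run. As an added example (not Fabric's code and not taken from any answer here), this simplified model builds both command shapes quoted on the page and checks them against constructed sudoers lines; the user deploy, the service command, the prompt text and the matching rules (no aliases, wildcards or Defaults) are assumptions.

```python
import shlex

SUDO_PREFIX = 'sudo -S -p "sudo password:"'  # constructed stand-in for <sudo_prompt>

def build_sudo_command(command, shell=True):
    """Model the two command shapes quoted on this page (not Fabric's own code)."""
    if not shell:
        return "%s %s" % (SUDO_PREFIX, command)
    escaped = command.replace('"', '\\"')
    return '%s /bin/bash -l -c "%s"' % (SUDO_PREFIX, escaped)

def argv_seen_by_sudo(sudo_command):
    """Return the argv sudo is asked to run, with sudo's own options removed."""
    argv = shlex.split(sudo_command)[1:]
    while argv and argv[0].startswith("-"):
        argv = argv[2:] if argv[0] == "-p" else argv[1:]  # -p takes an argument
    return argv

def nopasswd_specs(sudoers_text, user):
    """Collect NOPASSWD command specs for user (simplified sudoers parsing)."""
    specs = []
    for line in sudoers_text.splitlines():
        who, _, rest = line.strip().partition(" ")
        if who == user and "NOPASSWD:" in rest:
            for spec in rest.split("NOPASSWD:", 1)[1].split(","):
                specs.append(shlex.split(spec))
    return specs

def prompts_for_password(sudo_command, sudoers_text, user):
    """True when no NOPASSWD spec covers the program sudo is asked to run."""
    argv = argv_seen_by_sudo(sudo_command)
    for spec in nopasswd_specs(sudoers_text, user):
        # A bare path allows any arguments; a spec with arguments must match exactly.
        if spec == ["ALL"] or (len(spec) == 1 and spec[0] == argv[0]) or spec == argv:
            return False
    return True

# Constructed sudoers lines for a hypothetical user "deploy".
NARROW = "deploy ALL=NOPASSWD: /usr/sbin/service nginx restart"
BROAD = "deploy ALL=NOPASSWD: /bin/bash"

if __name__ == "__main__":
    cmd = "/usr/sbin/service nginx restart"
    for label, rule in (("narrow", NARROW), ("broad", BROAD)):
        for shell in (True, False):
            wrapped = build_sudo_command(cmd, shell=shell)
            print(label, "shell=%s" % shell, "prompts:",
                  prompts_for_password(wrapped, rule, "deploy"))
    # The /bin/bash rule also covers a command the narrow rule never listed.
    print(prompts_for_password(build_sudo_command("/usr/bin/id"), BROAD, "deploy"))
```

With the narrow rule only the shell=False form runs without a prompt, while the /bin/bash rule silences the prompt for every wrapped command, which is why that rule is the broader grant.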

Linux noob here, but I found this question while trying to install graphite fabric on ECI AMI. Fabric continues to request the root password.

The supposed trick was to pass the SSH private key file to fab.

 fab -i key.pem graphite_install -H root@servername 
+1
Aug 27 '12 at 4:24

You can also use passwords for several machines:

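 from fabric.api import env
 # Host strings have the form user@host:port
 env.hosts = ['user1@host1:port1', 'user2@host2:port2']
 # Keys must match the host strings in env.hosts exactly
 env.passwords = {'user1@host1:port1': 'password1', 'user2@host2:port2': 'password2'}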

See this answer: stack overflow

+1
Sep 28 '13 at 12:40

I recently ran into the same problem and found Crossfit_and_Beer's answer confusing.

A supported way to achieve this is to use env.sudo_prefix, as described by this GitHub commit (from this PR).

My usage example:

 env.sudo_prefix = 'sudo ' 
0
Oct 29 '16 at 6:52


