executing sudo from ruby

Discussion in 'Ruby' started by anansi, Jun 13, 2007.

  1. anansi

    anansi Guest

    hi,
    I wanna execute in a script of mine commands like: "sudo apt-get clean"
    or "sudo nano /etc/X11/xorg.conf". The difference is:

    The first command needs to be executed without influence to the main
    process of the ruby scipt. It should simply be started as a second
    process totally independent from the ruby-script which invokes it.
    I think system("sudo apt-get clean") would be the right command.

    The second command should be this way that it is the only one after it
    has been executed. So the ruby-script should be stopped and therefor in
    the same console nano should be opened.
    I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.

    But my problem is the password of sudo? How can I make my ruby-scipt
    give the password to sudo so I don't have to give it in every time?


    --
    greets

    one must still have chaos in oneself to be able to
    give birth to a dancing star
     
    anansi, Jun 13, 2007
    #1
    1. Advertising

  2. anansi

    Morten Guest

    anansi wrote:
    > hi,
    > I wanna execute in a script of mine commands like: "sudo apt-get clean"
    > or "sudo nano /etc/X11/xorg.conf". The difference is:
    >
    > The first command needs to be executed without influence to the main
    > process of the ruby scipt. It should simply be started as a second
    > process totally independent from the ruby-script which invokes it.
    > I think system("sudo apt-get clean") would be the right command.
    >
    > The second command should be this way that it is the only one after it
    > has been executed. So the ruby-script should be stopped and therefor in
    > the same console nano should be opened.
    > I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.
    >
    > But my problem is the password of sudo? How can I make my ruby-scipt
    > give the password to sudo so I don't have to give it in every time?
    >
    >


    Set NOPASSWD in your sudoers file for the given commands, eg.:

    sudoeruser ALL=(ALL) NOPASSWD: /usr/bin/nano,/usr/bin/apt-get


    Morten
     
    Morten, Jun 13, 2007
    #2
    1. Advertising

  3. anansi

    anansi Guest

    thanks for your answers but that are no options here. I know hardcoded
    passes are in generally a bad idea but it's really needed here and safe.
    This is just a personal code on an offline pc with a highly encrypted
    partitions...

    Is there no way to give the pass as argument or pipe it or kind if that?
    But as said I need a technique working in both cases mentioned in the
    first post.

    Morten wrote:
    > anansi wrote:
    >> hi,
    >> I wanna execute in a script of mine commands like: "sudo apt-get
    >> clean" or "sudo nano /etc/X11/xorg.conf". The difference is:
    >>
    >> The first command needs to be executed without influence to the main
    >> process of the ruby scipt. It should simply be started as a second
    >> process totally independent from the ruby-script which invokes it.
    >> I think system("sudo apt-get clean") would be the right command.
    >>
    >> The second command should be this way that it is the only one after it
    >> has been executed. So the ruby-script should be stopped and therefor
    >> in the same console nano should be opened.
    >> I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.
    >>
    >> But my problem is the password of sudo? How can I make my ruby-scipt
    >> give the password to sudo so I don't have to give it in every time?
    >>
    >>

    >
    > Set NOPASSWD in your sudoers file for the given commands, eg.:
    >
    > sudoeruser ALL=(ALL) NOPASSWD: /usr/bin/nano,/usr/bin/apt-get
    >
    >
    > Morten



    --
    greets

    one must still have chaos in oneself to be able to
    give birth to a dancing star
     
    anansi, Jun 13, 2007
    #3
  4. anansi

    Alex Young Guest

    anansi wrote:
    > hi,
    > I wanna execute in a script of mine commands like: "sudo apt-get clean"
    > or "sudo nano /etc/X11/xorg.conf". The difference is:
    >
    > The first command needs to be executed without influence to the main
    > process of the ruby scipt. It should simply be started as a second
    > process totally independent from the ruby-script which invokes it.
    > I think system("sudo apt-get clean") would be the right command.
    >
    > The second command should be this way that it is the only one after it
    > has been executed. So the ruby-script should be stopped and therefor in
    > the same console nano should be opened.
    > I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.
    >
    > But my problem is the password of sudo? How can I make my ruby-scipt
    > give the password to sudo so I don't have to give it in every time?
    >
    >

    Wouldn't a setuid root script that actually calls the executable you're
    aiming at do what you need here?

    --
    Alex
     
    Alex Young, Jun 13, 2007
    #4
  5. anansi

    anansi Guest

    the thing is that everything needs to be done by this script and no
    further command. So can an app give it self the root uid at runtime?

    Alex Young wrote:
    > anansi wrote:
    >> hi,
    >> I wanna execute in a script of mine commands like: "sudo apt-get
    >> clean" or "sudo nano /etc/X11/xorg.conf". The difference is:
    >>
    >> The first command needs to be executed without influence to the main
    >> process of the ruby scipt. It should simply be started as a second
    >> process totally independent from the ruby-script which invokes it.
    >> I think system("sudo apt-get clean") would be the right command.
    >>
    >> The second command should be this way that it is the only one after it
    >> has been executed. So the ruby-script should be stopped and therefor
    >> in the same console nano should be opened.
    >> I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.
    >>
    >> But my problem is the password of sudo? How can I make my ruby-scipt
    >> give the password to sudo so I don't have to give it in every time?
    >>
    >>

    > Wouldn't a setuid root script that actually calls the executable you're
    > aiming at do what you need here?
    >



    --
    greets

    one must still have chaos in oneself to be able to
    give birth to a dancing star
     
    anansi, Jun 13, 2007
    #5
  6. anansi

    Alex Young Guest

    anansi wrote:
    > the thing is that everything needs to be done by this script and no
    > further command. So can an app give it self the root uid at runtime?

    After a little experimentation (on Ubuntu), it would seem that the only
    way to get my suggestion to work is by creating a setuid link to the
    ruby binary, and using that to run the script. That's just as insecure
    as keeping a password in a file, so I take back my suggestion entirely.

    A slightly less unsafe method (but still rather iffy) would be to create
    a public key for the root account, and do everything over SSH. That way
    you can arrange to only need to authenticate once per session (or, if
    you really want to play fast and loose, leave the private key with an
    empty passphrase). I don't know if that helps at all...

    --
    Alex

    >
    > Alex Young wrote:
    >> anansi wrote:
    >>> hi,
    >>> I wanna execute in a script of mine commands like: "sudo apt-get
    >>> clean" or "sudo nano /etc/X11/xorg.conf". The difference is:
    >>>
    >>> The first command needs to be executed without influence to the main
    >>> process of the ruby scipt. It should simply be started as a second
    >>> process totally independent from the ruby-script which invokes it.
    >>> I think system("sudo apt-get clean") would be the right command.
    >>>
    >>> The second command should be this way that it is the only one after
    >>> it has been executed. So the ruby-script should be stopped and
    >>> therefor in the same console nano should be opened.
    >>> I think exec("sudo nano /etc/X11/xorg.conf") would be the right command.
    >>>
    >>> But my problem is the password of sudo? How can I make my ruby-scipt
    >>> give the password to sudo so I don't have to give it in every time?
    >>>
    >>>

    >> Wouldn't a setuid root script that actually calls the executable
    >> you're aiming at do what you need here?
    >>

    >
    >
     
    Alex Young, Jun 13, 2007
    #6
  7. On 13-Jun-07, at 8:40 AM, anansi wrote:

    > the thing is that everything needs to be done by this script and no
    > further command. So can an app give it self the root uid at runtime?


    If you aren't worried about security, you might try expect. Using
    expect you can define responses to prompts, e.g. responding with the
    password.

    ----
    Bob Hutchison -- tumblelog at <http://
    www.recursive.ca/so/>
    Recursive Design Inc. -- weblog at <http://www.recursive.ca/
    hutch>
    -- works at <http://www.recursive.ca/>
     
    Bob Hutchison, Jun 13, 2007
    #7
  8. anansi

    Ken Bloom Guest

    On Wed, 13 Jun 2007 22:19:16 +0900, Alex Young wrote:

    > anansi wrote:
    >> the thing is that everything needs to be done by this script and no
    >> further command. So can an app give it self the root uid at runtime?

    > After a little experimentation (on Ubuntu), it would seem that the only
    > way to get my suggestion to work is by creating a setuid link to the
    > ruby binary, and using that to run the script. That's just as insecure
    > as keeping a password in a file, so I take back my suggestion entirely.
    >
    > A slightly less unsafe method (but still rather iffy) would be to create
    > a public key for the root account, and do everything over SSH. That way
    > you can arrange to only need to authenticate once per session (or, if
    > you really want to play fast and loose, leave the private key with an
    > empty passphrase). I don't know if that helps at all...


    To run your editor, you'd probably need to use the -t option of ssh to
    alloate a pseudo-tty.

    You can configure the SSH keypair so that it's only authorized to run a
    couple of specific commands, which should help with security. Also, be
    sure to use "nano -R" so that the user can't edit other files.

    The exec() call is wrong, because that replaces the running ruby script
    with a different process, and the ruby script can't terminate. system()
    is correct for the second case too.

    --
    Ken Bloom. PhD candidate. Linguistic Cognition Laboratory.
    Department of Computer Science. Illinois Institute of Technology.
    http://www.iit.edu/~kbloom1/
     
    Ken Bloom, Jun 13, 2007
    #8
  9. anansi

    anansi Guest

    anansi, Jun 13, 2007
    #9
  10. On 13-Jun-07, at 12:35 PM, anansi wrote:

    > thanks for the hint but I only found this about expect:http://
    > www.ruby-doc.org/stdlib/libdoc/pty/rdoc/classes/IO.html#M001710
    > . Is there any better doc or examples for this ?


    I used the unix version of the command directly. The man page is
    useful I thought. I've never used the ruby expect classes but imagine
    that they would be doing something similar.

    Cheers,
    Bob

    >
    >
    > --
    > greets
    >
    > one must still have chaos in oneself to be able
    > to give birth to a dancing star
    >


    ----
    Bob Hutchison -- tumblelog at <http://
    www.recursive.ca/so/>
    Recursive Design Inc. -- weblog at <http://www.recursive.ca/
    hutch>
    -- works at <http://www.recursive.ca/>
     
    Bob Hutchison, Jun 13, 2007
    #10
  11. anansi

    Damjan Rems Guest

    Alex Young wrote:
    > anansi wrote:
    >> the thing is that everything needs to be done by this script and no
    >> further command. So can an app give it self the root uid at runtime?

    > After a little experimentation (on Ubuntu), it would seem that the only
    > way to get my suggestion to work is by creating a setuid link to the
    > ruby binary, and using that to run the script. That's just as insecure
    > as keeping a password in a file, so I take back my suggestion entirely.
    >
    > A slightly less unsafe method (but still rather iffy) would be to create
    > a public key for the root account, and do everything over SSH. That way
    > you can arrange to only need to authenticate once per session (or, if
    > you really want to play fast and loose, leave the private key with an
    > empty passphrase). I don't know if that helps at all...
    >
    > --
    > Alex


    How about running job in a cron under root user.

    sudo kcron (in kde) will start kcron in mode where you can schedule a
    job to run as any user.

    by

    TheR

    --
    Posted via http://www.ruby-forum.com/.
     
    Damjan Rems, Jun 13, 2007
    #11
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Tim Daneliuk

    Running Python Scripts With 'sudo'

    Tim Daneliuk, Mar 2, 2005, in forum: Python
    Replies:
    2
    Views:
    451
    Jeff Epler
    Mar 2, 2005
  2. Replies:
    5
    Views:
    6,198
    Dennis Lee Bieber
    Jun 14, 2005
  3. Damien Damien

    Ruby + SSH + Sudo

    Damien Damien, Aug 28, 2006, in forum: Ruby
    Replies:
    10
    Views:
    524
    Rick DeNatale
    Sep 15, 2006
  4. Trans
    Replies:
    2
    Views:
    110
    Trans
    May 20, 2008
  5. mosar
    Replies:
    2
    Views:
    169
    F. Senault
    Mar 16, 2009
Loading...

Share This Page