Using pexpect with 'sudo'



I'm having a problem using pexpect with 'sudo' on Ubuntu 6.06 (Dapper).
Here's the program:

#!/usr/bin/env python
import pexpect
import sys

child = pexpect.spawn("sudo apt-get update")
child.logfile = sys.stdout  # echo everything the child prints

try:
    # Wait for the sudo prompt, the end of output, or a timeout
    i = child.expect(["Password:", pexpect.EOF, pexpect.TIMEOUT])

    if i == 0:
        print "****************************** sending password"
        child.sendline("XXX") # Not my real sudo password
    elif i == 1:
        print "EOF"
    elif i == 2:
        print "TIMEOUT"
except Exception:
    print "Exception"

The strange thing is that this script runs with no problems (downloads
the repository updates), even though it should fail. It never prints
the "****************************** sending password" line, and even if
it did write the password to the process, it isn't the correct
password. I've done this after a 'sudo -k' to clear the sudo password,
and if I run 'sudo apt-get update' from the command line manually, it
asks for the password every time.

If I change the spawn to:

child = pexpect.spawn("sudo -u <my user name here> apt-get update")

it fails with:

E: Could not open lock file /var/lib/apt/lists/lock - open (13 Permission denied)
E: Unable to lock the list directory

which is expected.

If I'm not going crazy, this seems like a security hole that allows a
user to run any system command without a superuser password.

Any ideas?
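
One way to check whether sudo really asks for a password when it is started on a fresh pseudo-terminal, as an added example that is not part of the original post. It is Python 3 and uses the standard-library pty module in place of pexpect; the MARKER prompt text, the function names and the outcome labels are assumptions of this example.

```python
import os
import pty
import select
import signal
import time

MARKER = "PROBE-PASSWORD:"  # constructed prompt text, handed to sudo -p


def sudo_argv(command):
    """argv that ignores cached credentials (-k) and prompts with MARKER."""
    return ["sudo", "-k", "-p", MARKER, "--"] + list(command)


def probe(argv, marker=MARKER, timeout=10.0):
    """Run argv on a new pty; return ("prompted"|"exited"|"timeout", code)."""
    pid, fd = pty.fork()
    if pid == 0:  # child: replace ourselves with the command
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # only reached when exec failed
    seen, outcome = b"", ("timeout", None)
    deadline = time.monotonic() + timeout
    try:
        while outcome[0] == "timeout" and time.monotonic() < deadline:
            if not select.select([fd], [], [], 0.2)[0]:
                continue
            try:
                chunk = os.read(fd, 1024)
            except OSError:  # Linux raises EIO once the child side is closed
                chunk = b""
            seen += chunk
            if marker.encode() in seen:
                outcome = ("prompted", None)
            elif not chunk:
                status = os.waitpid(pid, 0)[1]
                pid = 0
                outcome = ("exited", os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1)
    finally:
        os.close(fd)  # hangs up the pty, so a process waiting on it stops
        if pid:
            try:
                os.kill(pid, signal.SIGKILL)
            except OSError:
                pass  # may be refused for a setuid program; the hangup still applies
            os.waitpid(pid, 0)
    return outcome
```

`probe(sudo_argv(["apt-get", "update"]))` returning `("prompted", None)` means sudo asked for a password on the new pty, while `("exited", 0)` means the command ran without one. sudoers rules can differ per command, so probe the same command the script runs.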