"Git user is able to sudo to Redmine user?" fails with non-login shell #377

Closed
nicesw123 opened this Issue Mar 10, 2015 · 11 comments


nicesw123 commented Mar 10, 2015

Hi there,

I've just installed release 1.0.1 under Apache (under Debian jessie [stable soon!]), so my Redmine user is www-data.

Everything is working correctly.

But - as far as I can tell - the Config Test regarding "Git user is able to sudo to Redmine user?" is displayed incorrectly ...
config_test

  • /etc/sudoers.d/redmine_git_hosting
    is correct

    www-data     ALL=(git)       NOPASSWD:ALL
    git     ALL=(www-data)       NOPASSWD:ALL
    

    as it should be.

  • Testing sudo manually is also perfect, if care is taken...:

    ### Test git -> sudo to -> www-data
    ###################################
    USR@redminedebian:~$ sudo su - git
    
    git@redminedebian:~$ sudo -u www-data -i whoami
              This account is currently not available.                ### OOPS!!!!
         ### This is because 
         ### login-shell of www-data is now (new!): /usr/sbin/nologin
         ### So instead do this:
    
    git@redminedebian:~$ sudo -u www-data whoami                      ### works perfectly
              www-data
    git@redminedebian:~$ exit
    
    
    ### Test www-data -> sudo to -> git
    ###################################
    USR@redminedebian:~$ sudo su - www-data
             This account is currently not available.                 ### OOPS!!!!
         ### This is because 
         ### login-shell of www-data is now (new!): /usr/sbin/nologin
         ### So instead do this:
    
    USR@redminedebian:~$ sudo -u www-data      sudo -u git whoami     ### works perfectly
              git
    
    
    ### Test both directions, in one step! ;)
    ###################################
    USR@redminedebian:~$ sudo su - git
    git@redminedebian:~$ sudo -u www-data     sudo -u git   sudo -u www-data  whoami  ### works perfectly
              www-data
    

    So note this difference regarding login-shell of www-data, between Debian Wheezy and Debian Jessie

    ### Debian Wheezy (using Apache 2.2) ############
    USR@my_wheezy:~$ cat /etc/passwd | grep www-data
           www-data:x:33:33:www-data:/var/www:/bin/sh
    
    ### Debian Jessie (using Apache 2.4) NEW!! ############
    USR@my_jessie:~$ cat /etc/passwd | grep www-data
           www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    


I suspect (??) the Config Test may try to sudo from git to a shell-of-www-data. This will not work.
Oh hey, I've found the spot in the code:

redmine_git_hosting/lib/redmine_git_hosting/config/gitolite_config_tests.rb#L81

I would probably change it to:

 RedmineGitHosting::Commands.sudo_capture('sudo', '-n', '-u', redmine_user, 'whoami')

The -i flag opens a login-shell, but for new Apache on Debian (jessie and newer) ... the login-shell is disabled (so leave out the -i flag).

(Hmmm... Are there any other related code-spots that need to be fixed because of this? hmmm)
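The rule this thread arrives at, as an added example that is not code from the plugin or from the issue: `sudo -i` starts the target account's login shell, so it must be dropped when that shell is /usr/sbin/nologin (www-data on Jessie), while `-n` keeps the check from ever blocking on a password prompt. The passwd entries are constructed and read from a temporary file standing in for /etc/passwd; `getent passwd` would be used on a real host.

```shell
#!/bin/sh
# Added example; not code from the plugin or from the issue. It models the
# config test's decision: `sudo -i` starts the TARGET user's login shell, so
# it fails ("This account is currently not available.") when that shell is
# /usr/sbin/nologin, as for www-data on Debian Jessie. Plain `sudo -u USER CMD`
# needs no shell and works in both cases.

# Constructed passwd database (not a real host's file). On a real host set
# PASSWD_FILE=/etc/passwd, or replace the awk below with `getent passwd "$1"`.
DEMO_PASSWD=$(mktemp)
trap 'rm -f "$DEMO_PASSWD"' EXIT
cat >"$DEMO_PASSWD" <<'EOF'
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
git:x:1001:1001:git:/home/git:/bin/bash
EOF
PASSWD_FILE=$DEMO_PASSWD

# login_shell USER -> prints the 7th passwd field of USER (empty if unknown)
login_shell() {
  awk -F: -v u="$1" '$1 == u { print $7 }' "$PASSWD_FILE"
}

# shell_is_usable SHELL -> 0 when a login shell could start, 1 for nologin/false/none
shell_is_usable() {
  case "$1" in
    ''|*/nologin|*/false) return 1 ;;
    *) return 0 ;;
  esac
}

# sudo_cmd USER CMD... -> prints the non-interactive sudo command line to run
# CMD as USER; -n makes sudo fail instead of prompting (a config test must never
# block on a password), and -i is added only when USER's login shell can start.
sudo_cmd() {
  user=$1; shift
  if shell_is_usable "$(login_shell "$user")"; then
    printf 'sudo -n -u %s -i %s\n' "$user" "$*"
  else
    printf 'sudo -n -u %s %s\n' "$user" "$*"
  fi
}

# Demo: the git -> www-data direction from the issue must not use -i,
# while the www-data -> git direction may keep it.
sudo_cmd www-data whoami   # sudo -n -u www-data whoami
sudo_cmd git whoami        # sudo -n -u git -i whoami
```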


nicesw123 commented Mar 10, 2015

Oh... in the same way, I would also update

https://jbox-web.github.io/redmine_git_hosting/howtos/install/#step-2-create-ssh-keys-for-user-running-redmine

to the following:

root$ sudo -u redmine ssh-keygen -N '' -f REDMINE_ROOT/plugins/redmine_git_hosting/ssh_keys/redmine_gitolite_admin_id_rsa

(Good for those users like me who have www-data as redmine user)


Member

n-rodriguez commented Mar 12, 2015

(Hmmm... Are there any other related code-spots that need to be fixed because of this? hmmm)

https://github.com/jbox-web/redmine_git_hosting/blob/devel/lib/redmine_git_hosting/commands.rb#L136


nicesw123 commented Mar 12, 2015

Hi Nicolas,

(Hmmm... Are there any other related code-spots that need to be fixed because of this? hmmm)

https://github.com/jbox-web/redmine_git_hosting/blob/devel/lib/redmine_git_hosting/commands.rb#L136

When sudoing from redmine (www-data) into the git user, -i is ok:

### Test www-data -> sudo to -> git
###################################
root@redminedebian:~$ sudo -n -u www-data      sudo -n -u git -i whoami     ### perfect
          git                                                #^^

(Therefore the code you mention commands.rb#L136 is ok!)

But when sudoing from git into redmine (www-data), then -i should not be used (->because in Debian Jessie... www-data has /usr/sbin/nologin):

### Test git -> sudo to -> www-data
###################################
root@redminedebian:~$ sudo -n -u git -i      sudo -n -u www-data    whoami     ### perfect
          www-data                                              #^^

Therefore the following should be changed:
gitolite_config_tests.rb#L81
create-ssh-keys-for-user-running-redmine

Thanks for this plugin! ;)


Member

n-rodriguez commented Mar 12, 2015

Therefore the code you mention commands.rb#L136 is ok!. But when sudoing from git into redmine (www-data), then -i should not be used (->because in Debian Jessie... www-data has /usr/sbin/nologin):

Thanks for these precisions. But this makes me realize that the sudo test git -> redmine is quite useless as we never execute shell commands in this 'direction'.


Member

n-rodriguez commented Mar 12, 2015

This test is here for historical reasons, but I think it should even work without having the sudo config for the git user.


nicesw123 commented Mar 12, 2015

Ah ok, right! ;) Hehe
The "source" is redmine (via webbrowser) and this triggers to git when needed, not the other way...


Member

n-rodriguez commented Mar 12, 2015

The "source" is redmine (via webbrowser) and this triggers to git when needed.

Yes


nicesw123 commented Mar 12, 2015

If this is so, then
https://jbox-web.github.io/redmine_git_hosting/howtos/install/#step-5-configure-sudo
can probably also become one line shorter:

root$ visudo
# Add these lines
redmine        ALL=(git)      NOPASSWD:ALL

Member

n-rodriguez commented Mar 12, 2015

Exactly. I'm testing it right now.


nicesw123 commented Mar 12, 2015

Cool, thanks a lot!

@n-rodriguez n-rodriguez changed the title from Config Test ("Git user is able to sudo to Redmine user?") not correcly displayed to "Git user is able to sudo to Redmine user?" fails with non-login shell Mar 12, 2015

@n-rodriguez n-rodriguez self-assigned this Mar 12, 2015

@n-rodriguez n-rodriguez added this to the v1.0.2 milestone Mar 12, 2015

@n-rodriguez n-rodriguez added the bug label Mar 12, 2015


nicesw123 commented Mar 13, 2015

Ok great, thanks.

Just note: the following could also be updated:
http://redmine-git-hosting.io/get_started/#step-3-create-ssh-keys-for-user-running-redmine
to the following:

root# sudo -u redmine ssh-keygen -N '' -f REDMINE_ROOT/plugins/redmine_git_hosting/ssh_keys/redmine_gitolite_admin_id_rsa