Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot run setuid commands like sudo with spawn #104

Closed
cchiu1 opened this issue Aug 13, 2014 · 6 comments
Closed

Cannot run setuid commands like sudo with spawn #104

cchiu1 opened this issue Aug 13, 2014 · 6 comments
Assignees
@jquast
Labels
bug

Comments

@cchiu1
Copy link

cchiu1 commented Aug 13, 2014

I installed the pexpect on Python 2.7.7 and CentOS 6.5.
On a terminal, I can run "sudo ls".
However, if I put "pexpect.spawn('sudo ls')" in a Python script, I always get the exception "The command was not found or was not executable: sudo.".
I confirmed that "sudo" is in /usr/bin/.
How do I make it executable for "pexpect"?
@jquast
Copy link
Member

jquast commented Aug 13, 2014

can you please try instead:
pexpect.spawn('sudo', ['ls'])

@jquast
Copy link
Member

jquast commented Aug 13, 2014

And also:

import os
'/usr/bin' in os.environ['PATH'].split(os.pathsep) # should print True

@jquast
Copy link
Member

jquast commented Aug 13, 2014

I see the problem, it is a regression of my recent "which" change. It does not "appear executable" ?

---s--x--x. 1 root root 123832 Feb 22 2013 /usr/bin/sudo

@cchiu1: Use this as a workaround until we can release a fix please!

>>> p=pexpect.spawn('bash', ['-c', 'sudo ls'])
>>> p.expect(pexpect.EOF)
0
>>> p.before
'bin\t\t      pylint.cfg\t\t setup.cfg\r\nbuild(...)'

@jquast jquast changed the title Cannot run commands with sudo Cannot run setuid commands like sudo with spawn Aug 13, 2014
@jquast jquast self-assigned this Aug 13, 2014
@jquast
Copy link
Member

jquast commented Aug 13, 2014

So we have learned you may execute files that you may not read !

$ file `which sudo`
/usr/bin/sudo: setuid executable, regular file, no read permission
$ cat `which sudo`
cat: /usr/bin/sudo: Permission denied

@jquast jquast added the bug label Aug 13, 2014
jquast added a commit that referenced this issue Aug 25, 2014
@jquast
Closes issue #104 -- cannot execute sudo(8)
67e6c4a 
Previously, misinterpreted that os.access(file, X_OK)
always returns True on Solaris.  Yes, but only for
the uid of 0. Python issue #13706 closed "not a bug"
reads to "just use os.stat()", so we went to great
lengths to do so quite exhaustively.

But this is wrong -- *only* when root, should we check
the file modes -- os.access of X_OK works perfectly
fine for non-root users.

And, we should only check if any of the executable bits
are set.  Alas, it is true, you may execute that which
you may not read -- because as root, you can always read
it anyway.

Verified similar solution in NetBSD test.c (/bin/test),
OpenBSD ksh for its built-in test, and what FreeBSD/Darwin
for their implementation of which.c.
abramley added a commit to Tesora/tesora-trove that referenced this issue Jan 5, 2015
@abramley
Override the version of pexepect that we are loading.
aa14820 
It appears there was a regression in pexpect 3.3 that broke
various sudo commands on centos
See:
pexpect/pexpect#104

For now we will just prevent it from loading 3.3 in our
requirements.txt but we may need to fix this better in the
future
openstack-gerrit pushed a commit to openstack/requirements that referenced this issue Jan 27, 2015
@abramley
Avoid using pexpect version 3.3
bfd194f 
A regressions was introduced in pexpect version
3.3 which causes problems running commands under
sudo on certain platforms.

See: pexpect/pexpect#104
for more information.

This regression has been resolved but not yet
released.

Change-Id: I09de87f04595a9ee7e6ce50724add8593215a043
openstack-gerrit pushed a commit to openstack/openstack that referenced this issue Jan 27, 2015
@openstack-gerrit
Updated openstack/openstack
f9e04f5 
Project: openstack/requirements  162542e1917de7cbb52b89ba4feec59f958684a0

Avoid using pexpect version 3.3

A regressions was introduced in pexpect version
3.3 which causes problems running commands under
sudo on certain platforms.

See: pexpect/pexpect#104
for more information.

This regression has been resolved but not yet
released.

Change-Id: I09de87f04595a9ee7e6ce50724add8593215a043
openstack-gerrit pushed a commit to openstack/openstack that referenced this issue Jan 27, 2015
@openstack-gerrit
Updated openstack/openstack
164a9a7 
Project: openstack/requirements  162542e1917de7cbb52b89ba4feec59f958684a0

Avoid using pexpect version 3.3

A regressions was introduced in pexpect version
3.3 which causes problems running commands under
sudo on certain platforms.

See: pexpect/pexpect#104
for more information.

This regression has been resolved but not yet
released.

Change-Id: I09de87f04595a9ee7e6ce50724add8593215a043
@egrim
Copy link

egrim commented Aug 12, 2015

Here's an alternative workaround to get sudo working for anyone else running into this:

pexpect.which, original_which = (lambda filename: '/usr/bin/sudo' if filename in ('sudo', '/usr/bin/sudo') else original_which(filename),
                                 pexpect.which)

@jquast
Copy link
Member

jquast commented Sep 21, 2015

Fixed in upcoming 4.0 release by #106. #106 was earmarked for release 3.4 which was meant to be release but did not happen for some unfortunate reason, submitted PR #257 to avoid such release confusion.

Hope to have 4.0 out soon, just awaiting @takluyver's approval of pending PR's and his publish ok.

@jquast jquast closed this as completed Sep 21, 2015
@jquast jquast mentioned this issue Sep 21, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jquast jquast

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@egrim @cchiu1 @jquast