Bug 849452 - RFE: scl sudo subcommand or equivalent
Summary: RFE: scl sudo subcommand or equivalent
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Developer Toolset
Classification: Red Hat
Component: scl-utils
Version: unspecified
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: alpha
: 1.1
Assignee: Frank Ch. Eigler
QA Contact: Tomas Dohnalek
URL:
Whiteboard:
Depends On:
Blocks: 852031
Reported: 2012-08-19 15:17 UTC by Frank Ch. Eigler
Modified: 2016-03-21 21:16 UTC

Fixed In Version: devtoolset-1.1-12.el[56]
Doc Type: Enhancement
Doc Text:
No documentation needed
Clone Of:
: 852031 (view as bug list)
Environment:
Last Closed: 2013-01-22 14:36:28 UTC
Target Upstream Version:
Embargoed:


Attachments
sudo wrapper, now with More Quoting (tm) (306 bytes, text/plain)
2012-10-23 15:13 UTC, Frank Ch. Eigler


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2013:0175 0 normal SHIPPED_LIVE new packages: devtoolset-1.1 2013-01-22 19:32:51 UTC

Description Frank Ch. Eigler 2012-08-19 15:17:32 UTC
Some scl-managed packages include privileged services that need the occasional sudo operation to do their job.  But since sudo clears environment variables such as LD_LIBRARY_PATH or similar, which may be set by the scl /enable file, plain sudo doesn't do the right thing.

It would be desirable to have an operation like
% scl sudo SCL COMMAND ARGS ARGS
that just wraps 'sudo scl enable SCL 'COMMAND ARGS ARGS'

One motivation for doing it this way is an unfortunate aspect of the scl enable design: the command and parameters are to be squished into a single string (like sh -c), instead of being ordinary argv[] entries as per sudo, ssh, or sh.  It would be convenient to have a variant with tastier syntactic sugar:
% scl exec SCL COMMAND ARGS ARGS ...
that expanded to basically
% scl enable SCL 'COMMAND ARGS ARGS ...'

(Note that, because of the sudo environment filtering, this wouldn't be sufficient for sudo wrapping.  For that, another operation could do:

% scl nest SCL COMMAND ARGS ARGS ...
expanding to
% COMMAND scl exec SCL ARGS ARGS ...

Comment 2 Jindrich Novy 2012-08-20 08:28:50 UTC
IMO the easiest solution would be to use a wrapper script in case of a more complicated scl invocation or in case privilege escalation is needed. In case of privilege escalation one can even better fine-grain the ACL file attributes of the script or modify its SELinux context.

Note that even the current scl invocation allows you to run custom scripts from the /opt/rh/<collection>/ path. Currently only the 'enable' scriptlet is mandatory. Your use case can be handled by creating, say, a 'sudo_enable' scriptlet, in case scl passes the command to be executed in a shell variable, such as $SCL_COMMAND. In that case you can do:

. enable
sudo $SCL_COMMAND

in the sudo_enable scriptlet and the command can then be executed with privileges escalated like:

scl sudo_enable SCL COMMAND ARGS ARGS ...

Comment 3 Frank Ch. Eigler 2012-08-20 13:37:49 UTC
The sudo_enable idea wouldn't work exactly like that, because after
   . enable
loads the various environment variables,
   sudo $SCL_COMMAND
proceeds to cleanse the environment.

I'm currently experimenting with a $SCL_ROOT/root/usr/bin/sudo wrapper script.

Comment 4 Frank Ch. Eigler 2012-08-20 15:22:34 UTC
The sudo wrapper script idea appears to work: I'll plop it into the devtoolset-1.1 rpm in the next respin.  (Is there a bugzilla component for it?)

Comment 6 Tomas Dohnalek 2012-10-23 14:26:55 UTC
This wrapper fails in this situation:

[root@ibm-l4b-lp1]# scl_enabled && echo "ok"
ok
[root@ibm-l4b-lp1]# echo 5 | /usr/bin/sudo cat
5
[root@ibm-l4b-lp1]# echo 5 | sudo cat
[root@ibm-l4b-lp1]#

Comment 7 Frank Ch. Eigler 2012-10-23 14:42:07 UTC
Experimented with passing the stdin file descriptor across sudo using 

exec 4<&0
echo "$@ <&4" | exec /usr/bin/sudo -E -C5 scl enable devtoolset-1.1 -

but sudo -C* is prohibited in default sudo configurations.  Experimenting...

(A native "scl sudo devtoolset-1.1 COMMAND ARGS..." seems handier every day.)

Comment 8 Frank Ch. Eigler 2012-10-23 15:13:16 UTC
Created attachment 632150
sudo wrapper, now with More Quoting (tm)
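
Because scl enable takes its command as one string (like sh -c), a sudo wrapper has to re-quote every argv entry before joining them, or the privileged shell re-splits and re-interprets the arguments. The following is an added example, not the attached wrapper and not scl-utils code: sh -c stands in for scl enable, and the function names and sample arguments are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names). sh -c stands in for
# "scl enable SCL '<string>'", which takes its command as one string.

# Quote one argument so a POSIX shell re-reads it as exactly one word:
# wrap it in single quotes and rewrite each embedded ' as '\''.
sq_quote() {
    # The trailing x keeps $( ) from eating newlines at the end of $1.
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Join argv into one command string, quoting every entry.
build_command() {
    out=
    for arg in "$@"; do
        out="${out:+$out }$(sq_quote "$arg")"
    done
    printf '%s' "$out"
}

# What an unquoted wrapper does: flatten argv with spaces.
naive_string() { printf '%s' "$*"; }

# Hand a command string to a shell, as a string-taking wrapper would.
run_string() { sh -c "$1"; }

# Constructed sample argv: a space, a quote, and shell metacharacters.
set -- printf '%s,' 'two words' "it's" 'a;b $(echo c)'
printf 'naive : %s\n' "$(naive_string "$@")"
printf 'quoted: %s\n' "$(build_command "$@")"
printf 'result: %s\n' "$(run_string "$(build_command "$@")")"
```

The naive string is only printed, never executed; the quoted string reaches printf as three intact arguments.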

Comment 11 Frank Ch. Eigler 2012-11-26 16:23:21 UTC
Martin, the other bit I'd test is the proper passage of the DTS environment variables.  e.g.,  .../devtoolset-1.1/.../sudo env should show the devtoolset paths etc. set.

Comment 15 errata-xmlrpc 2013-01-22 14:36:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-0175.html

Comment 16 Martin Langhoff 2016-03-21 21:16:44 UTC
This borks sudo! See #1319936 .

