[sudo-users] NOPASSWD rules prompt for a password when run non-interactively

Bob Proulx bob at proulx.com
Sun Apr 23 12:08:09 EDT 2006


Graham Binns wrote:
> I'm using sudo as part of a subversion repository. When a commit is
> made to the repository, the repository's post-commit script runs and
> updates a working copy of that repository. In order to do that
> successfully the update command is run via sudo, with the command run
> as the user that owns the repository.

I am doing this very same thing with several installations.

> %svnusers ALL=(subversion) NOPASSWD: /usr/bin/svn

I am not doing this.  Since subversion post-commit hook scripts are
executed after the commit has taken place I don't think it needs to
restrict updating to a particular user.  That is, if the permissions
allowed an svn commit then just update the live repository.

Because otherwise you would need to keep the %svnusers and the group
of users that can commit to subversion in sync.  That would be
maintaining the same list in two different places.

> visudo tells me that this is fine and good and everything appears to
> work. If I run the svn update command from the terminal, thus:
> sudo -u subversion svn update <filename>
> Then everything works.

I am wondering if you also have additional sudoers permissions for
yourself such that when you are testing this that you are hitting a
different rule than this one.  I have stumbled on that myself.  I have
full permissions.  I test a rule intending to check someone else's
permissions.  But I end up invoking my extra full permissions instead.

> However, when I run the command through the post-commit script - and
> therefore non-interactively (as I see it anyway; the script is invoked
> by the subversion process once the commit is complete) sudo prompts
> for a password. I know this because, as debugging data, I am
> redirecting STDOUT and STDERR to files in order to watch what is going
> on. If I specify a password prompt that includes the name of the
> invoking and runas users, e.g.:

Can you also log the $(whoami), $(id), $(groups) user name and groups
to be able to verify that you are running it as the user you expect?
More importantly that the user at that time includes the subversion
group that you have configured for it?  It may be the user you expect
but not include the group at that moment.  It depends upon how the
process was created.

How are you accessing your svn repository?  If by svn+ssh:// then you
will be the user of course.  But if by https:// then most web servers
run as user www-data or some such.  But I am sure you already know
this.

> sudo -u subversion -p %u:%U svn update <filename>
> 
> Then I see the correct usernames both before and after the :.
> 
> Can anyone tell me why I'm being asked for a password, or at least
> point me in the right direction?

I suggest avoiding this problem entirely.  Don't restrict running this
command to only a list of svn committers.  Let the svn permissions
handle that part.  Then allow ALL for the user to run a post-commit
update of the current view of your repository.

  ALL ALL=(subversion) NOPASSWD: /root/bin/websvn-commit-hook

In the post-commit script:

  sudo -u subversion /root/bin/websvn-commit-hook

Where /root/bin/websvn-commit-hook is an example but may contain this for
example:

  #!/bin/sh
  cd /srv/www || exit 1
  svn update --quiet
  exit 0

Because I don't think you really want to give away all permissions for
svn but just for the task that you want to have happen here.  In my
example the task is updating the current web directory being held in
subversion.  It won't hurt if someone runs that outside the
post-commit hook so don't work to disallow it.

Hope this helps,
Bob
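The two things Bob asks Graham to check, whether a later and broader rule for the admin's own account is the one actually matching, and whether the `svnusers` group is really in the credentials of the process that runs the hook, come down to how sudoers rules are matched. The evaluator below is an added example written for this page; it is not sudo's code and was not part of the thread. It handles only the plain `User Host=(Runas) [NOPASSWD:] command` form and applies sudo's documented last-match semantics. The sudoers fragments, the host name `repo1` and the account names in it are constructed for the demonstration.

```python
"""Toy evaluator for a subset of sudoers syntax (added example, not sudo's code).

Handles lines of the form
    User Host=(Runas_List) [NOPASSWD:|PASSWD:] Cmnd [args]
where User is ALL, %group or a user name.  Defaults, aliases, wildcards,
negation and include directives are not supported.  Two documented sudo
behaviours are modelled: when several entries match a request the LAST
matching entry is used, and a %group spec is checked against the groups
carried by the calling process, not against /etc/group.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?"
    r"(?P<cmnd>.+?)\s*$"
)


@dataclass(frozen=True)
class Rule:
    user: str                        # "ALL", "%group" or a user name
    host: str                        # "ALL" or a host name
    runas: Tuple[str, ...]           # target users; ("root",) when omitted
    nopasswd: bool                   # True when tagged NOPASSWD:
    path: str                        # "ALL" or the command path
    args: Optional[Tuple[str, ...]]  # None: any arguments are accepted


def parse_sudoers(text: str):
    """Parse sudoers text into Rule objects, keeping file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        runas = tuple(r.strip() for r in (m["runas"] or "root").split(","))
        words = m["cmnd"].split()
        args = None if len(words) == 1 else tuple(words[1:])
        rules.append(Rule(m["user"], m["host"], runas,
                          m["tag"] == "NOPASSWD", words[0], args))
    return rules


def _user_matches(spec: str, user: str, groups) -> bool:
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups    # group as present in the process credentials
    return spec == user


def evaluate(rules, user, groups, host, runas, path, args=()):
    """Return (allowed, password_required); the last matching rule decides."""
    decision = (False, True)   # no match: denied, and sudo prompts before saying so
    for r in rules:
        if not _user_matches(r.user, user, groups):
            continue
        if r.host not in ("ALL", host):
            continue
        if "ALL" not in r.runas and runas not in r.runas:
            continue
        if r.path not in ("ALL", path):
            continue
        if r.args is not None and r.args != tuple(args):
            continue
        decision = (True, not r.nopasswd)
    return decision


# Constructed sample sudoers fragments, modelled on the rules quoted in the thread.
GROUP_RULE = "%svnusers ALL=(subversion) NOPASSWD: /usr/bin/svn\n"
ADMIN_RULE = "graham ALL=(ALL) ALL\n"   # broad rule for the admin's own account
WRAPPER_RULE = "ALL ALL=(subversion) NOPASSWD: /root/bin/svn-post-commit\n"


def scenarios():
    """Decisions for 'sudo -u subversion svn update' on the constructed host repo1."""
    req = dict(host="repo1", runas="subversion", path="/usr/bin/svn", args=("update",))
    out = {}
    # committer whose process carries the svnusers group: NOPASSWD applies
    out["committer"] = evaluate(parse_sudoers(GROUP_RULE), "graham", {"svnusers"}, **req)
    # same login, but the process was created without the supplementary group
    out["committer_no_group"] = evaluate(parse_sudoers(GROUP_RULE), "graham", set(), **req)
    # admin's broad rule listed after the group rule: last match wins, password asked
    out["admin_last_match"] = evaluate(parse_sudoers(GROUP_RULE + ADMIN_RULE), "graham", {"svnusers"}, **req)
    # the same two rules in the other order: the NOPASSWD rule is now the last match
    out["admin_first"] = evaluate(parse_sudoers(ADMIN_RULE + GROUP_RULE), "graham", {"svnusers"}, **req)
    # hook executed by the web server account, which is not in svnusers
    out["www_data"] = evaluate(parse_sudoers(GROUP_RULE), "www-data", {"www-data"}, **req)
    # Bob's wrapper rule: any account may run the fixed script, and nothing else
    out["wrapper"] = evaluate(parse_sudoers(WRAPPER_RULE), "www-data", {"www-data"},
                              "repo1", "subversion", "/root/bin/svn-post-commit")
    out["wrapper_other_cmd"] = evaluate(parse_sudoers(WRAPPER_RULE), "www-data", {"www-data"}, **req)
    return out


if __name__ == "__main__":
    for name, (allowed, pw) in scenarios().items():
        print(f"{name:20s} allowed={allowed!s:5s} password_required={pw}")
```

On a real host the same questions are answered by `sudo -l -U <user>`, which lists the rules that apply to that account, and by logging `id` from inside the hook, which shows the groups the process actually carries. A hook that must never block on a prompt can call `sudo -n` so that a missing NOPASSWD match fails immediately instead of hanging.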
