author | Sean Whitton <spwhitton@spwhitton.name> | 2021-05-30 09:51:28 -0700 |
---|---|---|
committer | Sean Whitton <spwhitton@spwhitton.name> | 2021-05-30 10:05:00 -0700 |
commit | 1b982da6b0f225d70e99e956c6fe9d910cc430bb (patch) | |
tree | 9f202196b3785a5dd2a6012986963fbaa400220e /src/connection/sudo.lisp | |
parent | d9ac9152b59af5ba7c5696fb62db05b6d1b3425d (diff) | |
download | consfigurator-1b982da6b0f225d70e99e956c6fe9d910cc430bb.tar.gz |
:SUDO: preserve SSH_AUTH_SOCK when sudoing to root
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Diffstat (limited to 'src/connection/sudo.lisp')
-rw-r--r-- | src/connection/sudo.lisp | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/src/connection/sudo.lisp b/src/connection/sudo.lisp
index 7896761..fc92c3f 100644
--- a/src/connection/sudo.lisp
+++ b/src/connection/sudo.lisp
@@ -60,10 +60,21 @@
 (and value (passphrase value))))
 (defmethod connection-shell-wrap ((connection sudo-connection) cmd)
- ;; wrap in sh -c so that it is more likely we are either asked for a
- ;; password for all our commands or not asked for one for any
- (format nil "sudo -HkS --prompt=\"\" --user=~A sh -c ~A"
- (connection-connattr connection :remote-user) (escape-sh-token cmd)))
+ ;; Wrap in sh -c so that it is more likely we are either asked for a
+ ;; password for all our commands or not asked for one for any.
+ ;;
+ ;; Preserve SSH_AUTH_SOCK for root to enable this sort of workflow: deploy
+ ;; laptop using (:SUDO :SBCL) and then DEFHOST for laptop contains (DEPLOYS
+ ;; ((:SSH :TO "root")) ...) to deploy a VM running on the laptop.
+ ;;
+ ;; This only works for sudoing to root because only the superuser can access
+ ;; the socket (and was always able to, so we're not granting new access
+ ;; which may be unwanted).
+ (let ((user (connection-connattr connection :remote-user)))
+ (format
+ nil
+"sudo -HkS --prompt=\"\" ~:[~;--preserve-env=SSH_AUTH_SOCK ~]--user=~A sh -c ~A"
+ (string= user "root") user (escape-sh-token cmd))))
 (defmethod connection-run ((c sudo-connection) cmd (input null))
 (call-next-method c cmd (get-sudo-password c))) |
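Review bot: The new `--preserve-env=SSH_AUTH_SOCK` in the format string is unconditional for every root target, but sudo only honours it when the sudoers policy allows it — SSH_AUTH_SOCK must be in env_keep or the invoking user must hold the SETENV tag — and the `--preserve-env=list` form is, as far as I recall, only available in sudo 1.8.21 and later; where either condition fails sudo rejects the invocation outright. Because connection-shell-wrap wraps every command for the connection, that means the whole :SUDO connection to root stops working on such hosts rather than merely losing agent access, which is a regression from the previous wrapper. At minimum the comment block should state the requirement so operators can diagnose the failure, e.g. `;; Requires sudo >= 1.8.21 and a sudoers policy that keeps SSH_AUTH_SOCK (env_keep) or grants SETENV; otherwise sudo refuses every command for root.` A softer option would be to gate the flag behind a connattr or a one-time probe of the remote sudo and fall back to the old wrapper when preservation is not permitted.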