From 1b982da6b0f225d70e99e956c6fe9d910cc430bb Mon Sep 17 00:00:00 2001
From: Sean Whitton
Date: Sun, 30 May 2021 09:51:28 -0700
Subject: :SUDO: preserve SSH_AUTH_SOCK when sudoing to root
Signed-off-by: Sean Whitton
---
 src/connection/sudo.lisp | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
(limited to 'src/connection')
diff --git a/src/connection/sudo.lisp b/src/connection/sudo.lisp
index 7896761..fc92c3f 100644
--- a/src/connection/sudo.lisp
+++ b/src/connection/sudo.lisp
@@ -60,10 +60,21 @@
 (and value (passphrase value))))
 (defmethod connection-shell-wrap ((connection sudo-connection) cmd)
- ;; wrap in sh -c so that it is more likely we are either asked for a
- ;; password for all our commands or not asked for one for any
- (format nil "sudo -HkS --prompt=\"\" --user=~A sh -c ~A"
- (connection-connattr connection :remote-user) (escape-sh-token cmd)))
+ ;; Wrap in sh -c so that it is more likely we are either asked for a
+ ;; password for all our commands or not asked for one for any.
+ ;;
+ ;; Preserve SSH_AUTH_SOCK for root to enable this sort of workflow: deploy
+ ;; laptop using (:SUDO :SBCL) and then DEFHOST for laptop contains (DEPLOYS
+ ;; ((:SSH :TO "root")) ...) to deploy a VM running on the laptop.
+ ;;
+ ;; This only works for sudoing to root because only the superuser can access
+ ;; the socket (and was always able to, so we're not granting new access
+ ;; which may be unwanted).
+ (let ((user (connection-connattr connection :remote-user)))
+ (format
+ nil
+"sudo -HkS --prompt=\"\" ~:[~;--preserve-env=SSH_AUTH_SOCK ~]--user=~A sh -c ~A"
+ (string= user "root") user (escape-sh-token cmd))))
 (defmethod connection-run ((c sudo-connection) cmd (input null))
 (call-next-method c cmd (get-sudo-password c)))
--
cgit v1.2.3
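Review bot: The new format string in `connection-shell-wrap` passes `--preserve-env=SSH_AUTH_SOCK` on every sudo-to-root invocation, and nothing in the hunk accounts for hosts whose sudoers policy does not let the invoking user keep that variable. As far as I know sudo may then refuse the whole command rather than silently drop the variable, which would break deployments that worked before this commit; the list form of `--preserve-env` is also missing from older sudo releases. I would record the requirement next to the existing comment, e.g. `;; Requires a sudo that accepts --preserve-env=VAR and a sudoers policy that permits keeping SSH_AUTH_SOCK (SETENV or env_keep).` It is also worth considering an opt-in connection argument, so that the agent socket path is only handed to root-run commands when the DEPLOYS workflow described in the comment is actually in use. The `(string= user "root")` test matches only the literal name, which errs in the conservative direction.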