vagrant-lxc-ng/lib/vagrant-lxc/command/sudoers.rb

require 'tempfile'

require "vagrant-lxc/driver"
require "vagrant-lxc/sudo_wrapper"

module Vagrant
  module LXC
    module Command
      class Sudoers < Vagrant.plugin("2", :command)

        def initialize(argv, env)
          super
          @argv
          @env = env
        end

        def execute
          options = { user: ENV['USER'] }

          opts = OptionParser.new do |opts|
            opts.banner = "Usage: vagrant lxc sudoers"
            opts.separator ""
            opts.on('-u user', '--user user', String, "The user for which to create the policy (defaults to '#{options[:user]}')") do |u|
              options[:user] = u
            end
          end

          argv = parse_options(opts)
          return unless argv

          wrapper_path = SudoWrapper.dest_path
          wrapper = create_wrapper!
          sudoers = create_sudoers!(options[:user], wrapper_path)

          su_copy([
            {source: wrapper, target: wrapper_path, mode: "0555"},
            {source: sudoers, target: sudoers_path, mode: "0440"}
          ])
        end

        def sudoers_path
          "/etc/sudoers.d/vagrant-lxc"
        end

        private

        # This requires vagrant 1.5.2+ https://github.com/mitchellh/vagrant/commit/3371c3716278071680af9b526ba19235c79c64cb
        def create_wrapper!
          lxc_base_path = Driver.new("").containers_path
          wrapper = Tempfile.new('lxc-wrapper').tap do |file|
            template = Vagrant::Util::TemplateRenderer.new(
              'sudoers.rb',
              :template_root  => Vagrant::LXC.source_root.join('templates').to_s,
              :cmd_paths      => build_cmd_paths_hash,
              :lxc_base_path  => lxc_base_path,
              :pipework_regex => "#{ENV['HOME']}/\.vagrant\.d/gems/(?:\\d+?\\.\\d+?\\.\\d+?/)?gems/vagrant-lxc.+/scripts/pipework"
            )
            file.puts template.render
          end
          wrapper.close
          wrapper.path
        end

        def create_sudoers!(user, command)
          sudoers = Tempfile.new('vagrant-lxc-sudoers').tap do |file|
            file.puts "# Automatically created by vagrant-lxc"
            file.puts "#{user} ALL=(root) NOPASSWD: #{command}"
          end
          sudoers.close
          sudoers.path
        end

        def su_copy(files)
          commands = files.map { |file|
            [
              "rm -f #{file[:target]}",
              "cp #{file[:source]} #{file[:target]}",
              "chown root:root #{file[:target]}",
              "chmod #{file[:mode]} #{file[:target]}"
            ]
          }.flatten
          system "echo \"#{commands.join("; ")}\" | sudo sh"
        end

        def build_cmd_paths_hash
          {}.tap do |hash|
            %w( which cat mkdir cp chown chmod rm tar chown ip ifconfig brctl ).each do |cmd|
              hash[cmd] = `sudo which #{cmd}`.strip
            end
            hash['lxc_bin'] = Pathname(`sudo which lxc-create`.strip).parent.to_s
            hash['ruby'] = Gem.ruby
          end
        end
      end
    end
  end
end
Created an "lxc sudoers" command to create sudoers file for a given user (defaults to current one). 2014-03-16 17:59:18 +00:00			`require 'tempfile'`

Support alternative lxcpath in sudo wrapper The previously hardcoded lxc path prevented the sudo wrapper from working in environment with alternative `lxcpath`. I had to move `sudo_wrapper` from `provider` to `LXC` because the concept of "provider" is tied to a machine when a command sush as `sudoers` is not. Fixes #413 and #399 2017-12-11 16:48:19 +00:00			`require "vagrant-lxc/driver"`
Refactoring: make SudoWrapper a bit more self-contained By looking at the code, it seems that it was a goal to make the sudo wrapper path configurable through the Vagrantfile, but it wasn't effective and didn't make much sense (that kind of config is a per-host config, not a per-guest one). This caused the cause to be needlessly complex by giving the Provider the responsibility of instanciating the wrapper. This commit gets rid of that. I didn't get rid of `sudo_wrapper` injection in `Driver` and `Driver::CLI` constructors because they're needed for tests. I'm not ready to tackle this yet. 2017-12-13 21:35:16 +00:00			`require "vagrant-lxc/sudo_wrapper"`
Support alternative lxcpath in sudo wrapper The previously hardcoded lxc path prevented the sudo wrapper from working in environment with alternative `lxcpath`. I had to move `sudo_wrapper` from `provider` to `LXC` because the concept of "provider" is tied to a machine when a command sush as `sudoers` is not. Fixes #413 and #399 2017-12-11 16:48:19 +00:00
Created an "lxc sudoers" command to create sudoers file for a given user (defaults to current one). 2014-03-16 17:59:18 +00:00			`module Vagrant`
			`module LXC`
			`module Command`
			`class Sudoers < Vagrant.plugin("2", :command)`
sudoers command now creates a safe wrapper script. Sudoers now creates a safe wrapper script that performs sanity checks on sudo : * wrapper generated in /usr/local/bin (name includes version to allow multiple wrappers on the same system) * sudoers command now generates a one-line file in /etc/sudoers.d * SudoWrapper use the new wrapper * Removed unused Config#validate method 2014-04-08 17:58:07 +00:00
			`def initialize(argv, env)`
			`super`
Fix argument parsing 2014-04-23 14:27:33 +00:00			`@argv`
sudoers command now creates a safe wrapper script. Sudoers now creates a safe wrapper script that performs sanity checks on sudo : * wrapper generated in /usr/local/bin (name includes version to allow multiple wrappers on the same system) * sudoers command now generates a one-line file in /etc/sudoers.d * SudoWrapper use the new wrapper * Removed unused Config#validate method 2014-04-08 17:58:07 +00:00			`@env = env`
			`end`

Created an "lxc sudoers" command to create sudoers file for a given user (defaults to current one). 2014-03-16 17:59:18 +00:00			`def execute`
command/sudoers: Nitpick * Use Ruby 1.9+ hash syntax * Use % as the BOXES placeholder as it is the same symbol used for I18n placeholders as well 2014-03-21 22:48:34 +00:00			`options = { user: ENV['USER'] }`
Created an "lxc sudoers" command to create sudoers file for a given user (defaults to current one). 2014-03-16 17:59:18 +00:00
			`opts = OptionParser.new do \|opts\|`
			`opts.banner = "Usage: vagrant lxc sudoers"`
			`opts.separator ""`
Fix argument parsing 2014-04-23 14:27:33 +00:00			`opts.on('-u user', '--user user', String, "The user for which to create the policy (defaults to '#{options[:user]}')") do \|u\|`
command/sudoers: Mention what is the default value for the user and add a REFACTOR note 2014-03-21 22:53:49 +00:00			`options[:user] = u`
Created an "lxc sudoers" command to create sudoers file for a given user (defaults to current one). 2014-03-16 17:59:18 +00:00			`end`
			`end`

			`argv = parse_options(opts)`
			`return unless argv`

sudoers: fix typo fixes #451 2018-01-16 02:17:36 +00:00			`wrapper_path = SudoWrapper.dest_path`
sudoers command now creates a safe wrapper script. Sudoers now creates a safe wrapper script that performs sanity checks on sudo : * wrapper generated in /usr/local/bin (name includes version to allow multiple wrappers on the same system) * sudoers command now generates a one-line file in /etc/sudoers.d * SudoWrapper use the new wrapper * Removed unused Config#validate method 2014-04-08 17:58:07 +00:00			`wrapper = create_wrapper!`
			`sudoers = create_sudoers!(options[:user], wrapper_path)`

			`su_copy([`
			`{source: wrapper, target: wrapper_path, mode: "0555"},`
			`{source: sudoers, target: sudoers_path, mode: "0440"}`
			`])`
			`end`

			`def sudoers_path`
Remove version suffix from generated sudoers commands 2014-09-23 02:07:12 +00:00			`"/etc/sudoers.d/vagrant-lxc"`
Created an "lxc sudoers" command to create sudoers file for a given user (defaults to current one). 2014-03-16 17:59:18 +00:00			`end`

			`private`
command/sudoers: Move wrapper string out to a template and use the full path to the scripts in order to make things work properly across different distros Closes GH-304 Closes GH-305 2014-07-25 00:50:24 +00:00
			`# This requires vagrant 1.5.2+ https://github.com/mitchellh/vagrant/commit/3371c3716278071680af9b526ba19235c79c64cb`
sudoers command now creates a safe wrapper script. Sudoers now creates a safe wrapper script that performs sanity checks on sudo : * wrapper generated in /usr/local/bin (name includes version to allow multiple wrappers on the same system) * sudoers command now generates a one-line file in /etc/sudoers.d * SudoWrapper use the new wrapper * Removed unused Config#validate method 2014-04-08 17:58:07 +00:00			`def create_wrapper!`
Refactoring: make SudoWrapper a bit more self-contained By looking at the code, it seems that it was a goal to make the sudo wrapper path configurable through the Vagrantfile, but it wasn't effective and didn't make much sense (that kind of config is a per-host config, not a per-guest one). This caused the cause to be needlessly complex by giving the Provider the responsibility of instanciating the wrapper. This commit gets rid of that. I didn't get rid of `sudo_wrapper` injection in `Driver` and `Driver::CLI` constructors because they're needed for tests. I'm not ready to tackle this yet. 2017-12-13 21:35:16 +00:00			`lxc_base_path = Driver.new("").containers_path`
sudoers command now creates a safe wrapper script. Sudoers now creates a safe wrapper script that performs sanity checks on sudo : * wrapper generated in /usr/local/bin (name includes version to allow multiple wrappers on the same system) * sudoers command now generates a one-line file in /etc/sudoers.d * SudoWrapper use the new wrapper * Removed unused Config#validate method 2014-04-08 17:58:07 +00:00			`wrapper = Tempfile.new('lxc-wrapper').tap do \|file\|`
command/sudoers: Move wrapper string out to a template and use the full path to the scripts in order to make things work properly across different distros Closes GH-304 Closes GH-305 2014-07-25 00:50:24 +00:00			`template = Vagrant::Util::TemplateRenderer.new(`
			`'sudoers.rb',`
Experimental support for private networking [GH-298] 2015-01-11 22:59:38 +00:00			`:template_root => Vagrant::LXC.source_root.join('templates').to_s,`
			`:cmd_paths => build_cmd_paths_hash,`
Support alternative lxcpath in sudo wrapper The previously hardcoded lxc path prevented the sudo wrapper from working in environment with alternative `lxcpath`. I had to move `sudo_wrapper` from `provider` to `LXC` because the concept of "provider" is tied to a machine when a command sush as `sudoers` is not. Fixes #413 and #399 2017-12-11 16:48:19 +00:00			`:lxc_base_path => lxc_base_path,`
Update pipework regexp for sudo wrapper On Vagrant 1.9+ plugin gems are installed into a different folder, their path containing the ruby version. This updates the regular expression whitelisting the pipework script to reflect this change. 2017-02-07 20:40:32 +00:00			`:pipework_regex => "#{ENV['HOME']}/\.vagrant\.d/gems/(?:\\d+?\\.\\d+?\\.\\d+?/)?gems/vagrant-lxc.+/scripts/pipework"`
command/sudoers: Move wrapper string out to a template and use the full path to the scripts in order to make things work properly across different distros Closes GH-304 Closes GH-305 2014-07-25 00:50:24 +00:00			`)`
			`file.puts template.render`
sudoers command now creates a safe wrapper script. Sudoers now creates a safe wrapper script that performs sanity checks on sudo : * wrapper generated in /usr/local/bin (name includes version to allow multiple wrappers on the same system) * sudoers command now generates a one-line file in /etc/sudoers.d * SudoWrapper use the new wrapper * Removed unused Config#validate method 2014-04-08 17:58:07 +00:00			`end`
			`wrapper.close`
			`wrapper.path`
			`end`
command/sudoers: Mention what is the default value for the user and add a REFACTOR note 2014-03-21 22:53:49 +00:00
sudoers command now creates a safe wrapper script. Sudoers now creates a safe wrapper script that performs sanity checks on sudo : * wrapper generated in /usr/local/bin (name includes version to allow multiple wrappers on the same system) * sudoers command now generates a one-line file in /etc/sudoers.d * SudoWrapper use the new wrapper * Removed unused Config#validate method 2014-04-08 17:58:07 +00:00			`def create_sudoers!(user, command)`
			`sudoers = Tempfile.new('vagrant-lxc-sudoers').tap do \|file\|`
			`file.puts "# Automatically created by vagrant-lxc"`
command/sudoers: Remove Cmnd_Alias from sudoers file Since the wrapper is versioned, we would end up having multiple `LXC` command aliases, making `sudo` unusable: ``` >>> /etc/sudoers.d/vagrant-lxc-1-0-0-alpha-3-dev: Alias `LXC' already >>> defined near line 2 <<< sudo: parse error in /etc/sudoers.d/vagrant-lxc-1-0-0-alpha-3-dev near line 2 sudo: no valid sudoers sources found, quitting sudo: unable to initialize policy plugin ``` 2014-06-09 02:44:02 +00:00			`file.puts "#{user} ALL=(root) NOPASSWD: #{command}"`
Created an "lxc sudoers" command to create sudoers file for a given user (defaults to current one). 2014-03-16 17:59:18 +00:00			`end`
			`sudoers.close`
			`sudoers.path`
			`end`

sudoers command now creates a safe wrapper script. Sudoers now creates a safe wrapper script that performs sanity checks on sudo : * wrapper generated in /usr/local/bin (name includes version to allow multiple wrappers on the same system) * sudoers command now generates a one-line file in /etc/sudoers.d * SudoWrapper use the new wrapper * Removed unused Config#validate method 2014-04-08 17:58:07 +00:00			`def su_copy(files)`
			`commands = files.map { \|file\|`
			`[`
			`"rm -f #{file[:target]}",`
			`"cp #{file[:source]} #{file[:target]}",`
			`"chown root:root #{file[:target]}",`
			`"chmod #{file[:mode]} #{file[:target]}"`
			`]`
			`}.flatten`
			`system "echo \"#{commands.join("; ")}\" \| sudo sh"`
Created an "lxc sudoers" command to create sudoers file for a given user (defaults to current one). 2014-03-16 17:59:18 +00:00			`end`
command/sudoers: Move wrapper string out to a template and use the full path to the scripts in order to make things work properly across different distros Closes GH-304 Closes GH-305 2014-07-25 00:50:24 +00:00
			`def build_cmd_paths_hash`
			`{}.tap do \|hash\|`
Experimental support for private networking [GH-298] 2015-01-11 22:59:38 +00:00			`%w( which cat mkdir cp chown chmod rm tar chown ip ifconfig brctl ).each do \|cmd\|`
vagrant-lxc-wrapper need to allow sudoer first-found binary path sudoer PATH may have different order than current user 2016-05-11 18:21:26 +00:00			hash[cmd] = `sudo which #{cmd}`.strip
command/sudoers: Move wrapper string out to a template and use the full path to the scripts in order to make things work properly across different distros Closes GH-304 Closes GH-305 2014-07-25 00:50:24 +00:00			`end`
vagrant-lxc-wrapper need to allow sudoer first-found binary path sudoer PATH may have different order than current user 2016-05-11 18:21:26 +00:00			hash['lxc_bin'] = Pathname(`sudo which lxc-create`.strip).parent.to_s
vagrant-lxc-wrapper: Use correct ruby interpreter Previously, we hardcoded to using the ruby binary in /opt/vagrant[..]. On some systems, this path is incorrect, so instead we use the path of the interpreter that is executing the `vagrant lxc sudoers` command. 2015-03-19 23:21:57 +00:00			`hash['ruby'] = Gem.ruby`
command/sudoers: Move wrapper string out to a template and use the full path to the scripts in order to make things work properly across different distros Closes GH-304 Closes GH-305 2014-07-25 00:50:24 +00:00			`end`
			`end`
Created an "lxc sudoers" command to create sudoers file for a given user (defaults to current one). 2014-03-16 17:59:18 +00:00			`end`
			`end`
			`end`
			`end`