Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd.run runas does not properly change user on macOS #43185

Closed
odormond opened this issue Aug 25, 2017 · 5 comments
Closed

cmd.run runas does not properly change user on macOS #43185

odormond opened this issue Aug 25, 2017 · 5 comments
Labels
Bug broken, incorrect, or confusing behavior P3 Priority 3 Platform Relates to OS, containers, platform-based utilities like FS, system based apps severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around stale
Milestone
Approved

Comments

@odormond
Copy link

Description of Issue/Question

On macOS, tools like https://github.com/mas-cli/mas, uses some Apple specific internal call to get user specific informations. When invoked through cmd.run with the runas option set, they will not get the correct user specific data.

The problem can be pinpointed to the use of sudo instead of su as it can be reproduced directly with these two without involving salt at all (assuming testuser is logged into the AppStore and root is not):

mac-minion:~ root# sudo -i -u testuser /usr/local/bin/mas account
Not signed in
Error: Not signed in
mac-minion:~ root# su - testuser -c '/usr/local/bin/mas account'
testuser@example.com

Setup

On the mac minion, install https://github.com/mas-cli/mas and log in as testuser. Do a mas signin testuser@example.com t3stPassw0rd.

Steps to Reproduce Issue

Actual behavior:

root@salt-master:~# salt mac-minion cmd.run '/usr/local/bin/mas account' runas=testuser
mac-minion:
    Not signed in
    Warning: Not signed in
ERROR: Minions returned with non-zero exit code

Expected behavior:

root@salt-master:~# salt mac-minion cmd.run '/usr/local/bin/mas account' runas=testuser
mac-minion:
    testuser@example.com

The expected result can be obtained with this workaround:

root@salt-master:~# salt mac-minion cmd.run "su - testuser -c '/usr/local/bin/mas account'"
mac-minion:
    testuser@example.com

Versions Report

==== master ====

Salt Version:
Salt: 2016.11.5

Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: 0.6.4
gitpython: 1.0.1
ioflo: Not Installed
Jinja2: 2.9.6
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.8
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.12 (default, Nov 19 2016, 06:48:10)
python-gnupg: Not Installed
PyYAML: 3.12
PyZMQ: 16.0.2
RAET: Not Installed
smmap: 0.9.0
timelib: Not Installed
Tornado: 4.5.1
ZMQ: 4.1.6

System Versions:
dist: Ubuntu 16.04 xenial
machine: x86_64
release: 4.8.0-1-amd64
system: Linux
version: Ubuntu 16.04 xenial

==== minion ====

Salt Version:
Salt: 2016.11.5

Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
docker-py: Not Installed
gitdb: 0.6.4
gitpython: 1.0.1
ioflo: Not Installed
Jinja2: 2.9.6
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.8
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.12 (default, Nov 19 2016, 06:48:10)
python-gnupg: Not Installed
PyYAML: 3.12
PyZMQ: 16.0.2
RAET: Not Installed
smmap: 0.9.0
timelib: Not Installed
Tornado: 4.5.1
ZMQ: 4.1.6

System Versions:
dist: Ubuntu 16.04 xenial
machine: x86_64
release: 4.8.0-1-amd64
system: Linux
version: Ubuntu 16.04 xenial
@gtmanfred
Copy link
Contributor

Would you mind submitting a PR for the salt/modules/cmdmod.py change?

            if __grains__['os'] in ['MacOS', 'Darwin']:
                env_cmd = ('sudo', '-i', '-u', runas, '--',
                           sys.executable)

Thanks,
Daniel

@gtmanfred gtmanfred added Bug broken, incorrect, or confusing behavior severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around P3 Priority 3 Platform Relates to OS, containers, platform-based utilities like FS, system based apps labels Aug 25, 2017
@gtmanfred gtmanfred added this to the Approved milestone Aug 25, 2017
@weswhet
Copy link
Contributor

weswhet commented Sep 29, 2017

I believe the proposed change will also fix an issue i've noticed where salt has a difficult time trying to load LaunchAgents as a user. I'll try to file the PR next week.

@gtmanfred
Copy link
Contributor

Thanks!
Daniel

@weswhet
Copy link
Contributor

weswhet commented Mar 1, 2018

looks like tweaking
env_cmd = ('sudo', '-i', '-u', runas, '--', sys.executable)
to
env_cmd = ('su', '-', runas, '-c', sys.executable)
doesn't fix this. And honestly i'm a little stumped on how to fix this. In its current state running anything as a user on macOS from root is not working properly. Any thoughts or ideas would be great.

@weswhet weswhet mentioned this issue Apr 20, 2018
Merged
@cdalvaro cdalvaro mentioned this issue Dec 29, 2018
Closed
@stale
Copy link

stale bot commented Jun 14, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

@stale stale bot added the stale label Jun 14, 2019
@stale stale bot closed this as completed Jun 21, 2019
@bryceml bryceml mentioned this issue Jul 15, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug broken, incorrect, or confusing behavior P3 Priority 3 Platform Relates to OS, containers, platform-based utilities like FS, system based apps severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around stale
Projects
None yet
Milestone
Approved
Development

No branches or pull requests
3 participants
@gtmanfred @odormond @weswhet