Subject: [bug#36957] [PATCH] machine: Allow non-root users to deploy.
From: zerodaysfordays@sdf.lonestar.org (Jakob L. Kreuze)
To: Christopher Lemmer Webber, Ricardo Wurmus
Cc: 36957@debbugs.gnu.org
Date: Wed, 07 Aug 2019 16:20:37 -0400
Message-ID: <87wofolobu.fsf@sdf.lonestar.org>
In-Reply-To: <877e7opz01.fsf@dustycloud.org> (Christopher Lemmer Webber's message of "Wed, 07 Aug 2019 15:17:22 -0400")
References: <87a7cl3zyy.fsf@sdf.lonestar.org> <878ss4yiq0.fsf@elephly.net> <877e7opz01.fsf@dustycloud.org>

Hi Ricardo and Chris,

Ricardo Wurmus writes:

> Hi Jakob,
>
> I haven’t yet looked over the patches, but when I saw that it mentions
> “sudo” I wondered: is it feasible to support “su” with interactive (or
> cached) password input as well?

I believe so.
This would require two additions:

- Code to interact with the 'su' prompt.
- Some way for 'managed-host-environment-type' to obtain root's password,
  which I imagine would be either a prompt or a field in the configuration
  record.

On the latter addition, I've experimented a bit with both possibilities
(albeit for a password-authenticated sudo). Prompting the user for a
password feels like a bad idea because then deployments wouldn't really be
automated, and we would have to do some sort of thread synchronization when
parallel deployments are implemented so we don't mess up the TTY. I could
get behind a 'password' field for 'managed-host-environment-type' (and then
if users want a prompt they can just call out to 'getpass'), but again,
we'd need code to interact with the 'su' prompt.

Christopher Lemmer Webber writes:

> Maybe a more important question: if this turns out to be desirable, is
> there a path forward to add it later? If that's true, I'd suggest we
> move forward with merging the patch and worry about how to add the
> option at a future time.

Yeah. A 'password' field with '(default #f)' shouldn't be too invasive.
Aside from that, it would just involve adding the 'su' interaction code to
the two procedures that spawn REPLs.
Regards,
Jakob