
Cumin: allow running as non-root
Closed, Resolved · Public

Description

Cumin version: 3.0.2
Python version: 3.5.3
Operating System: Debian stretch 9.8

Issue:

Cumin currently checks its running user at startup to make sure it's running as root. Yet it seems to be perfectly capable of running as a regular user in my tests.

Is there any reason why Cumin shouldn't be runnable from regular users? It doesn't seem to give any additional privileges in itself: if a user doesn't have access to (say) the PuppetDB server or target SSH servers, Cumin won't work anyways...

I made this simple patch to disable the check:

https://github.com/anarcat/cumin/commit/95579eeeee34953e75f03cf81069a4347cb870de.patch

I'd be happy to submit it to Gerrit once I figure out how *that* works...

Event Timeline

Restricted Application added a subscriber: Aklapper. · Mar 15 2019, 9:07 PM

As an extension to this, it would perhaps be necessary for Cumin to look in standard directories, like ~/.config/ (or maybe ~/.config/cumin) for its configuration file, otherwise root is still required to edit things in /etc/cumin/...

The current workaround is to set the environment variables that it checks like SUDO_USER=$USER USER=root cumin ... but I strongly agree with this feature request, as I've made a similar one :)
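
Added example (not Cumin's code and not part of the original thread): the workaround above succeeds because USER and SUDO_USER are supplied by the caller, so a check built on them cannot act as a privilege boundary. Assuming a check of that shape, the code below compares what the environment claims with the effective UID the kernel enforces; the function names user_from_env, user_from_kernel and audit_identity are hypothetical.

```python
import os
import pwd


def user_from_env(environ):
    """Hypothetical env-based check: trusts USER and SUDO_USER as given."""
    if environ.get("USER") != "root":
        raise PermissionError("must run as root")
    sudo_user = environ.get("SUDO_USER")
    if sudo_user in (None, "root"):
        raise PermissionError("run via sudo so the invoking user is known")
    return sudo_user


def user_from_kernel():
    """Identity the kernel enforces: effective UID, with its name if one exists."""
    euid = os.geteuid()
    try:
        name = pwd.getpwuid(euid).pw_name
    except KeyError:  # UID without a passwd entry (e.g. in a container)
        name = str(euid)
    return euid, name


def audit_identity(environ):
    """Report both views; flag an environment that claims root when euid != 0."""
    euid, name = user_from_kernel()
    try:
        claimed, env_ok = user_from_env(environ), True
    except PermissionError:
        claimed, env_ok = None, False
    return {
        "euid": euid,
        "kernel_user": name,
        "env_claims_root": env_ok,
        "env_sudo_user": claimed,
        "env_mismatch": env_ok and euid != 0,
    }


if __name__ == "__main__":
    # Constructed environment mirroring the workaround quoted in the thread.
    print(audit_identity({"USER": "root", "SUDO_USER": "alice"}))
    print(audit_identity(dict(os.environ)))
```

For audit logging, the kernel-derived name is the value to record; the environment's claim is only a hint about who invoked the tool.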

As an extension to this, it would perhaps be necessary for Cumin to look in standard directories, like ~/.config/ (or maybe ~/.config/cumin) for its configuration file, otherwise root is still required to edit things in /etc/cumin/...

+1

i managed to login to gerrit, but couldn't figure out how to push my patch for review:

anarcat@angela:cumin(user)$ git review -R -r origin
Problems encountered installing commit-msg hook
The following command failed with exit code 1
    "scp git@github.com:hooks/commit-msg .git/hooks/commit-msg"
-----------------------
Invalid command: 'scp -f hooks/commit-msg'
  You appear to be using ssh to clone a git:// URL.
  Make sure your core.gitProxy config option and the
  GIT_PROXY_COMMAND environment variable are NOT set.
-----------------------
[2]anarcat@angela:cumin(user)$ git rv
anarcat	git@github.com:anarcat/cumin.git (fetch)
anarcat	git@github.com:anarcat/cumin.git (push)
github	https://github.com/wikimedia/cumin/ (fetch)
github	https://github.com/wikimedia/cumin/ (push)
origin	ssh://anarcat@gerrit.wikimedia.org:29418/operations/software/cumin.git (fetch)
origin	ssh://anarcat@gerrit.wikimedia.org:29418/operations/software/cumin.git (push)

anyone knows WTH is going on here?

@TheAnarcat: Hi and thanks for your patch! :) Your output lists Github but we don't use Github for patch review. Did you clone via git clone ssh://yourusername@gerrit.wikimedia.org:29418/operations/software/cumin.git as described in the Gerrit tutorial?

TheAnarcat added a comment. · Edited · Mar 18 2019, 2:21 PM

I did - as you can see, in the last command:

origin	ssh://anarcat@gerrit.wikimedia.org:29418/operations/software/cumin.git (push)

update: oh, i see: i did not *actually* clone from gerrit - i cloned from GitHub and added the gerrit remote after, which confused gerrit. after setting the upstream branch correctly, things work better. thanks for the hint!

patch now lives in https://gerrit.wikimedia.org/r/#/c/operations/software/cumin/+/497312 - let me know if i should expand it to cover ~/.config discovery and so on.

ping - i think we need someone to review this...

Volans added a comment. · May 2 2019, 9:19 AM

I've replied to the CR.

oh i hadn't noticed tests had failed... fixed that and the other comment, hopefully we're all done here.

Volans closed this task as Resolved. · May 2 2019, 5:51 PM
Volans claimed this task.
Volans triaged this task as Normal priority.

Patch has been merged into master and will be part of the next Cumin release.

whoohoo! thanks!