Cumin: allow running as non-root
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	TheAnarcat
	Mar 15 2019, 9:07 PM

Description

Cumin version	3.0.2
Python version	3.5.3
Operating System	Debian stretch 9.8

Issue:

Cumin currently checks its running user at startup to make sure it's running as root. Yet it seems to be perfectly capable of running as a regular user in my tests.

Is there any reason why Cumin shouldn't be runnable from regular users? It doesn't seem to give any additional privileges in itself: if a user doesn't have access to (say) the PuppetDB server or target SSH servers, Cumin won't work anyways...

I made this simple patch to disable the check:

https://github.com/anarcat/cumin/commit/95579eeeee34953e75f03cf81069a4347cb870de.patch

I'd be happy to submit it to Gerrit once I figure out how *that* works...

Related Objects

Mentioned In: rCUMIN2a676b533c05: Allow running cumin as a regular user

Event Timeline

TheAnarcat created this task.Mar 15 2019, 9:07 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 15 2019, 9:07 PM

As an extension to this, it would perhaps be necessary for Cumin to look in standards directories, like ~/.config/ (or maybe ~/.config/cumin) for its configuration file, otherwise root is still required to edit things in /etc/cumin/...

• crusnov subscribed.Mar 15 2019, 9:23 PM

The current workaround is to set the environment variables that it checks like SUDO_USER=$USER USER=root cumin ... but I strongly agree with this feature request, as I've made a similar one :)

In T218440#5028427, @TheAnarcat wrote:

As an extension to this, it would perhaps be necessary for Cumin to look in standards directories, like ~/.config/ (or maybe ~/.config/cumin) for its configuration file, otherwise root is still required to edit things in /etc/cumin/...

i managed to login to gerrit, but couldn't figure out how to push my patch for review:

anarcat@angela:cumin(user)$ git review -R -r origin
Problems encountered installing commit-msg hook
The following command failed with exit code 1
    "scp git@github.com:hooks/commit-msg .git/hooks/commit-msg"
-----------------------
Invalid command: 'scp -f hooks/commit-msg'
  You appear to be using ssh to clone a git:// URL.
  Make sure your core.gitProxy config option and the
  GIT_PROXY_COMMAND environment variable are NOT set.
-----------------------
[2]anarcat@angela:cumin(user)$ git rv
anarcat	git@github.com:anarcat/cumin.git (fetch)
anarcat	git@github.com:anarcat/cumin.git (push)
github	https://github.com/wikimedia/cumin/ (fetch)
github	https://github.com/wikimedia/cumin/ (push)
origin	ssh://anarcat@gerrit.wikimedia.org:29418/operations/software/cumin.git (fetch)
origin	ssh://anarcat@gerrit.wikimedia.org:29418/operations/software/cumin.git (push)

anyone knows WTH is going on here?

@TheAnarcat: Hi and thanks for your patch! :) Your output lists Github but we don't use Github for patch review. Did you clone via git clone ssh://yourusername@gerrit.wikimedia.org:29418/operations/software/cumin.git as described in the Gerrit tutorial?

I did - as you can see, in the last command:

origin	ssh://anarcat@gerrit.wikimedia.org:29418/operations/software/cumin.git (push)

update: oh, i see: i did not *actually* clone from gerrit - i cloned from GitHub and added the gerrit remote after, which confused gerrit. after setting the upstream branch correctly, things work better. thanks for the hint!

patch now lives in https://gerrit.wikimedia.org/r/#/c/operations/software/cumin/+/497312 - let me know if i should expand it to cover ~/.config discovery and so on.

jcrespo mentioned this in rCUMIN2a676b533c05: Allow running cumin as a regular user.Apr 4 2019, 4:46 PM

jcrespo added a project: Patch-For-Review.Apr 4 2019, 5:01 PM

ping - i think we need someone to review this...

• crusnov moved this task from Backlog to In Code Review on the SRE-tools board.May 1 2019, 8:16 PM

I've replied to the CR.

oh i hadn't noticed tests had failed... fixed that and the other comment, hopefully we're all done here.