sudoers file for rvmsudo passenger-install-apache2-module - bash

BACKGROUND:
I have an application that is freshly deployed every day -- a VM is created, and then root for that system creates a "systemuser", which then installs the application.
It's running:
CentOS 6
RVM
Ruby 1.8.7 on Rails
passenger
The way it's set up, I have to have Ruby on Rails install itself, and install passenger. To this end the user running the service has sudo powers, but the intention is to only allow the commands needed during installation. For security and maintainability reasons we cannot put the sudo password in the script.
my /etc/sudoers includes:
systemuser ALL = NOPASSWD: /usr/bin/env, /bin/bash, /usr/local/rvm/rubies/ruby-1.8.7-p358/bin/gem, /bin/cp, /bin/ln, /bin/mv, /bin/rm, /etc/init.d/httpd *
THE PROBLEM:
Until recently a variant of this worked great. However recently something changed somewhere (?) and the rvmsudo command no longer executes without a password prompt.
$ rvmsudo passenger-install-apache2-module
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for systemuser:
THE QUESTION:
What is the minimal set of commands that should be in /etc/sudoers to install rvm, ruby, bundler/gem, and then passenger2 on apache?
Yes, I've read the "documentation" at https://rvm.io/integration/passenger/
Creative solutions welcomed! I realize one may say this looks like a pretty hacky system, and I'd agree with you. But at the moment it's hard for me to improve it without understanding what commands are being run by this passenger install script.
Removing "env" and "bash" from the front and adding "rvm" gets a little farther:
systemuser ALL = NOPASSWD: /usr/local/rvm/bin/rvmsudo, /usr/local/rvm/gems/ruby-1.8.7-p358/bin/passenger-install-apache2-module, /bin/cp, /bin/ln, /bin/mv, /bin/rm, /etc/init.d/httpd *
running this:
$ rvmsudo passenger-install-apache2-module
[sudo] password for systemuser:
Thanks for your attention!

/usr/bin/env is a router allowing to run any command, the same for /bin/bash, you would have to add which passenger-install-apache2-module instead of them.

Related

Vagrant stalling on boot

I am trying to get a virtual machine working with Vagrant. Everything seems to run fine and it begins to unpack/install all the needed files. But every single time it just stalls when I get to this point.
==> default: Setting up grub-pc (2.02~beta2-36ubuntu3.11) ...
Here is a screen shot of what is going on:
I shut down the virtual machine and booted it back up. I can ssh into it but nothing seems to work. By this I mean there is no psql, no SQLAlchemy. These, among other things, are supposed to be set up in the VM. It seems as if it halts before installing the necessary software.
I've tried vagrant destroy and reinstalling, downloading a new image in case that one was corrupt and I tried reinstalling Vagrant. I am running Vagrant 1.9.5
Looks like you're provisioning with shell commands. I'm guessing that there's some sort of install prompt that's coming up and demanding some sort of user interaction / response. Because vagrant's handling the provisioning behind the scenes, you can't respond to the prompt and the install is not continuing.
You should be able to fix the issue by editing your Vagrantfile. As a guess, it looks like grub-pc is causing the issue (there's actually a grub-pc command prompt in the image you shared). See if you can figure out which package is installing grub-pc. If you're lucky, the problem can be solved by piping in a yes along with the install command (which will automatically answer yes to all install questions). This looks something like yes | sudo apt-get install grub-pc. If grub-pc is being installed as part of another package, you'll need to do some educated guessing to figure out which package is installing it and adding the yes | apt-get pipe to that install line (or just add the pipe before every install line).
This being said, I ran into an issue when I was installing the Java SDK on vagrant, where Oracle was demanding I accept their terms of use before the install would complete and a yes pipe wouldn't solve the issue. I was able to fix it by searching the web for "silent java sdk install via command line". If you can figure out which package is causing the issue, and a yes pipe isn't enough, searching for how to "silently" install that package via command line should help.
UPDATE
As you can see in a comment on this answer
Unfortunately a yes pip didn't do the trick this time but a quick
search on how to "silently" install grub led me to this.
DEBIAN_FRONTEND=noninteractive apt-get -y -o
Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold"
upgrade . After editing my Vagrant file it worked perfectly

Ruby gem executable with SUID not working as it should

As you may see by the image below, I changed the ownership of my emerald_setupscript to root:root and also set the SUID.
It happens that when I install the gem and check this script, it belongs to edvaldo:edvaldo (my user name) and has no SUID at all!
I don't know exactly what is happening, but this script makes changes to /etc/hosts and also creates some firewall rules. This requires root privileges.
So, my questions are:
What am I missing in this case of the SUID?
How must I proceed to make sure the gem executable will have the SUID set?
Of course I know I could ask the user to run this script using
$ sudo emerald_setup
but this would lead me to another problem, since the gem executable is installed in user space and its location is NOT in superuser's path and setting this (guess what?!) requires superuser privileges.
Any suggestions?
You cannot pack up a program/script with suid privileges in a gem (or even a tarball) and have those privileges be restored when unpacking as a regular user. At some point, whoever installs your gem is going to have supply the password for root access. You could arrange for this to happen when the gem is installed by having the :install target of the gem Rakefile run a script which would prompt the user for su(do) password and then use sudo to run the commands that need to be run as root, though.

Grunt-contrib-sass or the sass gem is not working when using git push

I'm pretty sure I've tracked the issue down to Node.js not seeing Sass, but I have no clue why...
If I push from my laptop using:
git push lamp somebranch:master, the server remotely checks it out fine, runs npm install without error, and starts processing the gruntfile, but then aborts with "remote: Warning: spawn ENOENT Use --force to continue."
However, (after I push from my laptop like above) I can ssh in, cd into my hooks directory and run ./post-receive and it finishes "Done, without errors." I also tried running grunt in the website's root and it also completed without error.
Any ideas as to what might be going on? I'm completely stumped. Should I set paths to the sass gem in the hook? I scrapped down my gruntfile to use the same target locally as well as on the server to rule out the gruntfile. It compiles fine locally, compiles fine on the server, but fails only when using git push lamp somebranch:master.
Some may wonder why I just didn't compile locally and dump the css into the web root from the devel box... perhaps I should. This time though, I really wanted Push-to-deploy all the way through, compiles and all. For anyone attempting the same thing and running into the same problem, this should help.
First off, it probably wouldn't hurt to scrub the system of any versions of ruby and sass that were installed via the distro's package manager. Then I scrubbed any remnants of previous tinkering with rvm implode and removed traces from .bashrc, etc. Next I ran \curl -sSL https://get.rvm.io | bash -s stable --ruby --auto-dotfiles and pressed ctrl-c to fix any errors first. Once the install script was happy, I let it download and install as normal. I did not have to use rvm install n.n.n,rvm use n.n.n, or rvm use n.n.n --default as 2.2.1 was pulled in like I wanted anyway and seemed fine. After rvm had setup ruby, I then ran gem install sass
Now, the end-all-be-all... using PermitUserEnvironment, like had been mentioned here: How to use sshd-config permituserenvironment option was the way to go. I saw that there were security concerns with that method, but it was the only thing that worked and I won't be trying to run limited shells. It is normal behavior for SSH to not allow the env vars when not using a login shell. I assumed, however, that the git hooks had full access to the user's normal vars (with ruby paths, etc.) and that assumption was incorrect. Add PermitUserEnvironment yes to the server's /etc/ssh/sshd_config or the like and restart the ssh daemon. As the user on the server, I ran env and copied that into .ssh/environment and cleaned up what wasn't needed. After that, I did my git push from the devel box and it found and ran the sass compiler just fine.

How to execute Ruby Script from LAMP Web Application

I have installed rvm (mutiuser option) and ruby using "rvm install" on my test server running Ubuntu.
If I log in and execute "ruby test.rb", the script runs correctly.
But If I execute it using "exec" from my php code, I get an error.
If I "su www-data" and try to execute the script then I get the same error, so I guess the question is how to get "www-data" to have the correct environment to execute Ruby scripts. I've already tried adding "www-data" to "rvm" group and doesn't work. If I give the full path to Ruby bin, then the script executes, but fails when requiring gems.
I've also tried executing a .sh where the fist line is "rvm use ruby-xxx" and the second line is "ruby test.rb" and doesn't work either.
Should I install Ruby using "apt-get install"?
Thanks a lot.
Hm, I don't know about multi-user version, but if you were running a single user version, you could run scripts as that user, like this:
/bin/su - postgres -c "/path/to/backup_db.sh /tmp/test"
See this question and answers.

How do I update Ruby Gems from behind a Proxy (ISA-NTLM)

The firewall I'm behind is running Microsoft ISA server in NTLM-only mode. Hash anyone have success getting their Ruby gems to install/update via Ruby SSPI gem or other method?
... or am I just being lazy?
Note: rubysspi-1.2.4 does not work.
This also works for "igem", part of the IronRuby project
For the Windows OS, I used Fiddler to work around the issue.
Install/Run Fiddler from www.fiddler2.com
Run gem:
$ gem install --http-proxy http://localhost:8888 $gem_name
I wasn't able to get mine working from the command-line switch but I have been able to do it just by setting my HTTP_PROXY environment variable. (Note that case seems to be important). I have a batch file that has a line like this in it:
SET HTTP_PROXY=http://%USER%:%PASSWORD%#%SERVER%:%PORT%
I set the four referenced variables before I get to this line obviously. As an example if my username is "wolfbyte", my password is "secret" and my proxy is called "pigsy" and operates on port 8080:
SET HTTP_PROXY=http://wolfbyte:secret#pigsy:8080
You might want to be careful how you manage that because it stores your password in plain text in the machine's session but I don't think it should be too much of an issue.
This totally worked:
gem install --http-proxy http://COMPANY.PROXY.ADDRESS $gem_name
I've been using cntlm (http://cntlm.sourceforge.net/) at work. Configuration is very similar to ntlmaps.
gem install --http-proxy http://localhost:3128 _name_of_gem_
Works great, and also allows me to connect my Ubuntu box to the ISA proxy.
Check out http://cntlm.wiki.sourceforge.net/ for more information
I tried some of these solutions, and none of them worked. I finally found a solution that works for me:
gem install -p http://proxy_ip:proxy_port rails
using the -p parameter to pass the proxy. I'm using Gem version 1.9.1.
Create a .gemrc file (either in /etc/gemrc or ~/.gemrc or for example with chef gem in /opt/chef/embedded/etc/gemrc) containing:
http_proxy: http://proxy:3128
Then you can gem install as usual.
This solved my problem perfectly:
gem install -p http://proxy_ip:proxy_port compass
You might need to add your user name and password to it:
gem install -p http://[username]:[password]#proxy_ip:proxy_port compass
If you are having problems getting authenticated through your proxy, be sure to set the environment variables in exactly the format below:
set HTTP_PROXY=some.proxy.com
set HTTP_PROXY_USER=user
set HTTP_PROXY_PASS=password
The user:password# syntax doesn't seem to work and there are also some badly named environment variables floating around on Stack Overflow and various forum posts.
Also be aware that it can take a while for your gems to start downloading. At first I thought it wasn't working but with a bit of patience they started downloading as expected.
Quick answer : Add proxy configuration with parameter for both install/update
gem install --http-proxy http://host:port/ package_name
gem update --http-proxy http://host:port/ package_name
I tried all the above solutions, however none of them worked. If you're on linux/macOS i highly suggest using tsocks over an ssh tunnel. What you need in order to get this setup working is a machine where you can log in via ssh, and in addition to that a programm called tsocks installed.
The idea here is to create a dynamic tunnel via SSH (a socks5 proxy). We then configure tsocks to use this tunnel and to start our applications, in this case:
tsocks gem install ...
or to account for rails 3.0:
tsocks bundle install
A more detailed guide can be found under:
http://blog.byscripts.info/2011/04/bypass-a-proxy-with-ssh-tunnel-and-tsocks-under-ubuntu/
Despite being written for Ubuntu the procedure should be applicable for all Unix based machines. An alternative to tsocks for Windows is FreeCap (http://www.freecap.ru/eng/). A viable SSH client on windows is called putty.
Posts abound regarding this topic, and to help others save hours of trying different solutions, here is the final result of my hours of tinkering.
The three solutions around the internet at the moment are:
rubysspi
apserver
cntlm
rubysspi only works from a Windows machine, AFAIK, as it relies on the Win32Api library. So if you are on a Windows box trying to run through a proxy, this is the solution for you. If you are on a Linux distro, you're out of luck.
apserver seems to be a dead project. The link listed in the posts I've seen lead to 404 page on sourceforge. I search for "apserver" on sourceforge returns nothing.
The sourceforge link for cntlm that I've seen redirects to http://cntlm.awk.cz/, but that times out. A search on sourceforge turns up this link, which does work: http://sourceforge.net/projects/cntlm/
After downloading and configuring cntlm I have managed to install a gem through the proxy, so this seems to be the best solution for Linux distros.
A workaround is to install http://web.archive.org/web/20060913093359/http://apserver.sourceforge.net:80/ on your local machine, configure it and run gems through this proxy.
Install: Just download apserver 097 (and not the experimental 098!) and unpack.
Configure: Edit the server.cfg file and put the values for your MS proxy in PARENT_PROXY and PARENT_PROXY_PORT. Enter the values for DOMAIN and USER. Leave PASSWORD blank (nothing after the colon) – you will be prompted when launching it.
Run apserver: cd aps097; python main.py
Run Gems: gem install—http-proxy http://localhost:5865/ library
I am working behind a proxy and just installed SASS by downloading directly from http://rubygems.org.
I then ran sudo gem install [path/to/downloaded/gem/file]. I cannot say this will work for all gems, but it may help some people.
This worked for me in a Windows box:
set HTTP_PROXY=http://server:port
set HTTP_PROXY_USER=username
set HTTP_PROXY_PASS=userparssword
set HTTPS_PROXY=http://server:port
set HTTPS_PROXY_USER=username
set HTTPS_PROXY_PASS=userpassword
I have a batch file with these lines that I use to set environment values when I need it.
The trick, in my case, was HTTPS_PROXY sets. Without them, I always got a 407 proxy authentication error.
If you are on a *nix system, use this:
export http_proxy=http://${proxy.host}:${port}
export https_proxy=http://${proxy.host}:${port}
and then try:
gem install ${gem_name}
rubysspi-1.3.1 worked for me on Windows 7, using the instructions from this page:
http://www.stuartellis.eu/articles/installing-ruby/
If you want to use SOCKS5 proxy, you may try rubygems-socksproxy https://github.com/gussan/rubygems-socksproxy.
It works for me on OSX 10.9.3.
If behind a proxy, you can navigate to Ruby downloads, click on Download, which will download the specified update ( or Gem ) to a desired location.
Next, via Ruby command line, navigate to the downloaded location by using : pushd [directory]
eg : pushd D:\Setups
then run the following command: gem install [update name] --local
eg: gem install rubygems-update --local.
Tested on Windows 7 with Ruby update version 2.4.1.
To check use following command : ruby -v
Rather than editing batch files (which you may have to do for other Ruby gems, e.g. Bundler), it's probably better to do this once, and do it properly.
On Windows, behind my corporate proxy, all I had to do was add the HTTP_PROXY environment variable to my system.
Start -> right click Computer -> Properties
Choose "Advanced System Settings"
Click Advanced -> Environment Variables
Create a new System variable named "HTTP_PROXY", and set the Value to your proxy server
Reboot or log out and back in again
Depending on your authentication requirements, the HTTP_PROXY value can be as simple as:
http://proxy-server-name
Or more complex as others have pointed out
http://username:password#proxy-server-name:port-number
for anyone tunnelling with SSH; you can create a version of the gem command that uses SOCKS proxy:
Install socksify with gem install socksify (you'll need to be able to do this step without proxy, at least)
Copy your existing gem exe
cp $(command which gem) /usr/local/bin/proxy_gem
Open it in your favourite editor and add this at the top (after the shebang)
require 'socksify'
if ENV['SOCKS_PROXY']
require 'socksify'
host, port = ENV['SOCKS_PROXY'].split(':')
TCPSocket.socks_server = host || 'localhost'
TCPSocket.socks_port = port.to_i || 1080
end
Set up your tunnel
ssh -D 8123 -f -C -q -N user#proxy
Run your gem command with proxy_gem
SOCKS_PROXY=localhost:8123 proxy_gem push mygem

Resources