Restrictive PATH with sudo
Ilya Dmitrichenko
errordeveloper at gmail.com
Fri Jan 16 13:44:02 UTC 2015
I've submitted this to the bug tracker (https://bugs.launchpad.net/snappy-ubuntu/+bug/1411671).
On Sat Jan 10 2015 at 12:18:33 PM Ilya Dmitrichenko <errordeveloper at gmail.com> wrote:
> Hi Jamie,
>
> I understood that sudo's secure_path aspect. And I also see that invoking
> docker command doesn't indeed require root privileges. However, I am trying
> to make it work with weave (https://github.com/zettio/weave), which runs
> docker from a shell script that also runs ip and iptables commands that do
> require root privileges. I should have provided more context to this from
> the beginning.
>
> Cheers,
>
>
> --
> Ilya
>
> On Sat, 10 Jan 2015 11:39 Jamie Strandboge <jamie at canonical.com> wrote:
>
>> On 01/07/2015 12:26 PM, Ilya Dmitrichenko wrote:
>> > Hi List,
>> >
>> Hi!
>>
>> > Currently one cannot run `sudo docker`, or any other app installed with snappy.
>> > Has there been any motivation behind this or is it just a bug?
>> >
>> /etc/sudoers is currently set up to use both env_reset and secure_path. Because
>> the 'docker' command is found in ~/snappy-bin and this path is not part of
>> sudo's secure_path, sudo is not finding it. I confirmed this on the alpha image
>> and the most recent promoted image.
>>
>> Note that as the 'ubuntu' user in the snappy images, you don't have to use sudo
>> at all-- the 'ubuntu' user is part of the 'docker' group which should be all you
>> need to use the docker cli command.
>>
>> To run arbitrary snappy app commands under sudo, for now you can do:
>> $ sudo ~/snappy-bin/<cmd>
>>
>> Eg:
>> $ sudo ~/snappy-bin/docker version
>> ...
>> Client version: 1.3.2-dev
>> Client API version: 1.16
>> Go version (client): go1.3.3
>> Git commit (client): 906c721-dirty
>> OS/Arch (client): linux/amd64
>> Server version: 1.3.2-dev
>> Server API version: 1.16
>> Go version (server): go1.3.3
>> Git commit (server): 906c721-dirty
>>
>>
>> Note to users: ~/snappy-bin is being removed in favor of a cleaner solution.
>>
>> Note to snappy devs: we'll need to consider the sudo use case when
>> designing/implementing the cleaner solution.
>>
>> --
>> Jamie Strandboge http://www.ubuntu.com/
>>
>
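The lookup behaviour described in the thread, as an added example that is not part of the original messages: a PATH-style search finds `docker` through the user's PATH, misses it through a secure_path that lacks ~/snappy-bin, and skips the search entirely when a full path is given. It only models the directory search and never invokes sudo; the temporary tree, the stub binary and the secure_path directory list are constructed for illustration.

```shell
#!/bin/sh
# Added example: models a PATH-style lookup; it does not invoke sudo.

# Print the first executable match for name $1 in colon-separated list $2.
# Returns 1 when nothing matches. Empty list entries are skipped here.
resolve_in_path() {
    cmd=$1 dirs=$2
    case $cmd in
        */*)  # a name containing a slash is used as given, no search
            if [ -x "$cmd" ] && [ ! -d "$cmd" ]; then
                printf '%s\n' "$cmd"; return 0
            fi
            return 1 ;;
    esac
    old_ifs=$IFS; IFS=:; set -f
    set -- $dirs                # split on ':' without globbing
    set +f; IFS=$old_ifs
    for d in "$@"; do
        [ -n "$d" ] || continue
        if [ -x "$d/$cmd" ] && [ ! -d "$d/$cmd" ]; then
            printf '%s\n' "$d/$cmd"; return 0
        fi
    done
    return 1
}

# Constructed fixture: a throwaway tree with a stub 'docker' in snappy-bin.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/ubuntu/snappy-bin" "$root/usr/bin"
    printf '#!/bin/sh\necho stub\n' > "$root/home/ubuntu/snappy-bin/docker"
    chmod +x "$root/home/ubuntu/snappy-bin/docker"
    printf '%s\n' "$root"
}

demo() {
    r=$(make_fixture) || return 1
    bin=$r/home/ubuntu/snappy-bin
    user_path=$bin:$r/usr/bin                          # user's own PATH
    secure_path=$r/usr/sbin:$r/usr/bin:$r/sbin:$r/bin  # assumed secure_path
    echo "user PATH:   $(resolve_in_path docker "$user_path" || echo 'not found')"
    echo "secure_path: $(resolve_in_path docker "$secure_path" || echo 'not found')"
    echo "full path:   $(resolve_in_path "$bin/docker" "$secure_path" || echo 'not found')"
    rm -rf "$r"
}
demo
```
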