www-data python run sudo command as another user error password required


Hello, I have a Django project hosted on an Apache Ubuntu Google VM. I use git both to update the server code and to back up the db files. To avoid having to ssh in and do the repetitive git tasks over and over, I am trying to code some buttons on the admin page that will run the git scripts. The way git is set up, I need to run git as a specific user to use the correct ssh keys. My thought was to allow www-data to sudo as tris (the git user) on a very limited set of commands. I attempted to do this by modifying the sudoers file shown below.

# 
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

I did as was asked and created a file in /etc/sudoers.d/ called git with the following contents and rebooted the VM:

www-data ALL=(tris) NOPASSWD: /usr/bin/git pull
www-data ALL=(tris) NOPASSWD: /usr/bin/git add db.sqlite3
www-data ALL=(tris) NOPASSWD: /usr/bin/git commit -m "server sync"
www-data ALL=(tris) NOPASSWD: /usr/bin/git push

The test python script that is trying to run these commands is shown below:

    from subprocess import run, PIPE

    # Change into the repo, then run the git steps as the git user via sudo
    commands = [
        'cd /home/tris/DjangoSite/;',
        '''sudo -i -u tris bash -c '/usr/bin/git add db.sqlite3; /usr/bin/git commit -m "server sync"; /usr/bin/git push;' '''
    ]
    command = ' '.join(commands)
    # shell=True because the joined string relies on ';' and shell quoting
    p = run(command, stdout=PIPE, stderr=PIPE, shell=True)
    results = f"Push\nargs:\n{p.args}\nstdout:{p.stdout.decode('utf-8')}\nstderr:\n{p.stderr.decode('utf-8')}"
    print(results)

and finally this is the error it generates:

[Sun May 02 21:11:48.190725 2021] [wsgi:error] [pid 1412:tid 140452225025600] [remote <IP>:62498] Push
[Sun May 02 21:11:48.190771 2021] [wsgi:error] [pid 1412:tid 140452225025600] [remote <IP>:62498] args:
[Sun May 02 21:11:48.190778 2021] [wsgi:error] [pid 1412:tid 140452225025600] [remote <IP>:62498] cd /home/tris/DjangoSite/; sudo -i -u tris bash -c '/usr/bin/git add db.sqlite3; /usr/bin/git commit -m "server sync"; /usr/bin/git push;'
[Sun May 02 21:11:48.190783 2021] [wsgi:error] [pid 1412:tid 140452225025600] [remote <IP>:62498] stdout:
[Sun May 02 21:11:48.190787 2021] [wsgi:error] [pid 1412:tid 140452225025600] [remote <IP>:62498] stderr:
[Sun May 02 21:11:48.190792 2021] [wsgi:error] [pid 1412:tid 140452225025600] [remote <IP>:62498] sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
[Sun May 02 21:11:48.190796 2021] [wsgi:error] [pid 1412:tid 140452225025600] [remote <IP>:62498] sudo: a password is required

Can someone please help identify which step I did incorrectly or missed? I have been banging my head against this for a while, and any help would be appreciated. Thanks!

Relevant group memberships:

tris@website:~/$ groups www-data
www-data : www-data
tris@website:~/$ groups tris
tris : tris adm dialout cdrom floppy audio dip video plugdev netdev lxd ubuntu google-sudoers

Requested ls -l /etc/sudoers.d:

sudo ls -l /etc/sudoers.d
total 20
-r--r----- 1 root root 144 Apr 27 04:04 90-cloud-init-users
-r--r----- 1 root root 958 Feb 18 00:03 README
-rw-r--r-- 1 root root 295 Apr 30 06:33 git
-r--r----- 1 root root  34 Apr 27 06:42 google-oslogin
-r--r----- 1 root root  43 Apr 27 04:05 google_sudoers

There is 1 best solution below


Merging all the commands into a single script, then adding the script to the sudoers file, worked.
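Added example (not the poster's or the answerer's code) of the calling side once a single script is used: the script path /usr/local/bin/git-sync.sh and the rule `www-data ALL=(tris) NOPASSWD: /usr/local/bin/git-sync.sh` are assumptions, and the script is assumed to be root-owned and not writable by www-data so that the sudo rule cannot be turned into arbitrary code execution as tris. The command is passed as an argv list with `sudo -n`, so sudo sees exactly the path in the rule and fails fast instead of trying to prompt from a WSGI worker.

```python
import subprocess

# Assumed (not from the original post): a root-owned, non-www-data-writable
# script that bundles the git steps, matched exactly by the sudoers rule
#   www-data ALL=(tris) NOPASSWD: /usr/local/bin/git-sync.sh
SYNC_SCRIPT = "/usr/local/bin/git-sync.sh"
GIT_USER = "tris"


def sync_argv(script=SYNC_SCRIPT, user=GIT_USER):
    """Build the exact argv that sudo matches against the sudoers rule.

    No shell, no login shell (-i) and no 'bash -c': the command sudo sees must
    be the script path itself or the NOPASSWD rule does not apply.  -n makes
    sudo fail instead of trying to read a password, which a WSGI worker cannot
    provide (that is the "a terminal is required" error in the question).
    """
    return ["sudo", "-n", "-u", user, script]


def run_sync(argv=None):
    """Run the sync command and classify the outcome for the admin page."""
    p = subprocess.run(argv or sync_argv(), capture_output=True, text=True)
    # sudo reports a missing or non-matching rule as a password requirement;
    # keep that distinct from a git failure so the operator knows where to look
    sudo_wants_password = "sudo:" in p.stderr and "password" in p.stderr
    return {
        "ok": p.returncode == 0,
        "returncode": p.returncode,
        "stdout": p.stdout,
        "stderr": p.stderr,
        "sudoers_mismatch": p.returncode != 0 and sudo_wants_password,
    }
```

Check the rule with `sudo -l -U www-data` on the server; if the script path does not appear there as a NOPASSWD entry, `run_sync` will report `sudoers_mismatch`.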