~alpine/users

2 2

struggling with apk in unattended session

<spam@ipik.org>
Details
Message ID
<C0618675-855E-42C4-86AC-F8C7A82F6E41@ipik.org>
DKIM signature
missing
Download raw message
5 years ago 
Hi,

I’m trying to run apk command in an embedded system under no end-user
console/ssh interaction.
The set of scripts running the apk command works great when launched
from ssh session (produces output and log), or for instance, if it is
gated by an acpid input device (thus under root)
However, when launched by another process ( owned by user “joe”, who
has sudo rights on script), apk command seems to block: other preceding
commands do produce expected results and logs, but it stumbles on apk.

Are there any special consideration to take care about with apk in such
scenario?
Thanks for any tip!

macmpi


Some code snippets to explain:

Result: stuff1 & stuff 3 are performed (so setup-mystuff entry passes
the sudo test!), but apk, stuff4 (and stuff2) never happen, and no
trace appear on /tmp/update.log nor /var/log/messages

cat /usr/local/bin/update
#!/bin/sh
# do stuff1 here
./setup-mystuff > /tmp/update.log 2>&1
# do stuff2 here

cat /tmp/setup-mystuff
#!/bin/sh
! [ $(id -u) = 0 ] && { echo >&2 "Please run as root"; exit 1; }
# do stuff3 here
apk add <some_package>
# do stuff4 here

sudo visudo -f /etc/sudoers.d/010_joe-nopasswd
joe ALL=(root) NOPASSWD: /usr/local/bin/update
Wolf <wolf@wolfsden.cz>
Details
Message ID
<20200426002704.azrjjvoqhyhcsx4g@wolfsden.cz>
In-Reply-To
<C0618675-855E-42C4-86AC-F8C7A82F6E41@ipik.org> (view parent)
DKIM signature
missing
Download raw message
5 years ago 
Hello,

On 2020-04-24 16:29:39 +0200, spam@ipik.org wrote:
> I’m trying to run apk command in an embedded system under no end-user
> console/ssh interaction.
> The set of scripts running the apk command works great when launched
> from ssh session (produces output and log), or for instance, if it is
> gated by an acpid input device (thus under root)
> However, when launched by another process ( owned by user “joe”, who
> has sudo rights on script), apk command seems to block: other preceding
> commands do produce expected results and logs, but it stumbles on apk.
> 
> Are there any special consideration to take care about with apk in such
> scenario?
> Thanks for any tip!

I'm not aware of anything specific and to the best of my (limited)
knowledge I would expect your snippets to work.

Any chance you could put together steps to reproduce this in for example
alpine docker container? Ideally starting from clean docker run alpine,
step by step. That would probably help with figuring out the issue quite
a bit.



W.

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
<spam@ipik.org>
Details
Message ID
<01E8F5A8-4851-47B0-97EE-DBECB9B8C779@ipik.org>
In-Reply-To
<20200426002704.azrjjvoqhyhcsx4g@wolfsden.cz> (view parent)
DKIM signature
missing
Download raw message
5 years ago 
I finally found it: there were 2 problems with same root cause.

joe user is a no-login user, so I missed to make it part of wheel!...
adduser joe wheel

Then the second (nasty) bit is that PATH is not fully set for such user:
while /bin/ and /usr/bin are in, /sbin is not! (where apk lies...)
Therefore on need to run script with sh —login (or sh -l).

Working snippet becomes:

cat /usr/local/bin/update
#!/bin/sh
# do stuff1 here
cd /tmp
sh --login setup-mystuff > /tmp/update.log 2>&1   # fixed !
# do stuff2 here

cat /tmp/setup-mystuff
#!/bin/sh
! [ $(id -u) = 0 ] && { echo >&2 "Please run as root"; exit 1; }
# do stuff3 here
apk add <some_package>
# do stuff4 here

sudo visudo -f /etc/sudoers.d/010_joe-nopasswd
joe ALL=(root) NOPASSWD: /usr/local/bin/update
Reply to thread Export thread (mbox)