In GUI the user Elevate to root not working
In Debian 10 python 3.7.3 and ajenti 2.1.37.
After a manual fresh minimal install with the below authentication configuration in config.yml:
auth:
  allow_sudo: true
  provider: os
  user_config: os
I successfully authenticated a non-root user and wanted to elevate to root, but it is not working. I got an authentication error and two unhandled exception pop-ups.
I found in ajenti/ajenti-core/aj/auth.py, in the class AuthenticationService(), the
def check_sudo_password(self, username, password):
function, which handles authentication and uses sudo.
The unhandled exceptions occur at o, e = sudo.communicate(password + '\n'), because the communicate function's parameters must be bytes and it returns bytes.
These changes solved the unhandled exceptions:
o, e = sudo.communicate(input=(password + '\n').encode('utf-8'))
...
# o and e are bytes here, so they are decoded (bytes has no .encode method)
raise SudoError((o + e).decode('utf-8').splitlines()[-1].strip())
My second problem was sudo.
In Debian 10, sudo validates the invoking user’s credentials by default, not the target user’s credentials. aj is sending the target user’s credentials, but sudo runs as the aj server process user, like “nobody” in my case.
By default, the “sudoers” file does not contain “nobody” user settings and has no password. Therefore, authentication cannot be successful.
In my case the sudo command gets the “nobody” user’s password and it runs “ls” with “<username>” privileges.
What was the purpose of using sudo -S -k -u <username> -- ls?
To make sudo authentication work I added the following lines to the “sudoers” file:
Defaults:nobody targetpw
nobody ALL=(ALL) /bin/ls
The first line enables target user authentication for the “nobody” user.
I hope I could help.
Issue Analytics
- Created 3 years ago
- Comments:8 (3 by maintainers)
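The bytes handling described in the issue above, as an added example that is not part of the original issue or Ajenti's own code: the password is encoded before it is written to the child's stdin, and the child's output is decoded before the last line is used as the error message. The names `check_password_via_stdin`, `fake_sudo` and the `timeout` parameter are assumptions of this example; `fake_sudo` is a constructed stand-in for sudo so the block runs without privileges.

```python
import subprocess
import sys


class SudoError(Exception):
    """Raised when the password check command rejects the password."""


def check_password_via_stdin(argv, password, timeout=10):
    """Run argv, feed it the password on stdin as bytes, return True on success.

    argv is an assumption of this example: the caller passes the full command,
    e.g. ['sudo', '-S', '-k', '-u', username, '--', 'ls'] as quoted in the issue.
    """
    proc = subprocess.Popen(
        argv,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    try:
        # Pipes are binary by default in Python 3: encode on the way in.
        out, err = proc.communicate((password + '\n').encode('utf-8'), timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.communicate()
        raise SudoError('password check timed out')
    if proc.returncode == 0:
        return True
    # Decode on the way out; errors='replace' tolerates non-UTF-8 locales.
    lines = (out + err).decode('utf-8', errors='replace').splitlines()
    # Guard against empty output so [-1] cannot raise IndexError.
    raise SudoError(lines[-1].strip() if lines else 'exit status %d' % proc.returncode)


def fake_sudo(expected):
    """Constructed stand-in for sudo: exits 0 only if stdin carries `expected`."""
    code = (
        "import sys\n"
        "ok = sys.stdin.readline().rstrip('\\n') == %r\n"
        "ok or sys.stderr.write('Sorry, try again.\\n')\n"
        "sys.exit(0 if ok else 1)\n" % expected
    )
    return [sys.executable, '-c', code]
```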
Top GitHub Comments
Hello @dsonbill
I forgot this one. I think changing :
onto
in /usr/local/lib/python3.6/dist-packages/aj/auth.py at line 158 (and then restart Ajenti) should do the trick.
Regards
Arnaud
Hello @CyberCyclone
It’s normal to have to give the password again. If you can post some errors from /var/log/ajenti/ajenti.log I can have a look at it. New version should come soon.