Quotation Ugliness

Chris Angelico rosuav at gmail.com
Wed Nov 26 11:13:59 EST 2014


On Thu, Nov 27, 2014 at 3:02 AM, Tim Daneliuk <tundra at tundraware.com> wrote:
> On 11/26/2014 10:00 AM, random832 at fastmail.us wrote:
>>
>> On Wed, Nov 26, 2014, at 10:55, Tim Daneliuk wrote:
>>>
>>> Nope.  Password only exists in memory locally.
>>
>>
>> How does it send it to the remote sudo?
>>
>
> Over paramiko transport (ssh) and then only if it sees a custom
> string coming back from sudo asking for the pw.

So, it does get sent on stdin to whatever program is on the other end.

I would suggest a slightly safer approach: Instead of allowing a
password to be entered at the sudo prompt, first run "sudo -v" (maybe
-S as well to have it read stdin), which should be a self-contained
"prompt for sudo password" command. Then have the actual command run
as "sudo -n" for non-interactive mode. With most sane sudo setups,
that should work, and it'll guarantee (as long as your I/O streams are
separate for the separate programs) that the password will never be
sent to the wrong program.

Even so, I think your setup is pretty fragile. You'll do far better to
reconfigure sudo than to try to fiddle all this around.

ChrisA
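
The two-step approach suggested in the message above, as an added example (not code from this thread or from the tool being discussed). The names `SudoError`, `paramiko_runner` and `sudo_run` are hypothetical, and the sketch assumes the remote sudo honours the credential cached by `sudo -v` when the second command runs on its own channel; if it does not, the code fails closed instead of sending the password again.

```python
import shlex

class SudoError(Exception):
    """Raised when credential validation or the non-interactive run fails."""

def paramiko_runner(client):
    """Adapt a connected paramiko.SSHClient: one new channel per command,
    so each remote program gets its own stdin/stdout/stderr."""
    def run(command, stdin_data=None):
        stdin, stdout, stderr = client.exec_command(command)
        if stdin_data is not None:
            stdin.write(stdin_data)
        stdin.channel.shutdown_write()  # EOF: this channel gets no more input
        out, err = stdout.read().decode(), stderr.read().decode()
        return stdout.channel.recv_exit_status(), out, err
    return run

def sudo_run(run, password, argv):
    """Validate with 'sudo -S -v', then run argv with 'sudo -n'.

    run(command, stdin_data) -> (exit_status, stdout, stderr) is a
    hypothetical transport callback. The password is handed only to the
    validation step, never to the channel that runs the real command.
    """
    rc, _, err = run("sudo -S -v -p ''", password + "\n")
    if rc != 0:
        raise SudoError("sudo -v rejected the password: " + err.strip())
    # -n makes sudo fail instead of prompting, so there is no prompt to
    # answer and the target program cannot receive the password on stdin.
    # Assumption: the credential cached above is valid for this channel.
    rc, out, err = run("sudo -n -- " + " ".join(shlex.quote(a) for a in argv))
    if rc != 0 and "password is required" in err:
        raise SudoError("no cached credential for this session; not retrying")
    return rc, out, err
```

With a real connection this would be called as `sudo_run(paramiko_runner(client), password, ["id", "-un"])`.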


