Quotation Ugliness

Chris Angelico rosuav at gmail.com
Wed Nov 26 17:13:59 CET 2014


On Thu, Nov 27, 2014 at 3:02 AM, Tim Daneliuk <tundra at tundraware.com> wrote:
> On 11/26/2014 10:00 AM, random832 at fastmail.us wrote:
>>
>> On Wed, Nov 26, 2014, at 10:55, Tim Daneliuk wrote:
>>>
>>> Nope.  Password only exist in memory locally.
>>
>>
>> How does it send it to the remote sudo?
>>
>
> Over paramiko transport (ssh) and then only if it sees a custom
> string coming back from sudo asking for the pw.

So, it does get sent on stdin to whatever program is on the other end.

I would suggest a slightly safer approach: Instead of allowing a
password to be entered at the sudo prompt, first run "sudo -v" (maybe
-S as well to have it read stdin), which should be a self-contained
"prompt for sudo password" command. Then have the actual command run
as "sudo -n" for non-interactive mode. With most sane sudo setups,
that should work, and it'll guarantee (as long as your I/O streams are
separate for the separate programs) that the password will never be
sent to the wrong program.

Even so, I think your setup is pretty fragile. You'll do far better to
reconfigure sudo than to try to fiddle all this around.

ChrisA



More information about the Python-list mailing list