Execute resource - keeping SSH_AUTH_SOCK environment variable


#1

If I’m logged on as user1 with my SSH_AUTH_SOCK environment variable
set, and I run chef-solo which runs a command as user2, how can I have
user2’s command be able to access the SSH_AUTH_SOCK?

Joe


#2

Hello!

On Jan 4, 2011, at 2:33 AM, Joe Van Dyk wrote:

If I’m logged on as user1 with my SSH_AUTH_SOCK environment variable
set, and I run chef-solo which runs a command as user2, how can I have
user2’s command be able to access the SSH_AUTH_SOCK?

I’d make sure both users are in the same group (group and users managed with chef resources) and set the file mode of the SSH_AUTH_SOCK file to be group accessible.


Opscode, Inc
Joshua Timberman, Technical Evangelist
IRC, Skype, Twitter, Github: jtimberman



#3

Hi,

On Tue, Jan 4, 2011 at 17:33, Joe Van Dyk joe@fixieconsulting.com wrote:

If I’m logged on as user1 with my SSH_AUTH_SOCK environment variable
set, and I run chef-solo which runs a command as user2, how can I have
user2’s command be able to access the SSH_AUTH_SOCK?

The execute resource has an environment attribute:

http://wiki.opscode.com/display/chef/Resources#Resources-Execute

You could use it like this:

execute "/path/to/some/command" do
  user "user2"
  environment({"SSH_AUTH_SOCK" => ENV['SSH_AUTH_SOCK']})
end

Hope that helps,
Mike


#4

On Tue, Jan 4, 2011 at 3:40 AM, Mike Mazur mmazur@gmail.com wrote:

Hi,

On Tue, Jan 4, 2011 at 17:33, Joe Van Dyk joe@fixieconsulting.com wrote:

If I’m logged on as user1 with my SSH_AUTH_SOCK environment variable
set, and I run chef-solo which runs a command as user2, how can I have
user2’s command be able to access the SSH_AUTH_SOCK?

The execute resource has an environment attribute:

http://wiki.opscode.com/display/chef/Resources#Resources-Execute

You could use it like this:

execute "/path/to/some/command" do
  user "user2"
  environment({"SSH_AUTH_SOCK" => ENV['SSH_AUTH_SOCK']})
end

That doesn’t seem to fix the permissions though, you’d have to have
that user have access to both the directory the file is in and the
file itself.

Does ENV[‘SSH_AUTH_SOCK’] get evaluated when the recipe is actually
running then?

I worked around it by chowning everything in “/tmp/ssh-*” to the user
running the command, but that really is terrible.

Joe
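
Added example, not part of the thread: a Ruby check for the point raised in #4 that user2 needs access to both the directory and the socket file. It lists which path components block a given uid, using classic mode bits only (POSIX ACLs are ignored); the function names are made up for this example.

```ruby
require "etc"

# Classic Unix mode-bit check (assumption: no POSIX ACLs in play).
# want is a bit mask: 4 = read, 2 = write, 1 = execute/search.
def mode_allows?(stat, uid, gids, want)
  return true if uid == 0
  shift = if stat.uid == uid then 6
          elsif gids.include?(stat.gid) then 3
          else 0
          end
  ((stat.mode >> shift) & want) == want
end

# Walk from / down to the socket. Every directory needs search (x) for the
# target user; the socket itself needs write, which Linux requires to connect.
def socket_access_report(sock_path, uid, gids)
  parts = File.expand_path(sock_path).split("/").reject(&:empty?)
  walked = "/"
  report = [{ path: "/", need: "x", ok: mode_allows?(File.stat("/"), uid, gids, 1) }]
  parts.each_with_index do |part, i|
    walked = File.join(walked, part)
    last = (i == parts.size - 1)
    report << { path: walked, need: last ? "w" : "x",
                ok: mode_allows?(File.stat(walked), uid, gids, last ? 2 : 1) }
  end
  report
end

# Paths the given uid/gids cannot pass, in order from / to the socket.
def blockers(sock_path, uid, gids)
  socket_access_report(sock_path, uid, gids).reject { |r| r[:ok] }.map { |r| r[:path] }
end

# Resolve a user name to [uid, all gids] from the local passwd/group databases.
def ids_for(name)
  pw = Etc.getpwnam(name)
  gids = [pw.gid]
  Etc.group { |g| gids << g.gid if g.mem.include?(name) }
  [pw.uid, gids.uniq]
end

# Hypothetical invocation: ruby check_sock.rb user2
if __FILE__ == $PROGRAM_NAME && ENV["SSH_AUTH_SOCK"] && ARGV[0]
  uid, gids = ids_for(ARGV[0])
  blockers(ENV["SSH_AUTH_SOCK"], uid, gids).each { |p| puts "no access: #{p}" }
end
```

A clean result covers the filesystem side only: OpenSSH's ssh-agent also compares the connecting peer's effective uid with its own and accepts only a match or root.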


#5

Hi,

On Wed, Jan 5, 2011 at 07:35, Joe Van Dyk joe@fixieconsulting.com wrote:

On Tue, Jan 4, 2011 at 3:40 AM, Mike Mazur mmazur@gmail.com wrote:

On Tue, Jan 4, 2011 at 17:33, Joe Van Dyk joe@fixieconsulting.com wrote:

If I’m logged on as user1 with my SSH_AUTH_SOCK environment variable
set, and I run chef-solo which runs a command as user2, how can I have
user2’s command be able to access the SSH_AUTH_SOCK?

The execute resource has an environment attribute:

http://wiki.opscode.com/display/chef/Resources#Resources-Execute

You could use it like this:

execute "/path/to/some/command" do
  user "user2"
  environment({"SSH_AUTH_SOCK" => ENV['SSH_AUTH_SOCK']})
end

That doesn’t seem to fix the permissions though, you’d have to have
that user have access to both the directory the file is in and the
file itself.

Ah yes, re-reading your email I realize you need access to the socket,
not just the value in the environment variable.

Does ENV[‘SSH_AUTH_SOCK’] get evaluated when the recipe is actually
running then?

I think you’re right on that, too.

I worked around it by chowning everything in “/tmp/ssh-*” to the user
running the command, but that really is terrible.

How are you running this command as user2, with the "user ‘user2’"
attribute in the execute resource? I wonder if prefixing your command
with ‘sudo -u user2’ would work better?

Mike