Switch between root and non-root user within a chef script

Chef Infra (archive)
1

Hi,

I’m writing a cookbook to set up a development environment on OS X. This
cookbook installs packages via Homebrew as well as .dmg packages. I am
using the homebrew cookbook https://github.com/opscode-cookbooks/homebrew
for the homebrew packages, and the dmg
cookbookhttps://github.com/opscode-cookbooks/dmg for
the .dmg packages.

I would like the script to run without any user input. Since the .dmg
packages require root permissions, they stop the script for the user to
enter their password. This could be alleviated by running the script with
sudo. However, Homebrew requires that it be run as non-root, so I cannot
run the script with sudo.

Any suggestions?

Thanks,

Andrew

2

You can either enable passwordless sudo by modifying /etc/sudoers (at least
for the life of the chef run) or sudo once before running chef, which will
allow you to continue to sudo without a password for the length of your
sudo timeout, which I believe is 5 minutes by default.

On Thu, Jul 25, 2013 at 5:19 PM, Andrew Sharp asharp@okta.com wrote:

Hi,

I'm writing a cookbook to set up a development environment on OS X. This
cookbook installs packages via Homebrew as well as .dmg packages. I am
using the homebrew cookbookhttps://github.com/opscode-cookbooks/homebrew
for the homebrew packages, and the dmg cookbookhttps://github.com/opscode-cookbooks/dmg for
the .dmg packages.

I would like the script to run without any user input. Since the .dmg
packages require root permissions, they stop the script for the user to
enter their password. This could be alleviated by running the script with
sudo. However, Homebrew requires that it be run as non-root, so I cannot
run the script with sudo.

Any suggestions?

Thanks,

Andrew

3

Thanks, the passwordless sudo idea might be the best option. But what about
the Homebrew problem? If I called the Chef script with sudo, Homebrew would
deliver an error. It won't be run as root.

On Thu, Jul 25, 2013 at 2:32 PM, JD Harrington psi@y0ru.net wrote:

You can either enable passwordless sudo by modifying /etc/sudoers (at
least for the life of the chef run) or sudo once before running chef, which
will allow you to continue to sudo without a password for the length of
your sudo timeout, which I believe is 5 minutes by default.

On Thu, Jul 25, 2013 at 5:19 PM, Andrew Sharp asharp@okta.com wrote:

Hi,

I'm writing a cookbook to set up a development environment on OS X. This
cookbook installs packages via Homebrew as well as .dmg packages. I am
using the homebrew cookbookhttps://github.com/opscode-cookbooks/homebrew
for the homebrew packages, and the dmg cookbookhttps://github.com/opscode-cookbooks/dmg for
the .dmg packages.

I would like the script to run without any user input. Since the .dmg
packages require root permissions, they stop the script for the user to
enter their password. This could be alleviated by running the script with
sudo. However, Homebrew requires that it be run as non-root, so I cannot
run the script with sudo.

Any suggestions?

Thanks,

Andrew

4

why not invoking chef as root, use the node['homebrew']['owner'] for the
hombrew user?

On Thu, Jul 25, 2013 at 2:19 PM, Andrew Sharp asharp@okta.com wrote:

Hi,

I'm writing a cookbook to set up a development environment on OS X. This
cookbook installs packages via Homebrew as well as .dmg packages. I am
using the homebrew cookbookhttps://github.com/opscode-cookbooks/homebrew
for the homebrew packages, and the dmg cookbookhttps://github.com/opscode-cookbooks/dmg for
the .dmg packages.

I would like the script to run without any user input. Since the .dmg
packages require root permissions, they stop the script for the user to
enter their password. This could be alleviated by running the script with
sudo. However, Homebrew requires that it be run as non-root, so I cannot
run the script with sudo.

Any suggestions?

Thanks,

Andrew

5

I'm saying run chef as your user. Just sudo at some point before, like a
bootstrap script that also installs chef or a small wrapper, to modify
/etc/sudoers. Assuming you don't want to leave passwordless ssh around, you
can change it back with a recipe at the end of the run.

Ranjib's suggestion might be better, though. That configuration wasn't in
the homebrew cookbook last time I used it!

On Thu, Jul 25, 2013 at 5:35 PM, Andrew Sharp asharp@okta.com wrote:

Thanks, the passwordless sudo idea might be the best option. But what
about the Homebrew problem? If I called the Chef script with sudo, Homebrew
would deliver an error. It won't be run as root.

On Thu, Jul 25, 2013 at 2:32 PM, JD Harrington psi@y0ru.net wrote:

You can either enable passwordless sudo by modifying /etc/sudoers (at
least for the life of the chef run) or sudo once before running chef, which
will allow you to continue to sudo without a password for the length of
your sudo timeout, which I believe is 5 minutes by default.

On Thu, Jul 25, 2013 at 5:19 PM, Andrew Sharp asharp@okta.com wrote:

Hi,

I'm writing a cookbook to set up a development environment on OS X. This
cookbook installs packages via Homebrew as well as .dmg packages. I am
using the homebrew cookbookhttps://github.com/opscode-cookbooks/homebrew
for the homebrew packages, and the dmg cookbookhttps://github.com/opscode-cookbooks/dmg for
the .dmg packages.

I would like the script to run without any user input. Since the .dmg
packages require root permissions, they stop the script for the user to
enter their password. This could be alleviated by running the script with
sudo. However, Homebrew requires that it be run as non-root, so I cannot
run the script with sudo.

Any suggestions?

Thanks,

Andrew

6

Yes Ranjib you just made my day. Thank you.

On Thu, Jul 25, 2013 at 2:43 PM, JD Harrington psi@y0ru.net wrote:

I'm saying run chef as your user. Just sudo at some point before, like a
bootstrap script that also installs chef or a small wrapper, to modify
/etc/sudoers. Assuming you don't want to leave passwordless ssh around, you
can change it back with a recipe at the end of the run.

Ranjib's suggestion might be better, though. That configuration wasn't in
the homebrew cookbook last time I used it!

On Thu, Jul 25, 2013 at 5:35 PM, Andrew Sharp asharp@okta.com wrote:

Thanks, the passwordless sudo idea might be the best option. But what
about the Homebrew problem? If I called the Chef script with sudo, Homebrew
would deliver an error. It won't be run as root.

On Thu, Jul 25, 2013 at 2:32 PM, JD Harrington psi@y0ru.net wrote:

You can either enable passwordless sudo by modifying /etc/sudoers (at
least for the life of the chef run) or sudo once before running chef, which
will allow you to continue to sudo without a password for the length of
your sudo timeout, which I believe is 5 minutes by default.

On Thu, Jul 25, 2013 at 5:19 PM, Andrew Sharp asharp@okta.com wrote:

Hi,

I'm writing a cookbook to set up a development environment on OS X.
This cookbook installs packages via Homebrew as well as .dmg packages. I am
using the homebrew cookbookhttps://github.com/opscode-cookbooks/homebrew
for the homebrew packages, and the dmg cookbookhttps://github.com/opscode-cookbooks/dmg for
the .dmg packages.

I would like the script to run without any user input. Since the .dmg
packages require root permissions, they stop the script for the user to
enter their password. This could be alleviated by running the script with
sudo. However, Homebrew requires that it be run as non-root, so I cannot
run the script with sudo.

Any suggestions?

Thanks,

Andrew