Feel free to override the "run" method after mixin to skip logging
commands with sensitive information in the command string. From
invocation.rb:

  # Execute the given command on all servers that are the target of the
  # current task. If a block is given, it is invoked for all output
  # generated by the command, and should accept three parameters: the SSH
  # channel (which may be used to send data back to the remote process),
  # the stream identifier (<tt>:err</tt> for stderr, and <tt>:out</tt> for
  # stdout), and the data that was received.
  def run(cmd, options={}, &block)
    block ||= self.class.default_io_proc
    logger.debug "executing #{cmd.strip.inspect}"
    options = add_default_command_options(options)
    execute_on_servers(options) do |servers|
      targets = servers.map { |s| sessions[s] }
      Command.process(cmd, targets, options.merge(:logger => logger), &block)
    end
  end

This gets mixed in to Capistrano::Configuration, so I'm guessing you
can just go in and override it there after it's included
Actions::Invocation, e.g.:

  module Capistrano
    class Configuration
      def run(cmd, options={}, &block)
        block ||= self.class.default_io_proc
        logger.debug "executing #{cmd.strip.inspect}" unless cmd =~ /mysql/ # Or whatever other logic you want here
        options = add_default_command_options(options)
        execute_on_servers(options) do |servers|
          targets = servers.map { |s| sessions[s] }
          Command.process(cmd, targets, options.merge(:logger => logger), &block)
        end
      end
    end
  end

On Apr 1, 2008, at 10:38 AM, Andrew McClain wrote:
>
> Sean,
>
> I'm already prompting the user for a password using password_prompt.
>
> The issue isn't showing the password when the user _enters_ it, the
> issue is that the password shows up in the capistrano log when the
> command is executed.
>
> i.e.
>>> pass = Capistrano::CLI.password_prompt('secret password:')
>>> run "mysql -p #{pass}"
>
> secret password:
> {USER ENTERS FOO}
>
> * executing "mysql -p FOO" <--- there it is in plaintext!
>
> I'm wondering how capistrano manages to get around this for sudo
> passwords, which look like:
> * executing "sudo -p 'sudo password: ' some_command" <--- obfuscated
>
>
> On Apr 1, 6:18 am, Sean Cribbs <[EMAIL PROTECTED]> wrote:
>> Andrew,
>>
>> The -p option on sudo provides the prompt for the password, not the
>> actual password. This helps Capistrano tell when sudo is prompting for
>> a password. If you don't want the password to be echoed to the screen,
>> require the cap user to type in the password on starting your recipe or
>> when necessary to execute any given command.
>>
>> Sean Cribbs
>>
>> Andrew McClain wrote:
>>> There are a couple of times in my deploy scripts where I need to ask
>>> for passwords; however, in the cap log output, I see those passwords
>>> in plain text.
>>
>>> I've been poking around the code to see how Cap displays " * executing
>>> "sudo -p 'sudo password: '...", and all I can find is the sudo_prompt
>>> method which looks like it displays the obfuscated 'sudo password: '
>>> when it can't find the :sudo_prompt symbol...
>>
>>> Can anyone explain how this mechanism works? Or an alternate method
>>> for preventing my password from showing up in my terminal history?
> >
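
An alternative to skipping the log line, added here as an example and not code from this thread or from Capistrano: keep the "executing" entry but mask the prompted value wherever it reaches the logger. MaskingLogger, register_secret and FakeConfiguration are hypothetical names, and the stdlib Logger stands in for Capistrano's logger.

```ruby
require 'logger'
require 'stringio'

# Added example: MaskingLogger and FakeConfiguration are hypothetical names.
# Wraps a logger and masks registered secrets in every message it forwards.
class MaskingLogger
  MASK = '[FILTERED]'

  def initialize(target)
    @target = target
    @secrets = []
  end

  # Register right after prompting. The #inspect-escaped form is stored too,
  # because run logs cmd.strip.inspect, which escapes quotes and backslashes.
  def register_secret(value)
    raw = value.to_s
    @secrets |= [raw, raw.inspect[1...-1]] unless raw.empty?
    value
  end

  # Single pass, longest first, so a secret containing another is masked whole.
  def mask(text)
    return text if @secrets.empty?
    text.gsub(Regexp.union(@secrets.sort_by { |s| -s.length }), MASK)
  end

  # Levels of the stdlib Logger used as the stand-in target here.
  %i[debug info warn error].each do |level|
    define_method(level) { |msg| @target.public_send(level, mask(msg.to_s)) }
  end
end

# Constructed stand-in for the configuration; run logs as invocation.rb does.
FakeConfiguration = Struct.new(:logger, :sent) do
  def run(cmd)
    logger.debug "executing #{cmd.strip.inspect}"
    sent << cmd
  end
end

# Runs one command with a constructed secret; returns [log text, command sent].
def demo(secret)
  io = StringIO.new
  log = MaskingLogger.new(Logger.new(io))
  config = FakeConfiguration.new(log, [])
  config.run "mysql -p #{log.register_secret(secret)}"
  [io.string, config.sent.first]
end
```

Masking the log does not change the command that is sent, so the password is still on the remote command line, where the process list can show it.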