On Thu, Apr 24, 2014 at 07:13:45PM -0500, Dustin C. Hatch wrote:
> I have been struggling to get my hardened systems managed by Ansible for
> quite some time now. I have almost everything working well now, except
> service control. It seems like the run_init stuff in OpenRC behaves
> strangely when /sbin/rc-service is called via exec(),
> stdin/stdout/stderr are connected to pipes, and the whole thing is run
> through sudo. I suspect it has something to do with the way run_init
> tries to prompt for credentials (even though I have that "disabled").
[...]
> import subprocess
>
> p = subprocess.Popen(['/sbin/rc-service', 'nfsmount', 'restart'],
>                      stdin=subprocess.PIPE,
>                      stdout=subprocess.PIPE,
>                      stderr=subprocess.PIPE)
> o, e = p.communicate()
> print('exitcode: {}'.format(p.returncode))
> print('stdout: {}'.format(o))
> print('stderr: {}'.format(e))
Try calling rc-service through run_init, so something like
#v+
p = subprocess.Popen(['/sbin/run_init', '/sbin/rc-service', 'nfsmount', 'restart'],
                     stdin=subprocess.PIPE,
                     stdout=subprocess.PIPE,
                     stderr=subprocess.PIPE)
#v-
[...]
> As you can see, this happens even when SELinux is not enforcing, so I
> don't think it is policy related. I wonder if there is some way to stop
> run_init from trying to prompt for authentication altogether, especially
> when stdin/stdout/stderr is not a tty.
>
> Any thoughts or pointers would be appreciated.
There's some magic involved; see my small write-up at
http://blog.siphos.be/2013/04/not-needing-run_init-for-password-less-service-management/

Wkr,
Sven Vermeulen