Your comments

Hi,

I'm a new Ajenti user. When I installed it (Version: aj==2.1.37, python==3.7.3) for the first time, I got the same issues as these and did not find information on correct solutions.

I looked at the source code and found some bugs and information gaps on this topic.

1. The user elevation is using the sudo command. The aj documentation does not include the required sudo settings. The problem is that the user running aj does not have permission to run sudo.

First: Insert the line below into the sudoers file (on Debian 10, aj runs as the nobody user):

"nobody ALL=(ALL) /bin/ls /tmp"

Second: By default, sudo authenticates with the invoking user's credentials, not the target user's credentials. Insert the next line into sudoers after the last "Defaults" line:

"Defaults:nobody targetpw"

Third: If the user who wants elevated rights has no permission on the directory (on Debian 10 it is "/root"), the authentication also fails. Maybe a better way is to set an existing directory name and set the correct rights on this directory for the users we want to give elevated rights. I changed the sudo command in the source code.

2. In Python 3.5 and above, some Popen behaviour changed. I expanded the code in ajenti-core/aj/auth.py:

```python
class AuthenticationService():
    ...

    def check_sudo_password(self, username, password):
        # Elevation is refused unless it is enabled in the aj config.
        if not aj.config.data['auth'].get('allow_sudo', False):
            return False
        # -S reads the password from stdin, -k ignores cached credentials.
        sudo = subprocess.Popen(
            ['sudo', '-S', '-k', '-u', username, '--', 'ls', '/tmp'],
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
        )
        # Pipes carry bytes in Python 3, so the password is encoded first.
        o, e = sudo.communicate(input=(password + '\n').encode('utf-8'))
        if sudo.returncode != 0:
            raise SudoError((o + e).decode('utf-8').splitlines()[-1].strip())
        return True

    ...
```
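The following is an added example, not part of the comment above and not Ajenti's own code: a stand-alone version of the same sudo check that also handles a hung prompt and a failure with no output. The `sudo_cmd` and `timeout` parameters, the local `SudoError` class and the `STUB_SUDO` stand-in are assumptions made for the example.

```python
import subprocess


class SudoError(Exception):
    """Local stand-in for the exception raised in aj/auth.py."""


def check_sudo_password(username, password, sudo_cmd=("sudo",), timeout=10):
    """Return True if sudo accepts `password` for `ls /tmp` as `username`."""
    argv = list(sudo_cmd) + ["-S", "-k", "-u", username, "--", "ls", "/tmp"]
    try:
        proc = subprocess.run(
            argv,
            # Python 3 pipes carry bytes, so the password is encoded first.
            input=(password + "\n").encode("utf-8"),
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            timeout=timeout,  # never hang waiting on a prompt
        )
    except subprocess.TimeoutExpired:
        raise SudoError("sudo timed out") from None
    if proc.returncode != 0:
        out = (proc.stdout + proc.stderr).decode("utf-8", "replace")
        lines = out.splitlines()
        # sudo can fail silently; indexing [-1] on an empty list would crash.
        if not lines:
            raise SudoError("sudo exited with status %d" % proc.returncode)
        raise SudoError(lines[-1].strip())
    return True


# Constructed stand-in for sudo so the example runs without privileges:
# it reads one line from stdin and accepts only the constructed password.
STUB_SUDO = (
    "sh", "-c",
    'read pw; [ "$pw" = "s3cret" ] && exit 0; echo "Sorry, try again." >&2; exit 1',
    "stub-sudo",
)


def demo():
    ok = check_sudo_password("root", "s3cret", sudo_cmd=STUB_SUDO)
    try:
        check_sudo_password("root", "wrong", sudo_cmd=STUB_SUDO)
        rejected = None
    except SudoError as err:
        rejected = str(err)
    return ok, rejected


if __name__ == "__main__":
    print(demo())
```

Calling `check_sudo_password` with the default `sudo_cmd` runs the real sudo and needs the sudoers entries described in the comment.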