/rubysu

Give Ruby objects superuser privileges

Primary language: Ruby. License: MIT.

Ruby Sudo

Based on dRuby and sudo.

Only tested with MRI.

Usage

Your user must be allowed, in /etc/sudoers, to run ruby and kill commands as root.

A password may be required from the console, depending on the NOPASSWD options in /etc/sudoers.

Spawns a sudo-ed Ruby process running a DRb server. Communication is done via a Unix socket (and, of course, permissions are set to 0600).

No long-running daemons involved, everything is created on demand.

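Access control is entirely delegated to sudo: the library adds no authorization of its own, so the sudoers rule is the only gate. A rule that lets a user run ruby as root effectively grants that user full root access.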
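
The transport described above (an on-demand child process, a DRb server on a Unix socket, mode 0600) can be reproduced without sudo in order to inspect it. The following is an added example, not code from rubysu: Probe, with_drb_child and demo are hypothetical names, the child is forked unprivileged rather than started through sudo, and placing the socket in a private temporary directory is this example's own choice.

```ruby
require 'drb/drb'
require 'drb/unix' # registers the drbunix: protocol
require 'tmpdir'

# Hypothetical stand-in for the object a privileged helper would expose.
class Probe
  def whoami
    { pid: Process.pid, euid: Process.euid }
  end
end

# Fork a child that serves `front` on a Unix socket, yield a proxy for it,
# then kill the child; the socket disappears with the temporary directory.
def with_drb_child(front)
  Dir.mktmpdir('drb-demo') do |dir| # created 0700: no window before the chmod
    path = File.join(dir, 'sock')
    uri  = "drbunix:#{path}"
    pid  = fork do
      trap('TERM') { exit!(0) } # skip at_exit handlers inherited from the parent
      # UNIXFileMode makes drb/unix chmod the socket right after binding it.
      DRb.start_service(uri, front, { UNIXFileMode: 0o600 })
      DRb.thread.join
    end
    begin
      deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + 5
      until File.socket?(path) && (File.stat(path).mode & 0o777) == 0o600
        raise 'server did not come up' if Process.clock_gettime(Process::CLOCK_MONOTONIC) > deadline
        sleep 0.05
      end
      yield DRbObject.new_with_uri(uri), path, pid
    ensure
      Process.kill('TERM', pid)
      Process.wait(pid)
    end
  end
end

# Collect what a reviewer would verify: socket type, mode, owner, and that the
# method call really executed in the other process.
def demo
  with_drb_child(Probe.new) do |remote, path, child_pid|
    st = File.stat(path)
    { socket: st.socket?, mode: format('%04o', st.mode & 0o777),
      owner_is_me: st.uid == Process.euid,
      ran_in_child: remote.whoami[:pid] == child_pid }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```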

Application Code

Let's start with a trivial example:

require 'my_gem/my_class'
require 'sudo'

obj   = MyGem::MyClass.new

# Now, create a Sudo::Wrapper object:
sudo  = Sudo::Wrapper.new

# 'my_gem/my_class' will be automatically required in the
# sudo DRb server

# Start the sudo-ed Ruby process:
sudo.start!
sudo[obj].my_instance_method
sudo[MyGem::MyClass].my_class_method

# Call stop! when finished; otherwise that will be done
# when the `sudo` object gets garbage-collected.
sudo.stop!

A convenient way to work with sudo is the run method, which takes a block. run automatically starts and stops the sudo-ed Ruby process around the block.

require 'fileutils'
require 'sudo'

Sudo::Wrapper.run do |sudo|
  sudo[FileUtils].mkdir_p '/ONLY/ROOT/CAN/DO/THAT'
end
# Sockets and processes are closed automatically when the block exits

Both Sudo::Wrapper.run and Sudo::Wrapper.new take the same named arguments: ruby_opts (default: '') and load_gems (default: true).

If you'd like to pass options to the sudo-spawned ruby process, pass them as a string to ruby_opts.

If you'd like to prevent the loading of gems currently loaded from the calling program, pass false to load_gems. This will give your sudo process an unmodified environment. The only things required via the sudo process are 'drb/drb', 'fileutils', and of course 'sudo'.

Todo

sudo has a -A option to accept the password via an external program (maybe graphical): support this feature.

Credits

Author and Copyright

Guido De Rosa (@gderosa).

See LICENSE.

Contributors

Dale Stevens (@voltechs)

Robert M. Koch (@threadmetal)

Wolfgang Teuber (@wteuber)

Other acknowledgements

Thanks to Tony Arcieri and Brian Candler for suggestions on ruby-talk.

Initially developed by G. D. while working at @vemarsas.

Contributing

  1. Fork it ( https://github.com/gderosa/rubysu/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request