factoriommo / factorio-multienv-ctl

Manager for multiple factorio environments on the same machine. Based on https://github.com/Bisa/factorio-init.
MIT License

User account credential caching #11

Closed mattmahn closed 6 years ago

mattmahn commented 7 years ago

Being prompted to enter the factorio user's password several times in a row is weird, and made me think something was broken. I think if as_user does sudo -u $USERNAME the user will only be prompted for the user password once while the credential is cached (by default, 5 minutes). I think it may also be helpful to explicitly say the password prompt is for $USER.

psihius commented 7 years ago

@mattmahn you mean the sudo asks for password? Could you elaborate a bit? I haven't encountered this before.

maikelwever commented 7 years ago

If the script is not run as root or factorio user, the following line prompts for a password:

https://github.com/factoriommo/factorio-multienv-ctl/blob/master/factorio#L79

As a workaround you can run for example sudo factorio status for the time being. The actual server will be run as factorio user and not as root.

psihius commented 7 years ago

Ah, okay. This is launched by hand, right? Not via systemd services?

maikelwever commented 7 years ago

AFAIK commands like new-game need to su into the factorio user, and the start/stop commands call systemctl, so you need the appropriate privileges or it will ask you to identify in order to get those privileges.

mattmahn commented 7 years ago

Yes, by hand, @psihius

matt@instance-1:/opt/factorio/factorio$ factorio new-game 'some-new-game'
Password: 
Password: 
Password: 
Password: 
Password: 
Password: 
Password: 

As you can see it prompted for the factorio user's password 7 times, which is rather excessive.

@maikelwever Yeah, I see that. I'm just suggesting the line be changed to sudo -u $USERNAME -s /bin/bash "$1" so that—if somebody doesn't run factorio as root or their factorio user—they are not prompted many times to enter the same password. By default, sudo will cache credentials, so in this case I would've been prompted to enter the password once (see passwd_timeout in sudoers(5)).

psihius commented 7 years ago

Well, we can't just rely on sudo because we ourselves use this on debian - we don't have sudo, so either we make sudo a prerequisite, or we need to think what to do about this.

@mattmahn But if you do sudo -u factorio factorio new-game gamename - does it ask for the password multiple times?

maikelwever commented 7 years ago

We can just add sudo to the dependencies, it'll be fine.

psihius commented 7 years ago

@maikelwever or check if sudo is installed and use it when it is. I know some people will not install sudo at all no matter what.

mattmahn commented 7 years ago

@psihius It's actually not prompting for the password at all running that, even after clearing the cache with sudo -k/sudo -K

maikelwever commented 7 years ago

> @maikelwever or check if sudo is installed and use it when it is. I know some people will not install sudo at all no matter what.

@psihius is that really something we want to care about? Most of those people also hate systemd (which we depend on), and don't install proprietary binaries anyway.

psihius commented 7 years ago

@mattmahn well, probably because factorio is a passwordless non-loginable user, is it @maikelwever ?

@maikelwever well, maybe then just use sudo all the way. Easier solution :)

maikelwever commented 7 years ago

Passwordlessness in sudo must be configured by the user and we don't. Else we would already depend on sudo ;)

@mattmahn's current account is probably passwordless, or he is running your example as root.

mattmahn commented 7 years ago

Well, I did set the password for the factorio user, so I do get prompted when I su factorio.

maikelwever commented 7 years ago

su and sudo are different systems. su logs in as the user you 'su' to, so you need to enter that user's password, except if you are already root.

sudo uses a configuration allowing certain users/groups to run sudo. Sudo asks for your user's own password, and then becomes root and switches to the given user (or stays root if not given).

You can check the sudo configuration file at /etc/sudoers or using the visudo command.

mattmahn commented 7 years ago

@maikelwever okay, that makes more sense then; I didn't know sudo went to root first. But if I cleared out my (username "matt") cached creds with sudo -k, wouldn't I be prompted for my password again when executing sudo -u factorio blah? Turns out GCP Compute Engine doesn't prompt for passwords (%google-sudoers ALL=(ALL:ALL) NOPASSWD:ALL in /etc/sudoers.d/google_sudoers, and "matt" is a member of google_sudoers).

maikelwever commented 7 years ago

Yep, this is achieved (in both su and sudo's cases) using the setuid bit. For some more technical background check: https://en.wikipedia.org/wiki/Setuid

Your initial suggestion is still valid though, to prevent it from asking for the password multiple times.

psihius commented 6 years ago

@maikelwever could you please find some time, figure out what should be done here, or close it if nothing needs to be changed? This is a bit out of my league.
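
An added sketch of the approach discussed in this thread (not the project's code and not written by any participant): `as_user` uses sudo when it is installed, so the invoking user is prompted once and the credential is cached, and falls back to su on hosts without sudo. The function body, the `factorio` default for `USERNAME` and the `SUDO_BIN` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's own as_user implementation.
USERNAME="${USERNAME:-factorio}"   # assumed name of the service account
SUDO_BIN="${SUDO_BIN:-sudo}"       # hypothetical override, lets the fallback be exercised

# Decide how to become user $2 when currently running as user $1.
# Prints one of: direct, sudo, su
escalation_method() {
    current="$1"
    target="$2"
    if [ "$current" = "$target" ]; then
        echo direct      # already the service account, nothing to escalate
    elif command -v "$SUDO_BIN" >/dev/null 2>&1; then
        echo sudo        # asks for the invoking user's password, then caches it
    else
        echo su          # asks for the target user's password on every call
    fi
}

# Run one command line as $USERNAME.
as_user() {
    case "$(escalation_method "$(id -un)" "$USERNAME")" in
        direct)
            /bin/bash -c "$1"
            ;;
        sudo)
            # %u = invoking user, %U = target user: the prompt says whose
            # password is wanted and why.
            "$SUDO_BIN" -p "[sudo] password for %u (to run as %U): " \
                -u "$USERNAME" -- /bin/bash -c "$1"
            ;;
        su)
            # root is never prompted by su; everyone else needs the
            # target account's password, so say so before the bare prompt.
            [ "$(id -u)" -eq 0 ] || \
                echo "The password prompt below is for user '$USERNAME'." >&2
            su "$USERNAME" -s /bin/bash -c "$1"
            ;;
    esac
}
```

On a host where sudo is set up with NOPASSWD for the invoking user, as in the GCP case reported above, the sudo branch runs without any prompt.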