lambdalisue / vim-suda

🥪 An alternative sudo.vim for Vim and Neovim, with limited sudo support on Windows
MIT License
713 stars 27 forks

only use arguments on suda#executable if it's equal to "sudo" #60

Closed aarondill closed 6 months ago

aarondill commented 1 year ago

This ensures that the sudo options work correctly, and creates rudimentary support for other commands (such as doas, see #40)

This isn't perfect, but likely the best we can do (see my comment).

This change allows any command which accepts no password, or else a password from stdin, to work. Any command set to g:suda#executable will be executed with no further arguments (so the user may need to provide any that are needed), and will be run first with an empty stdin, then with the user's provided password as stdin. Further support would likely need to be added on a case-by-case basis and may quickly spiral out of control.


acid-bong commented 1 year ago

Just tested, it doesn't pass the password to doas, and 2 failed attempts it somehow counted as 3

aarondill commented 1 year ago

The password is passed through stdin, but doas doesn't process it. Also, it is called twice, once without stdin, once with (as noted above).

This will only work with doas when the user has the nopass privilege.

aarondill commented 1 year ago

One tool that does work with this change is su - -c (as su accepts input through stdin), though I believe a wrapper would be required to ensure that all arguments passed end up as one after the -c (like the one below)

#!/usr/bin/env sh
# Wrapper for g:suda#executable: join every argument into one string
# and hand it to su as the single command that follows -c.
exec su - -c "$*"
acid-bong commented 1 year ago

The difference is that su asks for root's password, not your user's, like sudo and doas do

aarondill commented 1 year ago

> The difference is that su asks for root's password, not your user's, like sudo and doas do

This is true, but as I've already said, unless you can discover a way to pass the password to doas, we can only support tools that accept the password through stdin (like sudo and su).

lambdalisue commented 6 months ago

My apologies for the delay. I completely overlooked this matter. Could you please resolve the conflicts first so we can proceed with the review? @aarondill

coderabbitai[bot] commented 6 months ago

Walkthrough

This update introduces a more sophisticated approach to command construction and execution in suda.vim. By adding a dedicated function for building commands and refining how passwords are requested, the changes enhance both security and usability. Centralizing shell escaping ensures commands are safely constructed, reducing potential vulnerabilities.

Changes

File(s): autoload/suda.vim
Summary: Introduced s:get_command, improved suda#system, centralized shell escaping, and refined password interaction logic.




aarondill commented 6 months ago

@lambdalisue I've rebased this onto HEAD. I've also introduced a few changes: the checking introduced in https://github.com/lambdalisue/suda.vim/commit/257767d7977414210b6db9df0be39b9789d83978 is only done on 'sudo', since there's no guarantee that the user-provided command will ever support not passing a password. Additionally, the user-provided command is called the same way either way: user_sudo command with no options.

lambdalisue commented 6 months ago

Thanks a lot 🎉