From 3199655163910f3194a5260ca5e2d9bd1515bc5d Mon Sep 17 00:00:00 2001
From: Gerald Pinder
Date: Sat, 20 Sep 2025 23:22:33 -0400
Subject: [PATCH] chore(security): Try using pkexec instead of sudo
---
 process/drivers/bootc_driver.rs | 5 +--
 process/drivers/podman_driver.rs | 12 ------
 utils/src/macros.rs | 73 ++------------------------------
 3 files changed, 6 insertions(+), 84 deletions(-)
diff --git a/process/drivers/bootc_driver.rs b/process/drivers/bootc_driver.rs
index 5a9739ca..3cecd2d8 100644
--- a/process/drivers/bootc_driver.rs
+++ b/process/drivers/bootc_driver.rs
@@ -19,7 +19,7 @@ pub struct BootcDriver;
 impl BootDriver for BootcDriver {
 fn status() -> Result> {
 let output = {
- let c = sudo_cmd!(prompt = SUDO_PROMPT, "bootc", "status", "--format=json");
+ let c = sudo_cmd!("bootc", "status", "--format=json");
 trace!("{c:?}");
 c
 }
@@ -47,7 +47,6 @@ impl BootDriver for BootcDriver {
 fn switch(opts: SwitchOpts) -> Result<()> {
 let status = {
 let c = sudo_cmd!(
- prompt = SUDO_PROMPT,
 "bootc",
 "switch",
 "--transport=containers-storage",
@@ -71,7 +70,7 @@ impl BootDriver for BootcDriver {
 fn upgrade(opts: SwitchOpts) -> Result<()> {
 let status = {
- let c = sudo_cmd!(prompt = SUDO_PROMPT, "bootc", "upgrade");
+ let c = sudo_cmd!("bootc", "upgrade");
 trace!("{c:?}");
 c
 }
diff --git a/process/drivers/podman_driver.rs b/process/drivers/podman_driver.rs
index cb31c6e2..c987c12a 100644
--- a/process/drivers/podman_driver.rs
+++ b/process/drivers/podman_driver.rs
@@ -61,7 +61,6 @@ impl PodmanDriver {
 let image = image.whole();
 let status = {
 let c = sudo_cmd!(
- prompt = SUDO_PROMPT,
 "podman",
 "image",
 "scp",
@@ -120,7 +119,6 @@ impl BuildDriver for PodmanDriver {
 .wrap_err("Failed to create temporary directory for secrets")?;
 let command = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = opts.privileged,
 "podman",
 "build",
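Review bot: With `prompt = SUDO_PROMPT` removed from the `status` call in the `@@ -19,7 +19,7 @@` hunk of bootc_driver.rs, and from `switch` and `upgrade` in the two hunks after it, no visible call site in that file still references `SUDO_PROMPT`, yet the diffstat shows no import line removed. If the file imports that constant (the `use` lines are outside the hunks, so this is inferred), the import should be dropped in the same commit so the build stays free of unused-import warnings. The same check applies to podman_driver.rs, where every hunk drops the same argument. `status()` continues past the end of the hunk.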
@@ -175,7 +173,6 @@ impl BuildDriver for PodmanDriver {
 let dest_image_str = opts.dest_image.to_string();
 let mut command = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = opts.privileged,
 "podman",
 "tag",
@@ -200,7 +197,6 @@ impl BuildDriver for PodmanDriver {
 let image_str = opts.image.to_string();
 let command = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = opts.privileged,
 "podman",
 "push",
@@ -290,7 +286,6 @@ impl ContainerMountDriver for PodmanDriver {
 fn mount_container(opts: ContainerOpts) -> Result {
 let output = {
 let c = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = opts.privileged,
 "podman",
 "mount",
@@ -314,7 +309,6 @@ impl ContainerMountDriver for PodmanDriver {
 fn unmount_container(opts: ContainerOpts) -> Result<()> {
 let output = {
 let c = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = opts.privileged,
 "podman",
 "unmount",
@@ -336,7 +330,6 @@ impl ContainerMountDriver for PodmanDriver {
 fn remove_volume(opts: VolumeOpts) -> Result<()> {
 let output = {
 let c = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = opts.privileged,
 "podman",
 "volume",
@@ -401,7 +394,6 @@ impl RunDriver for PodmanDriver {
 let output = {
 let c = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = opts.privileged,
 "podman",
 "create",
@@ -428,7 +420,6 @@ impl RunDriver for PodmanDriver {
 let output = {
 let c = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = opts.privileged,
 "podman",
 "rm",
@@ -452,7 +443,6 @@ impl RunDriver for PodmanDriver {
 let output = {
 let c = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = opts.privileged,
 "podman",
 "rmi",
@@ -482,7 +472,6 @@ impl RunDriver for PodmanDriver {
 let output = {
 let c = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = privileged,
 "podman",
 "images",
@@ -515,7 +504,6 @@ impl RunDriver for PodmanDriver {
 fn podman_run(opts: RunOpts, cid_file: &Path) -> Command {
 let command = sudo_cmd!(
- prompt = SUDO_PROMPT,
 sudo_check = opts.privileged,
 "podman",
 "run",
diff --git a/utils/src/macros.rs b/utils/src/macros.rs
index f327a5b9..4adbc148 100644
--- a/utils/src/macros.rs
+++ b/utils/src/macros.rs
@@ -83,7 +83,6 @@ macro_rules! impl_de_fromstr {
 #[macro_export]
 macro_rules! sudo_cmd {
 (
- prompt = $prompt:expr,
 sudo_check = $sudo_check:expr,
 $command:expr,
 $($rest:tt)*
@@ -93,44 +92,12 @@ macro_rules! sudo_cmd {
 ::comlexr::cmd!(
 if _use_sudo {
- "sudo"
+ "pkexec"
 } else {
 $command
 },
- if _use_sudo && $crate::has_env_var($crate::constants::SUDO_ASKPASS) => [
- "-A",
- "-p",
- $prompt,
- ],
- if _use_sudo => [
- "--preserve-env",
- $command,
- ],
- $($rest)*
- )
- }
- };
- (
- sudo_check = $sudo_check:expr,
- $command:expr,
- $($rest:tt)*
- ) => {
- {
- let _use_sudo = ($sudo_check) && !$crate::running_as_root();
-
- ::comlexr::cmd!(
- if _use_sudo {
- "sudo"
- } else {
- $command
- },
- if _use_sudo && $crate::has_env_var($crate::constants::SUDO_ASKPASS) => [
- "-A",
- "-p",
- $crate::constants::SUDO_PROMPT,
- ],
 if _use_sudo => [
- "--preserve-env",
+ "--keep-cwd",
 $command,
 ],
 $($rest)*
@@ -138,7 +105,6 @@ macro_rules! sudo_cmd {
 }
 };
 (
- prompt = $prompt:expr,
 $command:expr,
 $($rest:tt)*
 ) => {
@@ -147,43 +113,12 @@ macro_rules! sudo_cmd {
 ::comlexr::cmd!(
 if _use_sudo {
- "sudo"
+ "pkexec"
 } else {
 $command
 },
- if _use_sudo && $crate::has_env_var($crate::constants::SUDO_ASKPASS) => [
- "-A",
- "-p",
- $prompt,
- ],
- if _use_sudo => [
- "--preserve-env",
- $command,
- ],
- $($rest)*
- )
- }
- };
- (
- $command:expr,
- $($rest:tt)*
- ) => {
- {
- let _use_sudo = !$crate::running_as_root();
-
- ::comlexr::cmd!(
- if _use_sudo {
- "sudo"
- } else {
- $command
- },
- if _use_sudo && $crate::has_env_var($crate::constants::SUDO_ASKPASS) => [
- "-A",
- "-p",
- $crate::constants::SUDO_PROMPT,
- ],
 if _use_sudo => [
- "--preserve-env",
+ "--keep-cwd",
 $command,
 ],
 $($rest)*
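Review bot: The macro in the `@@ -83,7 +83,6 @@` hunk keeps the name `sudo_cmd!` and the `sudo_check` / `_use_sudo` identifiers although it now expands to `pkexec`, and the visible lines carry no doc comment stating the new contract. A comment above `#[macro_export]` such as `/// Runs the command through pkexec unless already root; the child gets pkexec's reset environment, not the caller's.` would stop call-site authors from assuming sudo semantics. Because `prompt = …` still parses as an expression, a call site missed by this commit would likely match the `$command:expr` arm and fail with a confusing error rather than a no-matching-rule error. The macro body continues outside the hunk.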
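Review bot: Swapping `"--preserve-env"` for `"--keep-cwd"` in the `@@ -93,44 +92,12 @@` hunk (and again in the `@@ -147,43 +113,12 @@` hunk) changes more than the launcher. pkexec starts the program in a minimal reset environment, so anything the `podman` / `bootc` call sites relied on from the caller's environment (registry auth location, proxy settings, storage overrides) no longer reaches the child and has to be passed as explicit arguments. That is the safer default, but it should be stated in the commit message and checked per call site. pkexec also needs a polkit authentication agent or a controlling terminal, and `--keep-cwd` is not accepted by older polkit releases, so headless or CI runs that worked through `SUDO_ASKPASS` may now fail with no fallback. Since `$command` is a bare name such as `"podman"`, pkexec looks it up on the caller's `PATH` before elevating; passing an absolute path would pin which binary runs as root.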