Capistrano using sudo even with "set :use_sudo, false"

C

2

7

I do not wish to use sudo for any of my remotely executed commands via Capistrano. Specifically, when I run cap deploy:setup, I'm asked for my sudo password during the first mkdir command. I added set :use_sudo, false to my deploy.rb file, but this did not make a difference.

I started with a fairly complete deploy.rb file, but whittled it down once I started having issues. Here is my minimal version that still shows use_sudo not being respected:

# App Definitions

set :domain, '[server-ip]'
role :app, domain
role :web, domain
role :db, domain, :primary => true

set :user, "my_app"
set :use_sudo, false

task :sudo_test do
  run "#{try_sudo} whoami"
end

running cap sudo_test results in me being prompted for my sudo password. What am I missing here (besides the hair I've already pulled out)?

Google Findings

https://groups.google.com/forum/?fromgroups#!topic/capistrano/QNYnvW8obrg

A thread with someone having a similar issue. No conclusion/resolution noted in the thread.

Corotto answered 25/5, 2012 at 21:23 Comment(7)

what is that #{try_sudo} bit? what if you take it out? – Filagree 25/5, 2012 at 21:28

#{try_sudo} should sudoize the command if :use_sudo is set to false. I include it in sudo_test because the capistrano rails tasks likely use it as well, and is likely where the problem stems from. – Corotto 25/5, 2012 at 21:38

We use 'sudo -i <cmd>' in our deploy.rb file. – Birnbaum 26/5, 2012 at 2:49

and this too: sudo 'aptitude install -y rsync' – Birnbaum 26/5, 2012 at 2:51

As mentioned above, the initial reason for the post is that cap deploy:setup is trying to use sudo when I don't want it to. cap deploy:setup is a pre-baked recipe; I'm not looking to modify it. Rather, I need to determine why the option :use_sudo isn't working. – Corotto 27/5, 2012 at 16:31

Are you sure it's prompting for your sudo password rather than your SSH password? I tried your setup and it's prompting for my SSH password. – Cheesewood 4/6, 2012 at 21:59

@JeroenRosenberg You are seeing that because you haven't set up ssh key authentication. Mine is related to sudo. – Corotto 7/6, 2012 at 0:51

C

5

Apparently, it is not possible to disable sudo functionality with certain capistrano tasks. The assumption is that the unprivileged user on the server should not be able to carry out certain tasks.

The command in question is mkdir. I'd argue that an unprivileged user should be able to run this command if the parent folder is one that they have permission to do so for. I'd also argue that the user may in fact be a privileged user, such as root. Best practice? Not necessarily. Within the realm of reason for certain deployments, yes.

Here is the link to the response to my original question:

https://github.com/capistrano/capistrano/issues/211#issuecomment-7667467

Corotto answered 13/8, 2012 at 16:53 Comment(1)

:use_sudo, false worked for me with mkdir (using deploy:setup) – Penley 9/7, 2013 at 4:20

N

12

For anyone else who runs into this issue and is a fool like me. Make sure you arn't quoting false. I had:

set :use_sudo, "false"

and when I switched it to

set :use_sudo, false

most things started working the way I expected. As YWCA Hello points out there are still commands that ignore the use_sudo setting. However, don't forget to set it correctly.

Nirvana answered 8/3, 2013 at 23:32 Comment(1)

As an explanation (without reading the relevant part of the capistrano code): "false" is a true-ish value in ruby. Only nil and false are false-ish. Any other value, incl. 0, "", [], are considered true. So setting :use_sudo to "false" is the same as setting :use_sudo to true. – Monocot 22/4, 2014 at 12:31

C

5