Don't use sudo for everything

We are running as root, and will rely on dropping privs via systemd rather than sudo
2025-12-18 21:54:05 +08:00 · 2018-06-27 02:07:49 -07:00
parent cf4bd7e36e
commit e957fc3bf0
3 changed files with 1 additions and 17 deletions
--- a/tljh/jupyterhub_config.py
+++ b/tljh/jupyterhub_config.py
@@ -27,6 +27,5 @@ c.JupyterHub.spawner_class = CustomSpawner
 c.ConfigurableHTTPProxy.should_start = False

 c.SystemdSpawner.extra_paths = [os.path.join(USER_ENV_PREFIX, 'bin')]
-c.SystemdSpawner.use_sudo = True

 configurer.apply_yaml_config('/etc/jupyterhub/jupyterhub.yaml', c)
--- a/tljh/systemd.py
+++ b/tljh/systemd.py
@@ -1,11 +1,6 @@
 """
 Wraps systemctl to install, uninstall, start & stop systemd services.

-We use sudo + subprocess calls for everything. This works when we
-are running as root & as normal user (with arbitrary sudo privileges).
-Arbitrary sudo privileges suck, but are better than running the whole
-process as root.
-
 If we use a debian package instead, we can get rid of all this code.
 """
 import subprocess
@@ -19,7 +14,6 @@ def reload_daemon():
    Makes systemd discover new units.
    """
    subprocess.run([
-        'sudo',
        'systemctl',
        'daemon-reload'
    ], check=True)
@@ -30,7 +24,6 @@ def install_unit(name, unit, path='/etc/systemd/system'):
    Install unit wih given name
    """
    subprocess.run([
-        'sudo',
        'tee',
        os.path.join(path, name)
    ], input=unit.encode('utf-8'), check=True)
@@ -41,7 +34,6 @@ def uninstall_unit(name, path='/etc/systemd/system'):
    Uninstall unit with given name
    """
    subprocess.run([
-        'sudo',
        'rm',
        os.path.join(path, name)
    ], check=True)
@@ -52,7 +44,6 @@ def start_service(name):
    Start service with given name.
    """
    subprocess.run([
-        'sudo',
        'systemctl',
        'start',
        name
--- a/tljh/user.py
+++ b/tljh/user.py
@@ -1,7 +1,7 @@
 """
 User management for tljh.

-Supports user creation, deletion & sudo
+Supports minimal user & group management
 """
 import pwd
 import grp
@@ -22,7 +22,6 @@ def ensure_user(username):
        pass

    subprocess.check_call([
-        'sudo',
        'adduser',
        '--disabled-password',
        '--force-badname',
@@ -42,7 +41,6 @@ def remove_user(username):
        return

    subprocess.check_call([
-        'sudo',
        'deluser',
        '--quiet',
        username
@@ -61,7 +59,6 @@ def ensure_group(groupname):
        pass

    subprocess.check_call([
-        'sudo',
        'addgroup',
        '--quiet',
        groupname
@@ -79,7 +76,6 @@ def remove_group(groupname):
        return

    subprocess.check_call([
-        'sudo',
        'delgroup',
        '--quiet',
        groupname
@@ -97,7 +93,6 @@ def ensure_user_group(username, groupname):
        return

    subprocess.check_call([
-        'sudo',
        'usermod',
        '--append',
        '--groups',
@@ -115,7 +110,6 @@ def remove_user_group(username, groupname):
        return

    subprocess.check_call([
-        'sudo',
        'deluser',
        '--quiet',
        username,