Merge pull request rancher-sandbox#5850 from jandubois/sudo

Don't prompt for sudo password when not required
rak-phillip · Nov 1, 2023 · d913ac2 · d913ac2
2 parents 4108efe + 42d0673
commit d913ac2
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 6 deletions.
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
@@ -1,6 +1,7 @@
 emoji
 github
 https
+passwordless
 ssh
 ubuntu
 workarounds
diff --git a/bats/tests/helpers/defaults.bash b/bats/tests/helpers/defaults.bash
@@ -110,6 +110,21 @@ if using_networking_tunnel && ! is_windows; then
     fatal "RD_USE_NETWORKING_TUNNEL only works on Windows"
 fi
 
+########################################################################
+: "${RD_USE_SOCKET_VMNET:=false}"
+
+using_socket_vmnet() {
+    is_true "$RD_USE_SOCKET_VMNET"
+}
+
+if using_socket_vmnet && ! is_macos; then
+    fatal "RD_USE_SOCKET_VMNET only works on macOS"
+fi
+
+if using_socket_vmnet && sudo_needs_password; then
+    fatal "RD_USE_SOCKET_VMNET requires passwordless sudo"
+fi
+
 ########################################################################
 if ! is_unix && [ -n "${RD_MOUNT_TYPE:-}" ]; then
     fatal "RD_MOUNT_TYPE only works on Linux and macOS"

diff --git a/bats/tests/helpers/info.bash b/bats/tests/helpers/info.bash
@@ -28,6 +28,7 @@ show_info() { # @test
         fi
         printf "$format" "Using image allow list:" "$(bool using_image_allow_list)"
         if is_macos; then
+            printf "$format" "Using socket_vmnet:" "$(bool using_socket_vmnet)"
             printf "$format" "Using VZ emulation:" "$(bool using_vz_emulation)"
         fi
         if is_windows; then

diff --git a/bats/tests/helpers/os.bash b/bats/tests/helpers/os.bash
@@ -74,3 +74,9 @@ needs_port() {
         fi
     fi
 }
+
+sudo_needs_password() {
+    # Check if we can run /usr/bin/true (or /bin/true) without requiring a password
+    run sudo --non-interactive --reset-timestamp true
+    ((status != 0))
+}
diff --git a/bats/tests/helpers/vm.bash b/bats/tests/helpers/vm.bash
@@ -88,12 +88,18 @@ start_container_engine() {
         --application.updater.enabled=false
         --kubernetes.enabled=false
     )
+    local admin_access=false
+
     if [ -n "$RD_CONTAINER_ENGINE" ]; then
         args+=(--container-engine.name="$RD_CONTAINER_ENGINE")
     fi
+    if using_socket_vmnet; then
+        args+=(--experimental.virtual-machine.socket-vmnet)
+        admin_access=true
+    fi
     if is_unix; then
         args+=(
-            --application.admin-access=false
+            --application.admin-access="$admin_access"
             --application.path-management-strategy rcfiles
             --virtual-machine.memory-in-gb 6
             --experimental.virtual-machine.mount.type="$RD_MOUNT_TYPE"

diff --git a/pkg/rancher-desktop/backend/lima.ts b/pkg/rancher-desktop/backend/lima.ts
@@ -1064,11 +1064,15 @@ export default class LimaBackend extends events.EventEmitter implements VMBacken
       return true;
     }
 
-    const allowed = await this.progressTracker.action(
-      'Expecting user permission to continue',
-      10,
-      this.showSudoReason(explanations));
+    const requirePassword = await this.sudoRequiresPassword();
+    let allowed = true;
 
+    if (requirePassword) {
+      allowed = await this.progressTracker.action(
+        'Expecting user permission to continue',
+        10,
+        this.showSudoReason(explanations));
+    }
     if (!allowed) {
       this.#adminAccess = false;
 
@@ -1081,7 +1085,12 @@ export default class LimaBackend extends events.EventEmitter implements VMBacken
       throw new Error(`Can't execute commands ${ singleCommand } because there's a single-quote in them.`);
     }
     try {
-      await this.sudoExec(`/bin/sh -xec '${ singleCommand }'`);
+      if (requirePassword) {
+        await this.sudoExec(`/bin/sh -xec '${ singleCommand }'`);
+      } else {
+        await childProcess.spawnFile('sudo', ['--non-interactive', '/bin/sh', '-xec', singleCommand],
+          { stdio: ['ignore', 'pipe', 'pipe'] });
+      }
     } catch (err) {
       if (err instanceof Error && err.message === 'User did not grant permission.') {
         this.#adminAccess = false;
@@ -1379,6 +1388,21 @@ export default class LimaBackend extends events.EventEmitter implements VMBacken
     return path;
   }
 
+  protected async sudoRequiresPassword() {
+    try {
+      // Check if we can run /usr/bin/true (or /bin/true) without requiring a password
+      await childProcess.spawnFile('sudo', ['--non-interactive', '--reset-timestamp', 'true'],
+        { stdio: ['ignore', 'pipe', 'pipe'] });
+      console.debug("sudo --non-interactive didn't throw an error, so assume we can do passwordless sudo");
+
+      return false;
+    } catch (err: any) {
+      console.debug(`sudo --non-interactive threw an error, so assume it needs a password: ${ JSON.stringify(err) }`);
+
+      return true;
+    }
+  }
+
   /**
    * Use the sudo-prompt library to run the script as root
    * @param command: Path to an executable file