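def open(self, argv, command_info):
    """Ask the invoking user why the command is run and log the answers.

    Two prompts are shown through ``sudo.conv``: a visible "Reason: " and a
    masked "Secret reason: ". The command line and both replies are then
    appended to the file named by ``self._log_file_path()``.

    Args:
        argv: Command line about to be executed; joined with spaces for the
            log entry.
        command_info: Not used by this method.

    Returns:
        ``sudo.RC.REJECT`` when the conversation is interrupted (reported to
        the user as not answering in time); otherwise the method falls
        through and returns ``None``.
    """

    def _single_line(value):
        # Keep printable characters and spell out everything else (CR, LF,
        # ESC, other control characters, lone surrogates) as a backslash
        # escape. The arguments and replies come from the invoking user, so
        # without this an embedded newline could add extra, forged lines to
        # the log.
        return "".join(
            ch if ch.isprintable()
            else ch.encode("unicode_escape").decode("ascii")
            for ch in str(value)
        )

    try:
        conv_timeout = 120  # in seconds
        sudo.log_info("Please provide your reason "
                      "for executing {}".format(argv))

        # Two questions are asked. The second one is masked on screen so
        # that a user who is being forced to run the command can leave a
        # message the bystander cannot read.
        # ConvMessage accepts its arguments either in strict positional
        # order (timeout being optional) or as named arguments; both forms
        # are shown here.
        visible_prompt = sudo.ConvMessage(sudo.CONV.PROMPT_ECHO_ON,
                                          "Reason: ",
                                          conv_timeout)
        masked_prompt = sudo.ConvMessage(msg="Secret reason: ",
                                         timeout=conv_timeout,
                                         msg_type=sudo.CONV.PROMPT_MASK)

        reply1, reply2 = sudo.conv(visible_prompt, masked_prompt,
                                   on_suspend=self.on_conversation_suspend,
                                   on_resume=self.on_conversation_resume)

        # NOTE(review): the masked reply is hidden only at the prompt; it is
        # stored here in clear text, and the file is opened with the default
        # creation mode. Confirm that the location returned by
        # _log_file_path() is readable only by the intended auditors.
        with open(self._log_file_path(), "a") as log:
            print("Executed",
                  " ".join(_single_line(arg) for arg in argv),
                  file=log)
            print("Reason:", _single_line(reply1), file=log)
            print("Hidden reason:", _single_line(reply2), file=log)

    except sudo.ConversationInterrupted:
        sudo.log_error("You did not answer in time")
        return sudo.RC.REJECT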
def close(self, exit_status: int, error: int) -> None:
    """Report how the command ended through the sudo log functions.

    Args:
        exit_status: Exit status of the command; reported when ``error``
            is 0.
        error: 0 when nothing went wrong, otherwise an errno value (the
            log message attributes it to the execve syscall).
    """
    if error != 0:
        # Show the symbolic errno name next to the number; values missing
        # from errno.errorcode are printed as "???".
        symbolic = errno.errorcode.get(error, "???")
        failure = ("Failed to execute command, execve syscall returned "
                   "{} ({})").format(error, symbolic)
        sudo.log_error(failure)
        return

    sudo.log_info(
        "The command returned with exit_status {}".format(exit_status))
def check_policy(self, argv: Tuple[str, ...], env_add: Tuple[str, ...]):
    """Decide whether the requested command may run and describe how.

    Args:
        argv: Requested command line; ``argv[0]`` is the command name that
            is checked and then looked up on the path.
        env_add: Extra environment entries, appended to the plugin's own
            ``self.user_env`` options.

    Returns:
        ``sudo.RC_REJECT`` when ``self._is_command_allowed`` refuses the
        command, ``sudo.RC_ERROR`` when building the command info raises
        ``SudoPluginError``, otherwise the tuple
        ``(sudo.RC_ACCEPT, command_info_out, argv, user_env_out)``.
    """
    requested = argv[0]

    # Example for a simple reject: refuse before any further work is done.
    # NOTE(review): the allow-check sees argv[0] exactly as typed, while the
    # path that gets executed comes from _find_on_path() below. Confirm that
    # the two helpers cannot disagree about which binary is meant.
    if not self._is_command_allowed(requested):
        sudo.log_error("You are not allowed to run this command!")
        return sudo.RC_REJECT

    # Environment the command will be executed with. This example allows
    # anything: env_add is appended unfiltered. A production policy would
    # normally restrict which variables the caller may set.
    user_env_out = sudo.options_from_dict(self.user_env) + env_add

    try:
        resolved_path = self._find_on_path(requested)  # absolute path
        target_uid = self._runas_uid()                 # the user id
        target_gid = self._runas_gid()                 # the group id
        command_info_out = sudo.options_from_dict({
            "command": resolved_path,
            "runas_uid": target_uid,
            "runas_gid": target_gid,
        })
    except SudoPluginError as error:
        sudo.log_error(str(error))
        return sudo.RC_ERROR

    return sudo.RC_ACCEPT, command_info_out, argv, user_env_out