Skip to content

Remote previsioning incorrectly supplies sudo password. #127

Description

@ciferkey

version 1.0.2.

When trying to provision a server with "Use same credentials for sudo" set to off I get the following logs:

3:37:51 PM preflight Starting server preflight checks.
3:37:51 PM preflight Remote OS kernel: Linux
3:37:51 PM preflight Remote distribution: Ubuntu 26.04 LTS
3:37:51 PM preflight Verified sudo access using explicit sudo password.
3:37:51 PM preflight Remote CPU architecture: x86_64 (using bundle target x86_64)
3:37:51 PM preflight Free disk space on /: 3.9 GiB
3:37:51 PM preflight Available memory: 2913 MiB
3:37:52 PM preflight DNS lookup for api.github.com succeeded.
3:37:52 PM preflight DNS lookup for oauth2.googleapis.com succeeded.
3:37:52 PM preflight DNS lookup for fcm.googleapis.com succeeded.
3:37:52 PM preflight Outbound HTTPS to https://api.github.com succeeded.
3:37:52 PM preflight Outbound HTTPS probe for https://oauth2.googleapis.com failed. Firebase push setup may fail until the server can reach Google OAuth over HTTPS.
3:37:52 PM preflight No existing Secluso server install detected.
3:37:52 PM preflight Port 8000 is free on the server.
3:37:52 PM preflight Reverse proxy mode selected, but no common proxy binary was detected. Make sure something forwards traffic to 127.0.0.1:8000.
3:37:52 PM preflight Skipping public port probe during preflight because reverse proxy mode is selected.
3:37:56 PM preflight bash: line 1: REDACTED: command not found
3:37:56 PM detect REMOTE_HAS_BIN=false
3:37:56 PM detect REMOTE_HAS_UNIT=false
3:37:56 PM detect REMOTE_SERVICE_ACTIVE=false
3:37:56 PM detect REMOTE_SERVER_VERSION=unknown
3:37:56 PM detect REMOTE_PORT_8000_IN_USE=false
3:37:57 PM artifacts Latest immutable release for secluso/secluso: v1.0.2
3:37:59 PM artifacts Verified release bundle v1.0.2 for x86_64 (server=15387144 bytes, updater=15023800 bytes).
3:38:00 PM secrets No service account key provided; deploying without FCM support.
3:38:00 PM sudo Using sudo wrapper: sudo -S -p ''
3:38:00 PM remote bash: line 1: REDACTED: command not found
3:38:00 PM config INSTALL_BIN_DIR=/usr/bin
3:38:00 PM config VERSION_ROOT=/var/lib/secluso/current_version
3:38:00 PM config STATE_DIR=/var/lib/secluso
3:38:00 PM config OWNER_REPO=secluso/secluso
3:38:00 PM config SERVER_UNIT=secluso-server.service
3:38:00 PM config UPDATER_SERVICE=secluso-updater.service
3:38:00 PM config ENABLE_UPDATER=1
3:38:00 PM config OVERWRITE=0
3:38:00 PM config FIRST_INSTALL=1
3:38:00 PM config BIND_ADDRESS=127.0.0.1
3:38:00 PM config LISTEN_PORT=8000
3:38:00 PM config RELEASE_TAG=v1.0.2
3:38:00 PM config GITHUB_TOKEN=
3:38:00 PM config STAGING_DIR=set
3:38:00 PM deps Installing minimal runtime dependencies (apt-get)...
3:38:00 PM remote [sudo: ''] Password:
3:38:05 PM trap Failed at line 84 (exit=1)
3:38:05 PM remote sudo: Authentication failed, try again.
3:38:05 PM remote [sudo: ''] Password:
3:38:05 PM remote sudo: Authentication failed, try again.
3:38:05 PM remote [sudo: ''] Password:
3:38:05 PM remote sudo: maximum 3 incorrect authentication attempts
3:38:05 PM fatal Remote script failed (exit=1).

I think exec_remote_script_streaming in deploy/src-tauri/src/provision_server/ssh.rs is passing the password in a why where it is interpreted as a command instead of being passed to sudo:

// if sudo needs a password and the script uses sudo -s, we send it first
// the script reads sudo_pass from env but some sudo calls may still read stdin
if let Some(pw) = sudo_pw {
let _ = channel.write_all(format!("{pw}\n").as_bytes());
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    Fields

    No fields configured for Bug.

    Projects

    Status
    Todo

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions