I've been meaning to post this for a while, but never got around to it.

Provision doesn't let you run any commands as root, which is probably a good idea, but doing that it prevents root from running Drush alltogether.
As root drush version and more importantly drush selfupdate don't work. I first have to move the provision folder somewhere else and then put it back afterwards. That's quite a pain.

I don't know how easy/hard this would be, but it seems we should be able to check if the command contains "provision" (and maybe "hosting"?) and then exit.

CommentFileSizeAuthor
#6 1440646-root-check-5.patch1.66 KBmig5
#4 1440646-root-check-4.patch2.8 KBcafuego
#3 provision-root.patch634 byteststoeckler
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

I'd be curious to know why running drush as root is absolutely necessary? It's certainly not a good idea. We've always considered this a feature as opposed to a bug. (FYI this came up before here: #799804: No sandwiches :-( Provision prevents drush make-me-a-sandwich example from running)

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

On the other hand, I don't disagree that if running drush as the root user, the error message is probably baffling, potentially even to users who don't know what provision is.

If Drush itself doesn't provide any such safeguard, we probably shouldn't either, or fail only on provision/hostmaster/hosting commands as you suggest.

tstoeckler’s picture

tstoeckler
he/him
Primary language German
Location Essen, Germany
CreditAttribution: tstoeckler commented
Status: Active » Needs review
FileSize
provision-root.patch634 bytes

Here's a patch for this. It checks for 'provision' in the command string.
There should probably be a similar check in hosting.drush.inc, but I guess that should be its own issue. If this approach is deemed good for Provision, I'll roll such a patch in the Hosting queue.

Now will go on to selfupdate to 5.0. :)

cafuego’s picture

cafuego CreditAttribution: cafuego commented
FileSize
1440646-root-check-4.patch2.8 KB

I refer you to #349923: drush_invoke : a flexible API for hooking into any and all drush calls. by none other than one of the provision maintainers ;-)

Attached patch synergistically leverages hook_drush_command_validate() to provide a user id check for all functions documented at the top of provision.drush.inc.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Status: Needs review » Needs work

I like this, but it seems too verbose.

Shouldn't we instead have a _init() hook that looks at the command name?

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Status: Needs work » Needs review
FileSize
1440646-root-check-5.patch1.66 KB

How about this?

We already had an init hook checking system load. I turned that into a private function, introduced a new one for checking the user/command, and made the init hook call both of these.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Status: Needs review » Reviewed & tested by the community

That makes a lot of sense, please push.

Steven Jones’s picture

Steven Jones CreditAttribution: Steven Jones commented
Version: 7.x-2.x-dev » 6.x-2.x-dev
Status: Reviewed & tested by the community » Fixed

Looks good, pushed to 6.x-1.x and 6.x-2.x. Thanks all!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 6d68f73 on dev-drupal-8, 6.x-2.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by mig5, committed by Steven Jones: 
    Issue #1440646 by tstoeckler, cafuego, mig5: Make Drush be runnable as...