codejail icon indicating copy to clipboard operation
codejail copied to clipboard

Published 20 hours ago verified publisher icon openedx

sudo: no tty present and no askpass program specified

Open jabbalaci opened this issue 12 years ago • 8 comments

Hi,

I followed the installation instructions but I keep getting this error:

SafeExecException: Couldn't execute jailed code: sudo: no tty present and no askpass program specified

Do you have any idea?

Thanks,

Laszlo

jabbalaci avatar Oct 01 '13 14:10 jabbalaci

Laszlo,

Make sure you have edited your sudoers file as instructed in the README.rst, especially the "NOPASSWD" part. If that doesn't help, tell us exactly how you are running CodeJail that produces that error.

--Ned.

On Tue, Oct 1, 2013 at 10:58 AM, Jabba Laci [email protected]:

Hi,

I followed the installation instructions but I keep getting this error:

SafeExecException: Couldn't execute jailed code: sudo: no tty present and no askpass program specified

Do you have any idea?

Thanks,

Laszlo

— Reply to this email directly or view it on GitHubhttps://github.com/edx/codejail/issues/17 .

nedbat avatar Oct 01 '13 15:10 nedbat

Hi Ned,

I tried it in dev. mode. My username is "jabba" and I have this directory structure:

jabba@jabba-VM-server ~/python/secure $ pwd
/home/jabba/python/secure
jabba@jabba-VM-server ~/python/secure $ ls -al
drwxrwxr-x 5 jabba jabba 4096 okt    1 18:00 .
drwx------ 4 jabba jabba 4096 okt    1 16:10 ..
drwxr-xr-x 3 jabba jabba 4096 okt    1 16:51 codejail
drwxrwxr-x 7 jabba jabba 4096 okt    1 16:26 venv
drwxr-xr-x 6 root  root  4096 okt    1 18:00 venv-sandbox

(It's not clear to me why the sandbox env. must be created with "sudo".)

The sandbox user is created as explained in Step 3. The /etc/sudoers.d/01-sandbox file is created:

jabba ALL=(sandbox) SETENV:NOPASSWD:/home/jabba/python/secure/venv-sandbox/bin/python
jabba ALL=(ALL) NOPASSWD:/usr/bin/pkill

If I understand well, the 1st line means this: the user "jabba" can run the command .../python as user "sandbox".

The AppArmor profile is created as seen in Step 5.

Now in /home/jabba/python/secure I activate venv and launch the command nosetests. The result: FAILED (SKIP=1, errors=7, failures=23). The problem is this: sudo: unable to execute /home/jabba/python/secure/venv-sandbox/bin/python: Permission denied

I also tried to launch just .../venv-sandbox/bin/python as the user "sandbox":

[venv] jabba@jabba-VM-server ~/python/secure $ ls -al
total 20
drwxrwxr-x 5 jabba jabba 4096 okt    1 18:00 .
drwx------ 4 jabba jabba 4096 okt    1 16:10 ..
drwxr-xr-x 3 jabba jabba 4096 okt    1 16:51 codejail
drwxrwxr-x 7 jabba jabba 4096 okt    1 16:26 venv
drwxr-xr-x 6 root  root  4096 okt    1 18:00 venv-sandbox
[venv] jabba@jabba-VM-server ~/python/secure $ sudo -u sandbox /home/jabba/python/secure/venv-sandbox/bin/python
sudo: unable to execute /home/jabba/python/secure/venv-sandbox/bin/python: Permission denied

It seems there is a problem with the sudoers.d file but I can't figure out what exactly.

Thanks,

Laszlo

jabbalaci avatar Oct 03 '13 17:10 jabbalaci

Hmm, I'm not sure what's causing your problem. I notice that your venv-sandbox is owned by root. Mine is owned by "ned", though not sure why that would matter.

Can you show your apparmor config file?

Next step after that would be to try loosening permissions, just as a diagnostic to find out what is being prevented.

--Ned.

On Thu, Oct 3, 2013 at 1:08 PM, Jabba Laci [email protected] wrote:

Hi Ned,

I tried it in dev. mode. My username is "jabba" and I have this directory structure:

jabba@jabba-VM-server ~/python/secure $ pwd /home/jabba/python/secure jabba@jabba-VM-server ~/python/secure $ ls -al drwxrwxr-x 5 jabba jabba 4096 okt 1 18:00 . drwx------ 4 jabba jabba 4096 okt 1 16:10 .. drwxr-xr-x 3 jabba jabba 4096 okt 1 16:51 codejail drwxrwxr-x 7 jabba jabba 4096 okt 1 16:26 venv drwxr-xr-x 6 root root 4096 okt 1 18:00 venv-sandbox

(It's not clear to me why the sandbox env. must be created with "sudo".)

The sandbox user is created as explained in Step 3. The /etc/sudoers.d/01-sandbox file is created:

jabba ALL=(sandbox) SETENV:NOPASSWD:/home/jabba/python/secure/venv-sandbox/bin/python jabba ALL=(ALL) NOPASSWD:/usr/bin/pkill

If I understand well, the 1st line means this: the user "jabba" can run the command .../python as user "sandbox".

The AppArmor profile is created as seen in Step 5.

Now in /home/jabba/python/secure I activate venv and launch the command nosetests. The result: FAILED (SKIP=1, errors=7, failures=23). The problem is this: sudo: unable to execute /home/jabba/python/secure/venv-sandbox/bin/python: Permission denied

I also tried to launch just .../venv-sandbox/bin/python as the user "sandbox":

[venv] jabba@jabba-VM-server ~/python/secure $ ls -al total 20 drwxrwxr-x 5 jabba jabba 4096 okt 1 18:00 . drwx------ 4 jabba jabba 4096 okt 1 16:10 .. drwxr-xr-x 3 jabba jabba 4096 okt 1 16:51 codejail drwxrwxr-x 7 jabba jabba 4096 okt 1 16:26 venv drwxr-xr-x 6 root root 4096 okt 1 18:00 venv-sandbox [venv] jabba@jabba-VM-server ~/python/secure $ sudo -u sandbox /home/jabba/python/secure/venv-sandbox/bin/python sudo: unable to execute /home/jabba/python/secure/venv-sandbox/bin/python: Permission denied

It seems there is a problem with the sudoers.d file but I can't figure out what exactly.

Thanks,

Laszlo

— Reply to this email directly or view it on GitHubhttps://github.com/edx/codejail/issues/17#issuecomment-25639024 .

nedbat avatar Oct 07 '13 20:10 nedbat

I'm getting this same error, but strangely when clicking on the "Check" button on this page: http://localhost:8000/courses/edX/Open_DemoX/edx_demo_course/courseware/interactive_demonstrations/basic_questions/

It's not clear to me why the codejail would be invoked when I'm checking whether I've dragged-and-dropped the words into the appropriate buckets.

Staff debug info: Traceback (most recent call last): File "/edx/app/edxapp/edx-platform/common/lib/xmodule/xmodule/capa_base.py", line 984, in check_problem correct_map = self.lcp.grade_answers(answers) File "/edx/app/edxapp/edx-platform/common/lib/capa/capa/capa_problem.py", line 330, in grade_answers return self._grade_answers(answers) File "/edx/app/edxapp/edx-platform/common/lib/capa/capa/capa_problem.py", line 392, in _grade_answers results = responder.evaluate_answers(self.student_answers, oldcmap) File "/edx/app/edxapp/edx-platform/common/lib/capa/capa/responsetypes.py", line 247, in evaluate_answers new_cmap = self.get_score(student_answers) File "/edx/app/edxapp/edx-platform/common/lib/capa/capa/responsetypes.py", line 1589, in get_score self.execute_check_function(idset, submission) File "/edx/app/edxapp/edx-platform/common/lib/capa/capa/responsetypes.py", line 1617, in execute_check_function self._handle_exec_exception(err) File "/edx/app/edxapp/edx-platform/common/lib/capa/capa/responsetypes.py", line 1751, in _handle_exec_exception raise ResponseError(err.message, traceback_obj) ResponseError: ("Couldn't execute jailed code: sudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: no tty present and no askpass program specified\nSorry, try again.\nsudo: 3 incorrect password attempts\n", <traceback object at 0x7f19ac1a59e0>)

natea avatar Jul 20 '14 15:07 natea

@natea the latest configuration scripts (johnnycake) weren't configured properly for codejail when running for development. You can fix the problem a few ways:

  1. if you don't care to run under a strict codejail environment, you can remove the virtualenv used for sandboxed execution. This will tell the server to go ahead and execute the code directly instead of with CodeJail: $ rm -rf /edx/app/edxapp/venvs/edxapp-sandbox

  2. if you want to run with CodeJail, you can fix the sudoers file: /etc/sudoers.d/95-sandbox has four lines in it, and they should all start with the name of the user running the LMS. If it says "www-data", it will work for fullstack. To make it work for devstack, change those four lines to have "edxapp" instead.

nedbat avatar Jul 20 '14 16:07 nedbat

I've running into a similar issue here https://github.com/edx/codejail/issues/29#issuecomment-59560671

venvs structure:

vagrant@precise64:/edx/app$ ls -la xserver/venvs/
total 16
drwxr-xr-x 4 xserver xserver 4096 Oct  9 20:43 .
drwxr-xr-x 4 xserver xserver 4096 Oct  6 20:22 ..
drwxr-xr-x 8 xserver xserver 4096 Oct  6 22:18 xserver
drwxr-xr-x 7 xserver xserver 4096 Oct 16 19:53 xserver-sandbox

/etc/sudoers.d/01-sandbox

vagrant@precise64:/edx/app$ sudo vi /etc/sudoers.d/01-sandbox
xserver ALL=(sandbox) SETENV:NOPASSWD:/edx/app/xserver/venvs/xserver-sandbox/bin/python
xserver ALL=(sandbox) SETENV:NOPASSWD:/usr/bin/find
xserver ALL=(ALL) NOPASSWD:/usr/bin/pkill
makeitso ALL=(sandbox) NOPASSWD:/usr/bin/python-sandbox

xserver sandbox virtual environment python seems to be working

(xserver)xserver@precise64:/edx/app/xserver/venvs$ sudo -u sandbox xserver-sandbox/bin/python
Python 2.7.3 (default, Feb 27 2014, 19:58:35) 
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
vagrant@precise64:/edx/app$ sudo -u sandbox xserver/venvs/xserver-sandbox/bin/python
Python 2.7.3 (default, Feb 27 2014, 19:58:35) 
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>

morenopc avatar Oct 17 '14 19:10 morenopc

@morenopc I don't understand: do you have a problem that needs fixing?

nedbat avatar Oct 20 '14 15:10 nedbat

Yes @nedbat. Can you please take a look at https://github.com/edx/codejail/issues/29. Thanks.

morenopc avatar Oct 20 '14 17:10 morenopc