FileSystemProvider: no way of handling permissions issues

[bpasero]

Refs: #48421

Setup:

• clone https://github.com/bpasero/remote-fs
• F5
• click "Refresh" in the explorer
• you should see the current working directory as a remote folder using the file system provider for scheme datei://

I can think of 2 reasons why a permission error raises:

• user needs elevated rights to change a file or folder
• a file can be readonly (e.g. Windows) and to save it you need to first remove the readonly flag

Currently there does not seem to be a way to signal a) to save as elevated user or b) to remove the readonly flag.

I am not sure how relevant this is for any other file system provider that does not have these concepts but this is something our file service can do (via the options overwriteReadonly and writeElevated).

[jrieken]

I am not sure how relevant this is for any other file system provider that does not have these concepts but this is something our file service can do

Unsure, permissions and ownership is a common concept but I don't know how VS Code handles that...

[bpasero]

@jrieken the file service can return either FILE_READ_ONLY or FILE_PERMISSION_DENIED as FileOperationResult and this will surface as a notification in the UI to ask to either overwrite (the readonly one) or save as admin for the other one. If the user agrees, either overwriteReadonly or writeElevated will be set to true the next time we update the content.

I guess we would need to have similar options for the API but I am not sure how you would even possibly implement at least the writeElevated one.

[bpasero]

I pushed 4cce7c0 to be able to preserve the "Overwrite readonly" behavior with the new file system provider. This currently hardcodes a check for file:// scheme in a text file service that is node based. I think that is fine for now and I will need to do the same for saving elevated.

[plus-]

I've been looking the github issues and different discussions but I wasn't able to find a proper answer. As this is the closest issue to my question I though about asking here.

When implementing a FileSystemProvider (for example to a remote repository), can you set the editor as read-only based on the document/file permissions (for instance if the document is locked by another user)?

If not is there an API to set the editor as readOnly more generally, that I could make use of?

[bpasero]

@plus- this is currently not possible on a per-file basis, see #73122 for relevant feature request.

[TrevorSayre]

Would this address the scenario mentioned here:
microsoft/vscode-remote-release#390 (comment)

[yobyot]

I was very excited to discover SSH-Remote in vscode, thinking it could replace my (limited) vi skills. But, like the OP, I need to be able to sudo to change config files in places like /etc. The audience for this feature is admins who are not necessarily coders. For these kinds of users, who are administering production systems, the option of enabling root is a non-starter. I hope the vscode team finds a way to implement the ability to sudo remotely. That would make the system a killer remote admin environment.

[ZombieProtectionAgency]

@yobyot Until something is implemented the terminal works with SSH-Remote. So you can edit a file then save it anywhere on the server and sudo mv it in the terminal without switching windows.

[wottpal]

I came here for the exact same use case as @TrevorSayre (microsoft/vscode-remote-release#390):

I am mainly wanting this so I can edit files in /etc/nginx

It would be so damn helpful to use Vscode to remotely do some configuration on my servers!! Currently this is only possible with Atom, unfortunately..

[rob4226]

I was so excited to use this remote development extension with vscode but now seeing I can't edit any files the require permission elevation I was very disappointed...

Failed to save 'example.com': Unable to write file (NoPermissions (FileSystemError): Error: EACCES: permission denied, open '/etc/nginx/sites-available/example.com')

There must be some way to make it work. For example, I use this workaround with WinSCP when I want to work with elevated permissions but it doesn't work with vcscode:

user_name ALL=(ALL) NOPASSWD: /usr/lib/openssh/sftp-server

Then in WinSCP there is an option for it to execute a custom command prefixed with sudo like:
sudo /usr/lib/openssh/sftp-server

This allows WinSCP to automatically be able to write to any file without ever having to use any passwords while you have the file under /etc/sudoers.d with the NOPASSWD directive in place. I gladly trade security temporarily for this convenience as it's easy enough to comment out that directive when you don't need it.

How can this be done with vscode and the remote-ssh-development extension? Does it use sftp-server or something else and can you add sudo in front of whatever command vscode executes on the local machine to connect to the remote?

Thank you.

[jcvtieck]

I also need this feature to edit config files under /etc/...

[wottpal]

@bpasero Obviously there is a lot of demand regarding this issue

[PaulSearcy]

Going to chime in that I need it also for making changes to WP PHP files. Since the user and group is www-data

Wanted to give another use case for this.

[RoyTinker]

I just got the idea to use VSCode for viewing/editing Apache2 config files on our team's Jenkins server... but I ran into this issue pretty quickly.

I thought I might have a workaround by specifying sudo bash as the remote command to use and using the -t option in the ssh command line to keep the terminal shell open (hostname is redacted):

Open-ended support for any command-line option seems to be implied by the example text in the textbox ssh hello@microsoft.com -A. Sadly, it appears not -- the file permissions issue still appears when connecting this way.

[pradulmt]

Not able to edit library source in remote due to this issue, for ex: files under /usr/lib/python3/dist-packages/

[adilsaju]

Please add the feature and solve this, I was having trouble in editing files in aws instances. The user I ssh into is ec2-user but that doesn't give any perm to edit files having a high permission setting.

[thorstenhirsch]

Regarding problem (a) I don't think that the FS API is the right way to go. You probably don't want to solve this on a per-file basis, but to work on the remote machine under a different user than the one you used to login. So you want to call 'su -' or 'sudo -u apache -i' directly after ssh login. This is already possible! You can do that with a RemoteCommand in the ssh config:

Host foo
  HostName foo
  RemoteCommand sudo -u apache -i

The RemoteCommand was added to OpenSSH in 2017 and I can confirm that it works on macOS Catalina, even though vim's syntax highlighting doesn't recognize it, yet.

[ynot729]

it seems like it should be part of the ssh setup as @thorstenhirsch mentions

This is already possible! You can do that with a RemoteCommand in the ssh config:

Host foo
  HostName foo
  RemoteCommand sudo -u apache -i

It works when I try it directly in the command line but seems to be skipped when entered in the config file. @thorstenhirsch when you say it work do you mean from the command line or through the vscode connection?

[afischer-opentext-com]

Per the logs when configuring this, what reaches the ssh client is something like

[14:00:52.230] Running script with connection command: "C:\Program Files\Git\usr\bin\ssh.exe" -T -D 63356 -o RemoteCommand=none <remotehost> bash

So either there is something which actively Nulls the RemoteCommand or their needs to be some tweaking.

Update: Per microsoft/vscode-remote-release#158 this approach is not supported unfortunately.

[thorstenhirsch]

Yes, I'm sorry, my test was flawed. It really doesn't work due to -o RemoteCommand=none, which is a hard-coded parameter in the remote-ssh extension. I removed it (in the extension's extension.js) to see what happens:

• macOS client, ArchLinux server, w/o RemoteCommand: connection works
• macOS client, ArchLinux server, RemoteCommand sudo su -: could not establish ssh connection
• Win7 client, RHEL7 server, w/o RemoteCommand: error, something like "tried to write to a non-existent channel"
• Win7 client, RHEL7 server, RemoteCommand sudo -u some_user -i: error, something like "tried to write to a non-existent channel"

Guess that's the reason why they're using -o RemoteCommand=none.

[regislegrand]

For me the feature is not specific to root neither to save files. It's to become a specific user before loading the project.
I think vscode could simply provide a parameter to become a specific user, the same way ansible for example does it: https://docs.ansible.com/ansible/2.3/become.html

Finally, while I can't do this, I'll have to create a new key pair to ssh directly as the user I want ...

I really think this feature is legitimate and should be implemented.

Regards.

[anishjp]

@thorstenhirsch.

Does this still works on the latest version of VSCode?

sed -i -e s/"-o[^=]*RemoteCommand=none"/""/ ~/.vscode/extensions/ms-vscode-remote.remote-ssh-*/out/extension.js

Do I have to remove all the entries of "bash" or just the first entry?
sed -i -e s/"bash"/""/ ~/.vscode/extensions/ms-vscode-remote.remote-ssh-*/out/extension.js

What does -i in the below command do?

sudo -u normal_user -i

[yomikoye]

I also experienced the issue of not being able to edit config files.

Another thing I noticed is that some files are missing from the file explorer.
For example, a file belonging to another user/group inside /etc was not present in the remote explorer but can be viewed in the terminal using sudo ls /etc/path/to/file

[x0r0a]

Maybe this tiny workaround will be helpful for someone: I Made a hardlink in my home catalog to only root visible file with ln -P /root/some_file ~/some_file_hardlink. Now I can open it from my home catalog and save as root with the help of Save as Root in Remote - SSH plugin.

[thangph2146]

Hi every one,
I have this issue: [Save as Root] spawn sudo ENOENT.
I don't no how to fixed this.
Please help me, thanks so much.

[pingufreak]

"Save as Root" works, but I would also like to open files in /etc. First I thought this is a joke :). But it's true that this is open since years. Nice...

[raul-bns]

Hi, I dont know if that will work for any one but it's solution I found. I use extension remote tunnels to connect vscode to server. When I open the tunnel, I open as root, so when i connect with vscode i connect as root.

[TryTryAgain]

When I open the tunnel, I open as root

That's what people are trying to avoid

[raul-bns]

Ok, sorry I didn't follow all conversation

[raul-bns]

And why is that ? So I have a reason to stop doing it. Thanks

[TryTryAgain]

@raul-bns that is a security best practice. Root should not be allowed for remote login (therefore, for many of us, that's not even an option because of corporate/personal policies/practices). We would need to first login as non-root and still then to elevate privileges/gain permissions.

[raul-bns]

@TryTryAgain thanks a lot for your explenation. i'll do that. 👍🏼

[raul-bns]

Hey thanks and sorry I've discover that i was using very bad practice. 😅

[gizmola]

This workaround works for me:

~/.ssh/config:

Host <name>
Hostname <IP>
User <username>
RemoteCommand sudo su -
RequestTTY force

This is not a solution for people other than those who want to login as root. It also forces all ssh connections to that server to escalate to root. For many people, neither thing is wanted. If your actual goal is to become a non-root user, that does not have login credentials, this is untenable. I will say that essentially, people have been asking for the equivalent per connection capability to be configurable within the plugin.

[anishjp]

@7owl7
What does the command "RequestTTY force" do?

[gizmola]

@7owl7 What does the command "RequestTTY force" do?

It tells ssh that this connection requires a tty.

A tty (or in this case a pseudo-tty) is an interactive environment that provides a bunch of capabilities for when you connect to a server. For example, it supports certain character codes for interactive editing of text in the command line, and being able to stop a running program using ctrl-c.

When you connect to a server using ssh, and you don't provide any additional commands, the ssh server will create a pty. However, if you specify additional commands, ssh assumes that you don't want a pty, which could interfere with the commands you are sending. You also could be using ssh to transfer binary data, so again in that situation you don't want a pty that could interpret data as pty commands.

In this case, the configuration of RequestTTY force is associated with the RemoteCommand configuration, that will be immediately running (upon connection) the "sudo su -" command.

So it's overriding the default behavior of not having a PTY when there are additional commands to go with the ssh connection, so that ssh will always request the server provide a pty, if connecting as the specified user.

[luis02lopez]

Workaround, complementary extension to save as root: https://marketplace.visualstudio.com/items?itemName=yy0931.save-as-root

[ThatAnonyG]

Damn 5 years and this is still not a feature?

[Flameancer]

The extension mentioned above is a good alternative, but this should honestly be a feature already.

[khalidx]

I added a solution to this problem here! It is clean, doesn't require an extension, and just works.

microsoft/vscode-remote-release#1688 (comment)

[sumasagrp]

its 2024 would really love to have this feature natively for remote ssh

[crimsonvspurple]

Instead of handling complex permissions, please just allow us to switch the user after login. This will resolve 99% issues.

[weezy20]

7 years ...