FileSystemProvider: no way of handling permissions issues #48659

Open
bpasero opened this issue Apr 25, 2018 · 190 comments
Labels
feature-request Request for new features or functionality file-io File I/O remote Remote system operations issues

@bpasero
Member

bpasero commented Apr 25, 2018

Refs: #48421

Setup:

  • clone https://github.com/bpasero/remote-fs
  • F5
  • click "Refresh" in the explorer
  • you should see the current working directory as a remote folder using the file system provider for scheme datei://

I can think of 2 reasons why a permission error raises:

  • user needs elevated rights to change a file or folder
  • a file can be readonly (e.g. Windows) and to save it you need to first remove the readonly flag

Currently there does not seem to be a way to signal a) to save as elevated user or b) to remove the readonly flag.

I am not sure how relevant this is for any other file system provider that does not have these concepts but this is something our file service can do (via the options overwriteReadonly and writeElevated).

jrieken added the feature-request and remote labels Apr 25, 2018
@jrieken
Member

jrieken commented Apr 25, 2018

I am not sure how relevant this is for any other file system provider that does not have these concepts but this is something our file service can do

Unsure, permissions and ownership is a common concept but I don't know how VS Code handles that...

@bpasero
Member Author

bpasero commented Apr 25, 2018

@jrieken the file service can return either FILE_READ_ONLY or FILE_PERMISSION_DENIED as FileOperationResult and this will surface as a notification in the UI to ask to either overwrite (the readonly one) or save as admin for the other one. If the user agrees, either overwriteReadonly or writeElevated will be set to true the next time we update the content.

I guess we would need to have similar options for the API but I am not sure how you would even possibly implement at least the writeElevated one.

@bpasero
Member Author

bpasero commented Apr 10, 2019

I pushed 4cce7c0 to be able to preserve the "Overwrite readonly" behavior with the new file system provider. This currently hardcodes a check for file:// scheme in a text file service that is node based. I think that is fine for now and I will need to do the same for saving elevated.

@plus-

plus- commented May 6, 2019

I've been looking through the GitHub issues and different discussions but I wasn't able to find a proper answer. As this is the closest issue to my question I thought about asking here.

When implementing a FileSystemProvider (for example to a remote repository), can you set the editor as read-only based on the document/file permissions (for instance if the document is locked by another user)?

If not is there an API to set the editor as readOnly more generally, that I could make use of?

@bpasero
Member Author

bpasero commented May 7, 2019

@plus- this is currently not possible on a per-file basis, see #73122 for relevant feature request.

@TrevorSayre

Would this address the scenario mentioned here:
microsoft/vscode-remote-release#390 (comment)

@yobyot

yobyot commented Aug 22, 2019

I was very excited to discover SSH-Remote in vscode, thinking it could replace my (limited) vi skills. But, like the OP, I need to be able to sudo to change config files in places like /etc. The audience for this feature is admins who are not necessarily coders. For these kinds of users, who are administering production systems, the option of enabling root is a non-starter. I hope the vscode team finds a way to implement the ability to sudo remotely. That would make the system a killer remote admin environment.

@ZombieProtectionAgency

@yobyot Until something is implemented the terminal works with SSH-Remote. So you can edit a file then save it anywhere on the server and sudo mv it in the terminal without switching windows.

@wottpal

wottpal commented Sep 19, 2019

I came here for the exact same use case as @TrevorSayre (microsoft/vscode-remote-release#390):

I am mainly wanting this so I can edit files in /etc/nginx

It would be so damn helpful to use Vscode to remotely do some configuration on my servers!! Currently this is only possible with Atom, unfortunately..

@rob4226

rob4226 commented Sep 21, 2019

I was so excited to use this remote development extension with vscode but now, seeing I can't edit any files that require permission elevation, I was very disappointed...

Failed to save 'example.com': Unable to write file (NoPermissions (FileSystemError): Error: EACCES: permission denied, open '/etc/nginx/sites-available/example.com')

There must be some way to make it work. For example, I use this workaround with WinSCP when I want to work with elevated permissions but it doesn't work with vscode:

user_name ALL=(ALL) NOPASSWD: /usr/lib/openssh/sftp-server

Then in WinSCP there is an option for it to execute a custom command prefixed with sudo like:
sudo /usr/lib/openssh/sftp-server

This allows WinSCP to automatically be able to write to any file without ever having to use any passwords while you have the file under /etc/sudoers.d with the NOPASSWD directive in place. I gladly trade security temporarily for this convenience as it's easy enough to comment out that directive when you don't need it.

How can this be done with vscode and the remote-ssh-development extension? Does it use sftp-server or something else and can you add sudo in front of whatever command vscode executes on the local machine to connect to the remote?

Thank you.
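
The trade-off described in the comment above, shown from the audit side as an added example that is not part of the original comment: an account that may run `sftp-server` through sudo without a password has root-level file read and write for as long as the rule is active. The sample drop-in is constructed (only the `user_name` line comes from the thread), and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: flag NOPASSWD sudoers rules that amount to unrestricted root.
# Limitations (simple drop-ins assumed): no Cmnd_Alias expansion, no "\" line
# continuations, and "#uid" user specs are skipped together with comments.

audit_nopasswd() {
  # usage: audit_nopasswd <sudoers-file>...
  # Prints "line N: <who> -> <command>" for each passwordless command that is
  # ALL or an sftp-server binary (root file read/write for that account).
  awk '
    /^[ \t]*(#|$)/ { next }                 # comments, disabled rules, blanks
    /NOPASSWD:/ {
      who = $1
      spec = $0
      sub(/^.*NOPASSWD:[ \t]*/, "", spec)   # keep only the command list
      n = split(spec, cmds, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        cmd = cmds[i]
        sub(/[ \t]+$/, "", cmd)
        if (cmd == "ALL" || cmd ~ /\/sftp-server([ \t]|$)/)
          printf "line %d: %s -> %s\n", FNR, who, cmd
      }
    }' "$@"
}

write_sample_sudoers() {
  # Constructed sample; prints the path of the temp file it creates.
  local f
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
# drop-in under /etc/sudoers.d (constructed)
user_name ALL=(ALL) NOPASSWD: /usr/lib/openssh/sftp-server
#backup_user ALL=(ALL) NOPASSWD: /usr/lib/openssh/sftp-server
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, ALL
EOF
  printf '%s\n' "$f"
}

sample=$(write_sample_sudoers)
audit_nopasswd "$sample"
rm -f "$sample"
```

The commented-out rule and the narrowly scoped `systemctl reload` rule are not reported; the active `sftp-server` rule and the trailing `ALL` are.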

@jcvtieck

I also need this feature to edit config files under /etc/...

@wottpal

wottpal commented Sep 30, 2019

@bpasero Obviously there is a lot of demand regarding this issue

@PaulSearcy

Going to chime in that I need it also for making changes to WP PHP files. Since the user and group is www-data

Wanted to give another use case for this.

@RoyTinker

RoyTinker commented Oct 8, 2019

I just got the idea to use VSCode for viewing/editing Apache2 config files on our team's Jenkins server... but I ran into this issue pretty quickly.

I thought I might have a workaround by specifying sudo bash as the remote command to use and using the -t option in the ssh command line to keep the terminal shell open (hostname is redacted):
image

Open-ended support for any command-line option seems to be implied by the example text in the textbox ssh hello@microsoft.com -A. Sadly, it appears not -- the file permissions issue still appears when connecting this way.

@pradulmt

Not able to edit library source in remote due to this issue, for ex: files under /usr/lib/python3/dist-packages/

@adilsaju

adilsaju commented Nov 6, 2019

Please add the feature and solve this, I was having trouble in editing files in aws instances. The user I ssh into is ec2-user but that doesn't give any perm to edit files having a high permission setting.

@thorstenhirsch

thorstenhirsch commented Nov 23, 2019

Regarding problem (a) I don't think that the FS API is the right way to go. You probably don't want to solve this on a per-file basis, but to work on the remote machine under a different user than the one you used to login. So you want to call 'su -' or 'sudo -u apache -i' directly after ssh login. This is already possible! You can do that with a RemoteCommand in the ssh config:

Host foo
  HostName foo
  RemoteCommand sudo -u apache -i

The RemoteCommand was added to OpenSSH in 2017 and I can confirm that it works on macOS Catalina, even though vim's syntax highlighting doesn't recognize it, yet.

@ynot729

ynot729 commented Nov 26, 2019

It seems like it should be part of the ssh setup as @thorstenhirsch mentions

This is already possible! You can do that with a RemoteCommand in the ssh config:

Host foo
  HostName foo
  RemoteCommand sudo -u apache -i

It works when I try it directly in the command line but seems to be skipped when entered in the config file. @thorstenhirsch when you say it works, do you mean from the command line or through the vscode connection?

@afischer-opentext-com

afischer-opentext-com commented Nov 29, 2019

Per the logs when configuring this, what reaches the ssh client is something like

[14:00:52.230] Running script with connection command: "C:\Program Files\Git\usr\bin\ssh.exe" -T -D 63356 -o RemoteCommand=none <remotehost> bash

So either there is something which actively nulls the RemoteCommand or there needs to be some tweaking.

Update: Per microsoft/vscode-remote-release#158 this approach is not supported unfortunately.

@thorstenhirsch

Yes, I'm sorry, my test was flawed. It really doesn't work due to -o RemoteCommand=none, which is a hard-coded parameter in the remote-ssh extension. I removed it (in the extension's extension.js) to see what happens:

  • macOS client, ArchLinux server, w/o RemoteCommand: connection works
  • macOS client, ArchLinux server, RemoteCommand sudo su -: could not establish ssh connection
  • Win7 client, RHEL7 server, w/o RemoteCommand: error, something like "tried to write to a non-existent channel"
  • Win7 client, RHEL7 server, RemoteCommand sudo -u some_user -i: error, something like "tried to write to a non-existent channel"

Guess that's the reason why they're using -o RemoteCommand=none.

@Hajto

Hajto commented Aug 18, 2022

We all are

@maxime1992

I'm amazed that people are complaining on an open source and free software after all these years.

A few options for you:

  • Kindly wait until it's solved. You can even be supportive or provide useful ideas
  • It's as simple as you think it is and to prove your point, you raise a fix yourself
  • Put a 💲 on Fiverr to get someone else to do the work for you and raise a PR

But when something is free and open source, try not to complain about a roadmap that doesn't fit your needs.

@wolfewa

wolfewa commented Aug 28, 2022

To the point that maxime1992 made, someone did fix this, at least for the use case of editing config files. I had the same issue in editing nginx config files, so I did the workaround mentioned: save a copy in my home folder, then use sudo cp to copy over the config file in /etc. I just started using this extension and it works perfectly. I don't have to run vscode as root the whole time, just when I save the config file; much safer, and the code is nice and small so you can read through it all.

Save as root by yy0931
https://marketplace.visualstudio.com/items?itemName=yy0931.save-as-root

@regislegrand

For me the feature is not specific to root nor to saving files. It's to become a specific user before loading the project.
I think vscode could simply provide a parameter to become a specific user, the same way ansible for example does it: https://docs.ansible.com/ansible/2.3/become.html

Finally, while I can't do this, I'll have to create a new key pair to ssh directly as the user I want ...

I really think this feature is legitimate and should be implemented.

Regards.

@anishjp

anishjp commented Sep 7, 2022

@thorstenhirsch.

Does this still work on the latest version of VSCode?

sed -i -e s/"-o[^=]*RemoteCommand=none"/""/ ~/.vscode/extensions/ms-vscode-remote.remote-ssh-*/out/extension.js

Do I have to remove all the entries of "bash" or just the first entry?
sed -i -e s/"bash"/""/ ~/.vscode/extensions/ms-vscode-remote.remote-ssh-*/out/extension.js

What does -i in the below command do?

sudo -u normal_user -i

@yomikoye

yomikoye commented Oct 3, 2022

I also experienced the issue of not being able to edit config files.

Another thing I noticed is that some files are missing from the file explorer.
For example, a file belonging to another user/group inside /etc was not present in the remote explorer but can be viewed in the terminal using sudo ls /etc/path/to/file

@x0r0a

x0r0a commented Dec 19, 2022

Maybe this tiny workaround will be helpful for someone: I made a hard link in my home catalog to a file visible only to root with ln -P /root/some_file ~/some_file_hardlink. Now I can open it from my home catalog and save as root with the help of the Save as Root in Remote - SSH plugin.

@thangph2146

Hi everyone,
I have this issue: [Save as Root] spawn sudo ENOENT.
I don't know how to fix this.
Please help me, thanks so much.

@pingufreak

"Save as Root" works, but I would also like to open files in /etc. First I thought this is a joke :). But it's true that this is open since years. Nice...

@raul-bns

Hi, I don't know if that will work for anyone but it's a solution I found. I use the remote tunnels extension to connect vscode to the server. When I open the tunnel, I open as root, so when I connect with vscode I connect as root.

@TryTryAgain

When I open the tunnel, I open as root

That's what people are trying to avoid

@raul-bns

raul-bns commented Feb 1, 2023

Ok, sorry I didn't follow all conversation

@raul-bns

raul-bns commented Feb 1, 2023

And why is that ? So I have a reason to stop doing it. Thanks

@TryTryAgain

@raul-bns that is a security best practice. Root should not be allowed for remote login (therefore, for many of us, that's not even an option because of corporate/personal policies/practices). We would need to first login as non-root and still then to elevate privileges/gain permissions.

@raul-bns

raul-bns commented Feb 2, 2023

@TryTryAgain thanks a lot for your explanation. I'll do that. 👍🏼

@raul-bns

raul-bns commented Feb 2, 2023

Hey, thanks and sorry, I've discovered that I was using a very bad practice. 😅

@gizmola

gizmola commented May 2, 2023

This workaround works for me:

~/.ssh/config:

Host <name>
Hostname <IP>
User <username>
RemoteCommand sudo su -
RequestTTY force

This is not a solution for people other than those who want to login as root. It also forces all ssh connections to that server to escalate to root. For many people, neither thing is wanted. If your actual goal is to become a non-root user, that does not have login credentials, this is untenable. I will say that essentially, people have been asking for the equivalent per connection capability to be configurable within the plugin.

@anishjp

anishjp commented May 3, 2023

@7owl7
What does the command "RequestTTY force" do?

@gizmola

gizmola commented May 3, 2023

@7owl7 What does the command "RequestTTY force" do?

It tells ssh that this connection requires a tty.

A tty (or in this case a pseudo-tty) is an interactive environment that provides a bunch of capabilities for when you connect to a server. For example, it supports certain character codes for interactive editing of text in the command line, and being able to stop a running program using ctrl-c.

When you connect to a server using ssh, and you don't provide any additional commands, the ssh server will create a pty. However, if you specify additional commands, ssh assumes that you don't want a pty, which could interfere with the commands you are sending. You also could be using ssh to transfer binary data, so again in that situation you don't want a pty that could interpret data as pty commands.

In this case, the configuration of RequestTTY force is associated with the RemoteCommand configuration, that will be immediately running (upon connection) the "sudo su -" command.

So it's overriding the default behavior of not having a PTY when there are additional commands to go with the ssh connection, so that ssh will always request the server provide a pty, if connecting as the specified user.
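
A way to check what the client will really use, as an added example that is not part of the original comments: `ssh -G` prints the resolved client options without connecting. It covers both the `RemoteCommand`/`RequestTTY` config discussed above and the `-o RemoteCommand=none` flag from the log line earlier in the thread, which wins because command-line options take precedence over the config file. The temp config is constructed (the `foo` alias is the one used in the thread), and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: resolve effective OpenSSH client options without connecting.
# Assumes an OpenSSH client that knows RemoteCommand (added in 2017, per the thread).

write_sample_config() {
  # Constructed config combining the Host blocks quoted in the thread.
  local cfg
  cfg=$(mktemp) || return 1
  cat > "$cfg" <<'EOF'
Host foo
  HostName foo
  RemoteCommand sudo -u apache -i
  RequestTTY force
EOF
  printf '%s\n' "$cfg"
}

effective_option() {
  # usage: effective_option <config> <host> <option> [extra ssh args...]
  # `ssh -G` dumps the resolved options with lowercase keys, then exits.
  local cfg=$1 host=$2 key=$3 value
  shift 3
  value=$(ssh -G -F "$cfg" "$@" "$host" 2>/dev/null |
    awk -v k="$key" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }')
  # An unset RemoteCommand is omitted or printed as "none" depending on the
  # OpenSSH version, so both are reported as "none".
  printf '%s\n' "${value:-none}"
}

demo() {
  local cfg
  cfg=$(write_sample_config) || return 1
  echo "remotecommand, config only:    $(effective_option "$cfg" foo remotecommand)"
  echo "remotecommand, with the -o flag: $(effective_option "$cfg" foo remotecommand -o RemoteCommand=none)"
  echo "requesttty:                    $(effective_option "$cfg" foo requesttty)"
  rm -f "$cfg"
}

demo || true
```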

@luis02lopez

Workaround, complementary extension to save as root: https://marketplace.visualstudio.com/items?itemName=yy0931.save-as-root

@ThatAnonyG

Damn 5 years and this is still not a feature?

@Flameancer

The extension mentioned above is a good alternative, but this should honestly be a feature already.

@khalidx

khalidx commented Sep 6, 2023

I added a solution to this problem here! It is clean, doesn't require an extension, and just works.

microsoft/vscode-remote-release#1688 (comment)

@sumasagrp

It's 2024, would really love to have this feature natively for remote ssh
