audit _run: fallback sans sudo si sudoers refuse bash -c (commandes read-only OK sans root)

2026-04-15 00:26:42 +02:00 · 2026-04-15 00:26:42 +02:00 · 7480bbf5ac
commit 7480bbf5ac
parent 2a10ec55ab
1 changed files with 14 additions and 2 deletions
--- a/app/services/realtime_audit_service.py
+++ b/app/services/realtime_audit_service.py
@ -233,17 +233,29 @@ def _connect(target, hostname=None):

 def _run(client, cmd):
    try:
-        # Tester si on est déjà root ou si on a besoin de sudo
+        # Test root vs sudo
        _, stdout, _ = client.exec_command("id -u", timeout=5)
        uid = stdout.read().decode().strip()
        if uid == "0":
-            full = cmd  # Déjà root, pas besoin de sudo
+            full = cmd
        else:
            escaped = cmd.replace("'", "'\"'\"'")
            full = f"sudo bash -c '{escaped}'"
        _, stdout, stderr = client.exec_command(full, timeout=15)
        out = stdout.read().decode("utf-8", errors="replace").strip()
        err = stderr.read().decode("utf-8", errors="replace").strip()
+
+        # Fallback sans sudo si sudoers refuse bash -c
+        if (not out) and err and ("pas autorisé" in err or "not allowed to execute" in err
+                                   or "is not allowed" in err or "command not found" in err.lower()):
+            _, stdout, stderr = client.exec_command(cmd, timeout=15)
+            out = stdout.read().decode("utf-8", errors="replace").strip()
+            err2 = stderr.read().decode("utf-8", errors="replace").strip()
+            if out:
+                err = ""
+            else:
+                err = err2 or err
+
        result = out if out else err
        lines = [l for l in result.splitlines() if not any(b in l for b in BANNER_FILTERS) and l.strip()]
        return "\n".join(lines).strip()